Quality & Compliance FAQs

Our partnership with you is anchored in transparency.

We’re fully committed to helping you defend your data, address security threats, and maintain compliance.

1. What is the Nuvolo / ServiceNow relationship?

The Nuvolo IWMS product is built by Nuvolo, Inc. as an ISV of ServiceNow.

The Client should begin the process to access ServiceNow’s Compliance Operational Readiness Evidence (CORE) group on ServiceNow’s Community portal.

ServiceNow Special Interest Groups

Nuvolo’s application suite consists of scoped applications that have been designed and built to meet ServiceNow’s security requirements. The application, and client data, are 100% contained within the ServiceNow platform. Additionally, with every new ServiceNow release or Nuvolo application update, Nuvolo’s suite of applications must pass a rigorous inspection process, conducted by ServiceNow, to be certified within their App Store. This certification process scrutinizes our application with respect to the following areas:
  • Security and performance of the application
  • Completeness of the marketing & listing information
  • Platform stability and user experience
There are over seventy (70+) stringent requirements that applications are tested against for the certification. The ServiceNow Certification Policy for Scoped Applications, and the checklist by which the product is tested, are located here (https://community.servicenow.com/community?id=community_blog&sys_id=259dea69dbd0dbc01dcaf3231f961969).

2. What information is available for customers to review?

Validation documentation related to our products, Operations reports (SOC reports, etc.), and Informational Documents (e.g., regulatory assessments, Nuvolo Process Overviews, Nuvolo certifications) are available through the Nuvolo CARE Special Interest Group (Link), available within the Nuvolo Community Portal (Link). All SOPs and quality system documents are stored in Nuvolo’s GRC system. Customers may review this content only when conducting a formal audit of Nuvolo. Customers are not given direct access to the GRC system and will be provided a facilitated review over Zoom.

3. Is Nuvolo certified against established standards?

Yes. Currently, Nuvolo maintains ISO9001 QMS, ISO27001, CMMC version 2 Level 1, and SOC 2 Type 2, and our Capital Planning & Lease Management Solutions have SOC1 Type 2 certification. Certificates and reports are in the Nuvolo CARE Special Interest Group (Link), available within the Nuvolo Community Portal (Link).

4. How does FedRAMP apply to the Nuvolo Connected Workplace Suite?

Per the Executive Order memo (link), FedRAMP applies to all cloud deployment and service models (Sec 3) as defined by NIST’s Definition of Cloud Computing 800-145 (link). Nuvolo, Inc. is an Independent Software Vendor (ISV) which has developed the Nuvolo Connected Workplace within the ServiceNow Platform. Currently, the Definitions of Cloud Computing (NIST 800-145) do not include ISVs. Working closely with A-Lign, a third-party auditor, and the FedRAMP PMO, Nuvolo has completed a FedRAMP ISV Report (link). More information about the FedRAMP ISV report by A-Lign can be found here (link).

5. Have Nuvolo products been assessed for regulatory compliance?

Yes.  Nuvolo monitors global regulations and document interpretations for their impact on the business and applicable alignment.  Assessment for regulatory compliance is available in the Nuvolo Regulatory Statements of Applicability (POL0020076).

6. Does Nuvolo have an independent Quality team?

The Nuvolo Quality Team is an independent organization which owns the establishment of quality processes, monitoring compliance, and measuring quality KPIs.  The quality team is responsible for managing our QMS, Computer Systems Validation (CSV) testing of our products, and supporting customer audits.

7. Does Nuvolo operate under a Quality Management System?

The Nuvolo Quality Team is an independent organization which owns the establishment of quality processes, monitoring compliance, and measuring quality KPIs.  The quality team is responsible for managing our QMS, Computer Systems Validation (CSV) testing of our products, and supporting customer audits.

8. What is Nuvolo’s Software Development (SDLC) process?

Nuvolo’s approach to design, development, testing, and release management is defined in Nuvolo’s Software Development Lifecycle (POL0020097).

9. Are releases validated by Nuvolo?

Nuvolo releases include a comprehensive functional validation of all product features against applicable regulations. Customers are ultimately responsible for establishing that a Nuvolo instance is in a validated state. Customers can leverage Nuvolo’s functional validation content to reduce the scope, duration, and cost of their validation efforts.

Validation Packages are made available with each Major release and are performed by an independent assessor. The reports are available in the Nuvolo CARE Special Interest Group (Link), available within the Nuvolo Community Portal (Link).

10. What is Nuvolo’s Computer System Validation (CSV) approach?

Nuvolo’s approach to computer systems validation (CSV) is defined in Nuvolo’s Computer Systems Validation Compliance Policy (POL0020080).

11. What does the Product Architecture look like?

Refer to the System Overview document in the latest Validation Pack for your application. These are available through the Nuvolo CARE Special Interest Group (Link), available within the Nuvolo Community Portal (Link).

12. What vulnerability checks are performed for Nuvolo Connected Workplace?

During all phases of the development process, code that is created, updated, or modified is reviewed and submitted to rigorous static code analysis and peer review prior to being incorporated into the code base. With each release to the App Store, our applications are reviewed and certified by ServiceNow (link). In addition, the ServiceNow platform provides daily unauthenticated infrastructure scans, weekly authenticated system scans, and static and dynamic application security testing (link).

13. Where is my data stored?

All Client data is stored within the ServiceNow Platform. Nuvolo, Inc. is a ServiceNow ISV, and our suite is 100% developed within the ServiceNow Platform using the ServiceNow platform development tools.

14. How is my data backed up and how is disaster recovery (DR) managed?

Client data is stored within the ServiceNow platform. ServiceNow is responsible for all High Availability and Disaster Recovery controls.

15. How does Nuvolo manage Information Security and Data Privacy?

In short, Nuvolo, Inc. has a simple but effective set of Data Protection Principles. All data must be processed in accordance with Nuvolo Data Protection Guidelines. The essence of these guidelines is set out below. Data must:
  • Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed; (MINIMIZE, ANONYMIZE AND SANITIZE)
  • Be obtained only for one or more specified or lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
  • Be restricted to authorized individuals approved on the project
  • Be protected by appropriate technical and organizational measures against unauthorized or unlawful processing, against accidental loss or damage
  • Be accurate and, where necessary, kept up-to-date
Nuvolo’s approach to information security is defined in Nuvolo’s Cybersecurity Vendor Compliance Program (VCP ISO) (POL0020049).

16. Where can I find copies of the SOPs referenced?

The Nuvolo Policies, Procedures, and Work Instructions are available through the Nuvolo CARE Special Interest Group (Link), available within the Nuvolo Community Portal (Link).

17. How does Nuvolo manage its key suppliers?

Nuvolo’s approach to supplier management is defined in Nuvolo’s Vendor Audit and Management Procedure (POL0020083).

18. How is the ServiceNow platform patched and maintained?

As the platform owner, you, the Client, should already be familiar with the ServiceNow Patching program. Nuvolo product suite https://community.servicenow.com/community?id=community_article&sys_id=a85279cadbf71b809d612926ca9619bc

19. How is the Nuvolo Suite patched and maintained?

Nuvolo provides our Clients four major releases per year. Hot-fixes/Patches are created and made available on an as-needed basis to resolve discovered bugs. All major releases and patches are available at zero cost to our Clients. Major releases and patches can be installed on a Client’s instance at any time, depending on the Client’s instance maintenance schedule. There is no service outage or downtime required during the upgrade to the new release or installation of patches. All release upgrades and/or patch installations are performed by the Client with assistance from Nuvolo if requested. Nuvolo provides documentation on how to perform these activities. Nuvolo will support the current GA version plus three previous major version releases.

Have a question? Send us an email at compliance@nuvolo.com!