<img src="https://secure.intelligence52.com/795135.png" style="display:none;">
Security & Compliance · For architects, platform owners and CISOs

Security and compliance, inherited from the platform you already trust.

Smart Collect® is a ServiceNow application — not an integration, not a middleware bridge, not a third-party SaaS calling APIs into your platform. Your security posture is its security posture. Your audit chain is its audit chain. Your patch cadence is its patch cadence.

YOUR SERVICENOW PLATFORM your tenancy · your RBAC · your audit log · your patch cycle Smart Collect® ServiceNow application inside your platform ServiceNow tables incident · sc_request · cmdb_ci sys_user · sys_audit Smart Locker (edge device) Smart Vending (edge device) Smart Kiosk (edge device)
The architectural proposition

Three things this changes about your security review.

The architecture choice — application native to ServiceNow rather than integration into it — is the entire story. Three consequences flow from it.

01

Smart Collect® is a ServiceNow application.

Not an integration. Not a middleware bridge. Not a third-party SaaS calling ServiceNow APIs from outside. The application runs natively on your ServiceNow platform, alongside your other certified apps. The technical category is "ServiceNow application," which means the security model that governs every other application on your platform governs Smart Collect® too.

02

Data never leaves your platform.

Every transaction record, audit log, identity assertion, asset update — all of it is written to standard ServiceNow tables inside your platform. There's no Velocity-side database, no shadow store, no replicated data, no extraction pipeline. The data sovereignty question your CISO will ask answers itself the moment you see the architecture.

03

Inherits your existing security posture.

Your RBAC model, identity provider, audit retention policy, encryption-at-rest configuration, network segmentation, and patch cadence all apply to Smart Collect® automatically. There's no parallel security model to maintain. The configuration you've already invested in extends to physical IT support — without a separate review cycle.

Certified in three places that matter

ISO-certified, ServiceNow-accredited, audit-ready.

Velocity holds the three certifications that matter for enterprise security review: the international quality and information-security standards, plus formal ServiceNow partner status. We don't claim certifications we don't hold.

ISO 9001

International standard for Quality Management Systems. Velocity's manufacturing, deployment, support and customer-success processes are audited annually against the ISO 9001 framework.

ISO 27001

International standard for Information Security Management Systems. Velocity's data handling, access controls, incident response, supplier security and ongoing risk management are audited annually against ISO 27001.

ServiceNow Service Specialist Partner

Formal partner accreditation from ServiceNow. Smart Collect® is a certified ServiceNow application, listed on the ServiceNow Store, and tracks the platform's release cadence for compatibility and security parity.

The audit chain in action

One ticket. One item. One ServiceNow record.

The principle Velocity runs across every form factor and every regulated sector. Every physical handover — locker collection, vending dispense, kiosk-mediated exchange — maps to a single ServiceNow record tied to a named individual. The audit chain your digital tickets already meet is extended, unchanged, to physical IT support.

STEP 01
Request

User raises ticket in ServiceNow — incident, request, or workflow trigger. Smart Collect® reads the named ticket ID against the named user.

Tables touched:
incident · sc_request · sys_user
STEP 02
Authorisation

System generates a one-time collection credential (QR, barcode, or PIN) and dispatches it to the user's registered email. Identity is bound to ticket.

Tables touched:
x_vst_collect_token · sys_user
STEP 03
Collection

User presents the credential at the form factor. Smart Collect® verifies, logs timestamp, captures the site reference, and updates the asset.

Tables touched:
x_vst_collect_event · cmdb_ci
STEP 04
Closure

Ticket auto-closes against the resolved request. Full chain readable from standard ServiceNow reporting. Retention follows your platform's policy.

Tables touched:
incident · sc_request · sys_audit
Regulated sectors, inherited posture

Your platform's compliance posture extends to physical IT — automatically.

An important framing point: Velocity is not claiming to hold FDA validation, ITAR clearance, or NRC certification ourselves. The architecture means we don't need to. Your ServiceNow platform is the certified system; Smart Collect® runs inside it and inherits that posture without a separate accreditation cycle.

Pharma & Healthcare
GxP · FDA · MHRA · EMA

Pharma and healthcare customers run ServiceNow platforms that meet GxP validation, FDA Part 11 electronic-records requirements, and MHRA / EMA audit expectations. Smart Collect® runs inside that platform, so the audit chain extends to physical IT handovers — every laptop swap, every peripheral fulfilment, traceable to the same standard as your validated digital workflows.

Defence & Aerospace
ITAR · Export controls

Defence primes and aerospace integrators with ServiceNow platforms configured for ITAR or export-control compliance extend that posture to physical IT support without exposing controlled records or technology to external systems. Smart Collect® data lives inside your platform — no exfiltration, no shadow database, no third-party API calls outside the boundary.

Energy & Nuclear
NRC · ONR

Nuclear and energy customers operating under NRC or ONR oversight on their ServiceNow platform inherit that compliance posture for physical IT support. Engineer-travel reductions also support carbon and emissions reporting where the operator has Science-Based Targets or equivalent commitments — the audit trail makes the saved mileage countable.

Financial Services
FCA · MiFID II · SEC · GDPR

Financial services customers with FCA, SEC or MiFID II configurations on their ServiceNow platform extend that audit chain to every IT-asset handover. GDPR data-residency requirements are met by architecture because the customer data stays in the platform — no extraction, no transfer, no separate processor agreement to negotiate.

Government & Public Admin
NCSC · NIST · Sovereign data

Government and public-sector customers with NCSC-aligned or NIST-aligned ServiceNow platforms keep all Smart Collect® data inside that platform. Sovereign-data discipline is preserved by architecture, not by configuration — there's nowhere else for the data to go.

Manufacturing & Other
Sector-ready · Workshop-scoped

If your sector isn't one of the five above — manufacturing, retail, transport, education, professional services — the same architectural principle holds. Whatever compliance posture your ServiceNow platform is configured to meet, Smart Collect® inherits it. The architect workshop can walk through the specific framework your environment operates under.

The architectural saving

Four things you don't need to do.

For most enterprises adopting a new vendor application, the security and compliance work runs alongside the technical work for months. The architectural choice of "ServiceNow application" rather than "third-party integration" eliminates four of those workstreams entirely.

No fresh vendor security review.

Smart Collect® inherits the vendor security review you've already completed for ServiceNow. There's no separate Velocity-as-a-vendor questionnaire, no parallel due-diligence package, no procurement-led security assessment to schedule.

No separate vulnerability scanning.

The application runs inside the ServiceNow platform that's already in your vulnerability management programme. There's no out-of-band scanning regime, no Velocity-specific patching schedule, no separate CVE feed to track.

No custom integration architecture review.

There's no integration to review — the application is native. Your architecture team doesn't need to evaluate API security, authentication flow design, network egress policies, or data-pipeline encryption. The platform already covers them.

No parallel data-sovereignty assessment.

Data residency is solved by the architecture: it stays in your platform's chosen region. There's no separate data-processing agreement to negotiate, no cross-border transfer assessment, no GDPR Article 28 review of Velocity as a sub-processor.

The architecture, made visible

Inside vs alongside.

The same physical IT support outcome can be delivered with two completely different architectures. The choice between them determines whether your security review is a re-run of work you've already done — or a whole new workstream.

API-integrated competitor model

Hardware vendor + middleware + ServiceNow connector.

YOUR SERVICENOW PLATFORM Connector / plugin OUTSIDE YOUR PLATFORM (vendor cloud) Vendor middleware Vendor database Locker hardware API

Triggers a fresh security review. Data moves out of your platform across an API boundary, into a vendor database under different controls. Three new vendor relationships to assess. New CVE feed to track. New data-processor agreement to negotiate.

Velocity Smart Collect® model

Native application inside your platform. Hardware as edge devices.

YOUR SERVICENOW PLATFORM Smart Collect® native application ServiceNow tables incident · cmdb · sys_audit Smart Locker · Smart Vending · Smart Kiosk edge devices · outbound HTTPS only nothing outside

Inherits your existing review. Data stays in the platform you've already certified. The application is governed by the same RBAC, retention, and patch policies as any other ServiceNow application in your tenancy. No new vendor relationship for security to assess beyond Velocity-as-hardware-supplier.

Common questions from architects

What architects ask, what we answer.

The questions that come up in every architect deep-dive, with the answer we'd give in the workshop. If yours isn't here, the workshop is the right place to bring it.

Where does customer data actually live?

Inside your ServiceNow platform. Smart Collect® records, audit trails, identity assertions, transaction logs — all of it is written to standard ServiceNow tables in your platform (x_vst_collect_event, x_vst_collect_token, plus standard incident, sc_request, cmdb_ci and sys_audit). There's no Velocity-side database, no shadow store, no replicated copy of customer data.

What's the network footprint of each form factor?

Each form factor — locker, vending machine, kiosk — is an edge device that communicates only with your ServiceNow platform via outbound HTTPS over standard ports (typically 443). No inbound connections, no peer-to-peer traffic between devices, no third-party endpoints contacted, no public-internet exposure beyond the platform handshake. The devices are deployable inside your existing firewall posture.

How do upgrades work?

Smart Collect® is delivered as a ServiceNow application via the ServiceNow Store and tracks the standard ServiceNow release cycle (e.g., Yokohama, Zurich). When you upgrade your platform, the application moves with it — there's no out-of-band patching schedule, no separate maintenance window, no compatibility lag to manage. New releases are tested against the upcoming ServiceNow version before publication.

What about offline operation?

Edge devices operate offline for collection authentication using locally cached, time-bound credentials. Transactions queue locally and sync to the ServiceNow platform when connectivity is restored. The audit chain is preserved end-to-end — every offline collection generates a record that reconciles cleanly when the device reconnects. No transactions are lost; no manual reconciliation is required.

What RBAC model controls access?

Standard ServiceNow RBAC. The same roles, permissions, and access policies that govern incidents, requests, CMDB records and asset transactions in your platform apply to Smart Collect® transactions and configuration automatically. We don't define a parallel role model — administering Smart Collect® uses the same admin roles your team already manages for the rest of the platform.

What happens when ServiceNow patches?

Smart Collect® is fully compatible with ServiceNow security patches because the application runs on the platform. There's no separate patching schedule and no compatibility window for your security team to track. We test against pre-release ServiceNow versions and certify each release before publishing to the Store.

How do we audit a locker collection three years from now?

Open the ticket in ServiceNow. The full chain is there: request, authorisation, collection timestamp, identity, asset record updates, closure. Retention follows your platform's policy automatically — no separate Velocity retention regime to administer. Standard ServiceNow reporting, dashboards and export tools work against the same data.

What's the failure mode if the network drops?

Edge devices continue to operate using locally cached credentials and queue new transactions. The user experience continues uninterrupted for collections that were already authorised. On reconnection, the queue syncs and ServiceNow records update atomically. No data loss, no manual reconciliation, no support escalation for routine connectivity interruptions.

Technical-buyer path

Architect deep-dive workshop — 60 minutes.

A different conversation than the standard discovery workshop. A Velocity ServiceNow architect walks through your platform configuration, your compliance constraints, your edge-device network model, and how Smart Collect® lands cleanly inside your specific environment. Bring your security team. Bring your CISO if they want to come.