Compliance

Compliance at UiPath

At UiPath, compliance is treated seriously. We make efforts every day to make sure compliance is integrated into our processes and behaviours.

We strongly encourage our employees and our partners (customers, resellers, agents, suppliers, etc.) to act in compliance with the applicable legislation and with the UiPath Code of Conduct.

 

UiPath Internal Code of Conduct

The Internal Code of Conduct is applicable to all employees, freelancers, those employed by carriers or other contingent workers acting on behalf of UiPath or having access to UiPath systems including its subsidiaries and affiliates to ensure they act in good faith, with integrity and consistent with the Company’s values in order to maintain effective trust and credibility with our employees, customers, business partners and communities in which we operate.

The UiPath Internal Code of Conduct is available here.

Report Ethics & Compliance Concerns

Any breach of the UiPath Code of Conduct, UiPath policies or the law is taken seriously. Any such concerns should be reported at legal.compliance@uipath.com.
If you wish to report anonymously you can use the following means:
Web app: uipath.ethicspoint.com
Mobile app: uipathmobile.ethicspoint.com 
Hotline: There are dedicated lines for each country where UiPath has an entity. Access uipath.ethicspoint.com and select the country you are located in. This will display the hotline number for your country.

 

Global Partner Code of Conduct

This Global Partner Code of Conduct (the “Code”) sets out our expectations and defines the minimum standards of business conduct and business practices applicable to all UiPath clients, resellers, consulting partners, vendors, OEMs, suppliers, agents, entities and/or individuals who do business with or on behalf of UiPath (the “Partners”).

 

All Partners are expected to comply with this Code of Conduct.

The Global Partner Code of Conduct is available here.

 

Privacy & Security Compliance

ISO 27001: UiPath has engaged a certification body accredited by the ANSI National Accreditation Board (ANAB) and United Kingdom Accreditation Service (UKAS) to audit UiPath’s information security management system (ISMS) annually for conformity with the ISO 27001 standard and issue the corresponding certification.

The certification includes in scope UiPath’s core product lines and main development locations. The ISMS supports the management of confidential information collected, processed, or otherwise impacted during the product development and maintenance lifecycle for main product lines, considered the core business of UiPath, covering the analysis, design, development and global delivery by UiPath on customer premise, by using cloud service and/or acting as a cloud service provider.

 

AICPA SOC

 

SOC 2: UiPath has engaged an independent certified public accounting firm to examine controls relevant to American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for security, availability and confidentiality and issue SOC 2™ reports every six months.

  • UiPath’s current SOC 2 Type 1 report covers the design of controls relevant to UiPath Test Manager.

  • UiPath’s current SOC 2 Type 2 report covers the design and operating effectiveness of controls relevant to Automation Cloud, Automation Hub, AI Center (Computer Vision and Document Understanding) and Data Service.

AICPA System and Organization Controls (SOC) reports provide independent assurance to global customers in highly regulated industries who trust UiPath with their most sensitive data.

HIPAA: UiPath has engaged an independent certified public accounting firm to examine UiPath’s information security and privacy program every six months for conformity with applicable implementation specifications within the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy and Breach Notification Rules.

  • UiPath’s HIPAA Type 1 attestation covers the design of applicable administrative, physical and technical safeguards relevant to Automation Cloud, Automation Hub, Orchestrator, Professional Services and Customer Support.

Under HIPAA, UiPath is a business associate to covered entities and other business associates. HIPAA attestation provides independent assurance to customers and business partners that UiPath has designed and implemented administrative, physical and technical safeguards applicable to UiPath’s business as a cloud service provider.

 

 

 

Cyber Essentials Plus: In the United Kingdom, UiPath has engaged a certification body authorized by IASME to audit UiPath UK Limited and UiPath SRL annually against UK National Cyber Security Centre (NCSC) technical requirements for IT infrastructure and issue a Cyber Essentials Plus certificate.

Firms undergoing annual Cyber Essentials Plus audits help reduce the level of cyber security risk in the UK government supply chains. The Cyber Essentials scheme defines a set of controls which, when properly implemented, will provide organizations with basic protection from the most prevalent forms of threat coming from the internet. The scheme is mandatory for central government contracts advertised after 1 October 2014 which involve handling personal information and providing certain ICT products and services.

 

GDPR: UiPath has one of its main headquarters in the European Union, which makes UiPath subject to the GDPR, one of the strictest data protection laws around the world. Since UiPath is committed to respecting your privacy, we implement the GDPR principles in all UiPath entities. Please check our global Privacy Policy here.

 

Privacy Shield: UiPath is an active participant in the Privacy Shield Framework. The purpose of Privacy Shield is to ensure that when personal data is transferred from the European Union or Switzerland to the United States, the data protection legislation is observed and implemented. Please find the details of UiPath’s participation in the Privacy Shield Framework here.

When GDPR became effective, UiPath signed Standard Contractual Clauses with its affiliates and imposed GDPR policies and standards, globally, among its entities. Privacy Shield was used by UiPath as an additional transfer mechanism and not as the primary transfer mechanism, which is why the recent ruling of the European Court of Justice does not affect the protection or transfer of personal data of European customers. With its sub-processors, UiPath has concluded data processing agreements in accordance with GDPR, ensuring that any transfer mechanism used will be in compliance with the European legislation.

CCPA: UiPath complies with the California Consumer Privacy Act of 2018 (CCPA) by applying the common privacy principles of CCPA and GDPR to the more rigorous standard of the latter. UiPath does not sell customer data and only shares it with third parties acting as its service providers, who consequently process data solely on our behalf, in order to meet their contractual obligations. Otherwise, UiPath only shares data as directed by you or with your consent. As your service provider, UiPath only processes personal data used with UiPath cloud products for the purpose of providing you the service and product functionalities, as directed by you.

 

Paris Call for Trust and Security in Cyber Space: UiPath joined a global call for Nation States, Companies and Civil Society to come together and face the increasing threats endangering citizens and infrastructure in cyberspace. It is based around nine common principles to secure cyberspace and the commitment to adopt responsible behavior. Discover the 9 principles here.

 

Contact us at privacy@uipath.com for questions about our privacy and security compliance program.

 

Vendor Risk Management

We have a Vendor Risk Management Program in place to ensure we assess the security posture of critical providers and that all vendors and contractors that have access to UiPath data and/or systems attest to confidentiality and security requirements. All such providers are required contractually to implement a level of security as described in our Security standard, available here. Moreover, they are contractually required to comply with our internal security policies and procedures, as applicable to the nature of the service provided.

 

We retain the right to perform audits on our vendors and to request audit reports. Any findings that might pose a risk to UiPath’s data or systems will be subject to a remediation plan that the vendor is required to implement.

 

Anti-Bribery and Anti-Corruption Statement

UiPath adheres to a Zero Tolerance approach towards corruption and bribery. We do not bribe and cannot be bribed, and we do not engage in situations that might leave the impression of corrupt practices.

 

To make sure that these standards reach all our personnel, we created an Anti-Bribery program which consists of an Anti-Bribery Policy that is published and disseminated internally, an annual training for all personnel, and making sure that Anti-Bribery provisions are always included in the agreements we undertake.

 

Our policy specifically references that all Gifts and Hospitalities must be modest, transparent, of low value and in accordance with the laws. UiPath prohibits the offering of anything, regardless of the value, with the corrupt intention to obtain an unfair advantage for UiPath.

 

Anti-Slavery and Anti-Human Trafficking Statement

UiPath recognises the seriousness and importance of combatting modern slavery and human trafficking. With respect to its employees and the operations of its business, UiPath is committed to ensuring the highest standards of welfare, safety and business practice, in accordance with all relevant legislation.

 

The Anti-Slavery and Anti-Human Trafficking Statement is available here.

Export Control

UiPath is keen on complying with export control regulations and therefore we expect every 3rd party we do business with to abide by all export control regulations as set forth by (i) the U.S. Department of Commerce Export Administration Regulations (EAR), U.S. Department of State International Traffic in Arms Regulations (ITAR) or other requirements of the U.S. Government; (ii) European Commission regulations; (iii) United Nations Security Council resolutions (the “Export Control Regulations”) regulating the export and reexport of the UiPath RPA Platform. We also expect our business partners not to be named on any Export Control Regulations list of restricted parties and not to be involved in dealings with entities and individuals that are sanctioned or that are located in countries subject to trade embargoes or economic sanctions.

Equal Opportunity Employer

UiPath is an equal opportunity employer and prohibits discrimination and harassment of any kind. We are committed, and expect our Partners, (i) to offer equal employment opportunity for all job applicants and employees, (ii) to provide all employees a work environment free of discrimination and harassment of any kind and (iii) to take all employment related decisions without regard to race, color, religion or belief, national, social or ethnic origin, sex, pregnancy, age, physical, mental or sensory disability, HIV status, sexual orientation, gender identity and/or expression, marital, civil union or domestic partnership status, past or present military service, family medical history or genetic information, family or parental status, or any other status protected by any and all similar laws.

Exclusion of Anti-Social Forces

We maintain an adequate policy for exclusion of anti-social forces in Japan. The latest version is available here.

Safe Harbor Statement

Some UiPath materials may contain forward-looking statements. Forward-looking statements include all statements that are not historical facts, and in some cases, can be identified by terms such as “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “might,” “plan,” “project,” “will,” “would,” “should,” “could,” “can,” “predict,” “potential,” “continue,” or the negative of these terms, and similar expressions that concern our expectations, strategy, plans or intentions. By their nature, these statements are subject to numerous risks and uncertainties, including factors beyond our control, that could cause actual results, performance or achievement to differ materially and adversely from those anticipated or implied in the statements. Although our management believes that the expectations reflected in our statements are reasonable, we cannot guarantee that the future results, levels of activity, performance or events and circumstances described in the forward-looking statements will be achieved or occur. Recipients are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date such statements are made and should not be construed as statements of fact.

This information is subject to change at any time without prior notice. Actual results and future plans may differ significantly as a result of, among other things, changes in product strategy. This presentation is not a commitment to deliver any material or functionality. Any purchase of software by customers should neither be contingent on the delivery of any future functionality or features, nor dependent on any oral or written public comments made by UiPath regarding future functionality or features.