Privacy
UiPath considers privacy as an essential part of the business, which is why we commit to respecting one of the strictest privacy standards, with respect to its products, the European GDPR (General Data Protection Regulation). GDPR is reflected in UiPath’s intercompany agreements and in UiPath’s global privacy policy available here. UiPath has a dedicated team focused on privacy compliance and conducts internal privacy assessments before new products and services are released for our customers to use.
In order to satisfy the customer’s different privacy compliance needs, UiPath offers both on premise and cloud software. Therefore, the customer can choose to use the UiPath RPA Platform fully on its infrastructure, without any data going outside the customer’s environment.
By implementing GDPR, UiPath also commits to:
If you enter into a licensing agreement with UiPath, we will process your business contact details for contract performance. We will process these data in accordance with the GDPR and in order to meet our contractual and legal requirements. Contract performance includes providing you the license codes, account activations and management of our contracts and business accounts, support or communications related to the products and services you are using.
UiPath processes your contact details in order to send you the latest updates, releases and news about our products and events or to ask for your feedback using UiPath products, as a result of your contractual relation with UiPath or with your consent.
If you use personal data with UiPath cloud products, UiPath is considered a data processor, according to the GDPR, which means that our products process data on your behalf. This means that you are the controller and thus, you are in control of the personal data you use with our products.
When you use the UiPath Cloud Platform, UiPath may have access to user data and data available in orchestrator, a core component of the UiPath Cloud Platform, which allows customers to manage its fleet of robots from a central control plane.
All customer data in each data store that makes up our service stack will be encrypted.
UiPath processes two categories of data when using UiPath Cloud Platform—customer data and system-generated logs. Customer data includes user-identifiable transactional and interactional data that we need to operate the service and to manage your contract with UiPath. System-generated logs include service usage data that may be aggregated and contain pieces of customer data. From a GDPR standpoint, UiPath is considered a data processor for the last part, to the extent personal data is used and as such honors all obligations of a data processor by providing customer with full control over its data, in accordance with the product architecture.
UiPath is transparent about the sub-processors it uses and about the locations where your data is primarily stored when using cloud products, which can be found here.
Please see here more details about the terms which govern the use of the UiPath Cloud Platform, including the Data Processing Agreement which applies when personal data is used with the Platform here.
Please be mindful of the fact that if you use UiPath products in Private Preview or Trial you may have restrictions on using personal data or sensitive data with the products.
UiPath maintains strict control over who has access to production environment and customer data. Access is only granted at the level of least privilege and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service. Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operation staff were ever stolen, data is still protected because we use two-factor authentication for all production system access.
UiPath uses the following personal data transfer mechanisms, in order to make sure that personal data is protected in accordance with GDPR when shared with its affiliates or with its sub-processors:
UiPath Inc. is an active participant of the Privacy Shield Framework. For more information please click here.
(*)When GDPR became effective, UiPath has signed Standard Contractual Clauses with its affiliates and has imposed GDPR policies and standards, globally, among its entities. Privacy Shield was used by UiPath as an additional transfer mechanism and not as the primary transfer mechanism, which is why the recent ruling of the European Court of Justice does not affect the protection or transfer of personal data of European customers. With its sub-processors, UiPath has concluded data processing agreements in accordance with GDPR, ensuring that any transfer mechanism used will be in compliance with the European legislation.
Generally, our products can be used both on premise or in the cloud, depending on your specific needs and applicable laws. When you are using the on premise version of our products, only you, the customer, will have access to the data used with the on premise product.
Some of the things you can do to internally secure your data are:
Please have in mind that when you use OCR activities in Studio from third parties data may be sent and processed by these parties subject to their privacy policies.
If you have any troubleshooting issues, please reach out here for support. Please be mindful of the fact that UiPath does not require any sensitive data for support purposes and that any screenshot should be first redacted before sending. UiPath deletes all data received for support purposes within 6 months of the ticket closure.
UiPath only requires your business contact details in order to identify you as our customer and to better be able to provide you the support you need. Please check the support terms for more information on how UiPath processes data for support.
UiPath products are customizable so that you can change your automation flows and be in full control over your data. Depending on the products that you use you may have built in features to support you. However, if you are a customer and you have troubles in addressing a data subject request, in exporting or accessing your data or in deleting your data used with UiPath cloud products, please make a request here and we will swiftly reply.
If you have any concern or question about UiPath’s privacy practices please contact us at privacy@uipath.com .
If you have any concern or question about UiPath’s privacy practices please contact us at privacy@uipath.com .
If you are interested in our blog articles on this topic please click here.
Do check our Privacy Policy if you want more details about how UiPath handles personal data or make a request here.
UiPath respects your privacy and your rights regarding your personal data.
If you want to know what personal data we process and why, please fill in this form.
UiPath takes privacy really seriously, which is why it looks at privacy by design functionalities before every new product release. The privacy audit is an important component of UiPath’s global privacy compliance program. UiPath products are customizable, which means that you have full control over the data used with the UiPath RPA Platform. Depending on the type of product that you use, we offer different functionalities, as described in the product manuals available here, so please make sure that you choose the UiPath products that better fit your compliance needs.
Please make sure that you comply with your applicable privacy laws when designing the workflows and using the UiPath RPA Platform. If you want your data to stay fully on your infrastructure (machines, private cloud, private network), please use the on premise UiPath RPA Platform.
Privacy by design in UiPath software supports the customer with the following:
Recommendations for Customers using the UiPath RPA Platform:
UiPath respects core data protection principles and laws. In order to ensure a high level of data protection an intra-companies agreement sets the standard for personal data transfer and handling, in accordance with the EU data protection rules.
UiPath sub-processors must comply with the instructions provided by UiPath as a controller and with the EU data protection legislation. The purpose and the categories of personal data processed are expressly defined and specified in the data processing agreements together with the processing activities. No personal data shall be processed without a legal basis. Every processing agreement establishes how the rights of the data subjects will be observed and implemented.
Personal data trans-border transfers outside the UiPath group of companies are allowed only if an adequate level of personal data protection is ensured, either by signing standard contractual clauses, by having in place binding corporate rules, codes of conduct or certification mechanisms.
UiPath has the right to conduct inspections and audits at the premises of the sub-processors for the part of the business involving UiPath data. Alternatively, UiPath sub-processors will present recognized audit reports conducted by professional third parties, such as ISO 27001 or SOC II reports, at least once a year. UiPath has a vendor security assessment framework and imposes best industry standards on its sub-processors with access to customer data.
UiPath sub-processors shall cooperate for carrying out any data protection impact assessment and for addressing any requests from the data subjects or from the competent authority.
The security of personal data is ensured by establishing appropriate security measures in line with the risk of the processing activities. UiPath sub-processors have to notify, without undue delay, any personal data security breach at security.breach@uipath.com. The processing of personal data shall be done only by authorized personnel bound by confidentiality duties.
Download the UiPath Sub-processors.
Download the UiPath Group Entities.
Download the Data Processing Agreement.
