
Privacy

Privacy at UiPath

UiPath considers privacy an essential part of its business, which is why, with respect to its products, we commit to respecting one of the strictest privacy standards, the European GDPR (General Data Protection Regulation). GDPR is reflected in UiPath’s intercompany agreements and in UiPath’s global privacy policy available here. UiPath has a dedicated team focused on privacy compliance and conducts internal privacy assessments before new products and services are released for our customers to use.

 

In order to satisfy the customer’s different privacy compliance needs, UiPath offers both on premise and cloud software. Therefore, the customer can choose to use the UiPath RPA Platform fully on its infrastructure, without any data going outside the customer’s environment.

 

By implementing GDPR, UiPath also commits to:

  • best industry standards regarding information security as available here
  • privacy by design for all UiPath products as described here
  • imposing similar privacy requirements on its sub-processors. The principles imposed on its sub-processors can be accessed here.
  • keeping your data confidential.

What personal data does UiPath process if you are a customer?

If you enter into a licensing agreement with UiPath, we will process your business contact details for contract performance. We will process these data in accordance with the GDPR and in order to meet our contractual and legal requirements. Contract performance includes providing you the license codes, account activations and management of our contracts and business accounts, support or communications related to the products and services you are using.

 

UiPath processes your contact details in order to send you the latest updates, releases and news about our products and events or to ask for your feedback using UiPath products, as a result of your contractual relation with UiPath or with your consent.

 

When does UiPath receive personal data when you use our cloud products?

 

If you use personal data with UiPath cloud products, UiPath is considered a data processor, according to the GDPR, which means that our products process data on your behalf. This means that you are the controller and thus, you are in control of the personal data you use with our products.

 

When you use the UiPath Cloud Platform, UiPath may have access to user data and data available in Orchestrator, a core component of the UiPath Cloud Platform, which allows customers to manage their fleet of robots from a central control plane.

 

All customer data in each data store that makes up our service stack will be encrypted.

 

UiPath processes two categories of data when you use the UiPath Cloud Platform: customer data and system-generated logs. Customer data includes user-identifiable transactional and interactional data that we need to operate the service and to manage your contract with UiPath. System-generated logs include service usage data that may be aggregated and contain pieces of customer data. From a GDPR standpoint, UiPath is considered a data processor for the last part, to the extent personal data is used, and as such honors all obligations of a data processor by providing the customer with full control over its data, in accordance with the product architecture.

 

UiPath is transparent about the sub-processors it uses and about the locations where your data is primarily stored when using cloud products, which can be found here.

 

Please see here for more details about the terms which govern the use of the UiPath Cloud Platform, including the Data Processing Agreement which applies when personal data is used with the Platform here.

 

Please be mindful of the fact that if you use UiPath products in Private Preview or Trial you may have restrictions on using personal data or sensitive data with the products.

 

Does UiPath have access to your production data?

 

UiPath maintains strict control over who has access to the production environment and customer data. Access is only granted at the level of least privilege and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service. Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operations staff were ever stolen, data is still protected because we use two-factor authentication for all production system access.

 

How does UiPath ensure safe personal data transfers between its affiliates or with its sub-processors when cloud products are used?

 

UiPath uses the following personal data transfer mechanisms, in order to make sure that personal data is protected in accordance with GDPR when shared with its affiliates or with its sub-processors:

  • Standard Contractual Clauses as approved by the decisions of the European Commission
  • Privacy Shield certification mechanism, for personal data transfers from the EU or Switzerland to the USA (*)

 

UiPath Inc. is an active participant of the Privacy Shield Framework. For more information please click here.

 

(*) When GDPR became effective, UiPath signed Standard Contractual Clauses with its affiliates and imposed GDPR policies and standards, globally, among its entities. Privacy Shield was used by UiPath as an additional transfer mechanism and not as the primary transfer mechanism, which is why the recent ruling of the European Court of Justice does not affect the protection or transfer of personal data of European customers. With its sub-processors, UiPath has concluded data processing agreements in accordance with GDPR, ensuring that any transfer mechanism used will be in compliance with the European legislation.

Will UiPath have access to the personal data you use with the on premise software?

 

Generally, our products can be used either on premise or in the cloud, depending on your specific needs and applicable laws. When you are using the on premise version of our products, only you, the customer, will have access to the data used with the on premise product.

 

Some of the things you can do to internally secure your data are:

  • Implement an access management system, allowing access only to authorized staff
  • Limit access to the internet on the machines on which the UiPath RPA Platform is installed
  • If you have users accessing the UiPath RPA Platform remotely, ensure a VPN connection
  • Ensure that your network is secure
  • Do not send personal data for support/maintenance purposes; use only anonymized or dummy data for this purpose
  • Make sure that you install the relevant updates to the software.

 

Please keep in mind that when you use third-party OCR activities in Studio, data may be sent to and processed by these parties, subject to their privacy policies.

 

What personal data does UiPath process for support purposes?

 

If you have any troubleshooting issues, please reach out here for support. Please be mindful of the fact that UiPath does not require any sensitive data for support purposes and that any screenshot should be redacted before sending. UiPath deletes all data received for support purposes within 6 months of the ticket closure.

 

UiPath only requires your business contact details in order to identify you as our customer and to better be able to provide you the support you need. Please check the support terms for more information on how UiPath processes data for support.

 

Where can I address a data access or a data deletion request as a customer?

 

UiPath products are customizable so that you can change your automation flows and be in full control over your data. Depending on the products that you use, you may have built-in features to support you. However, if you are a customer and you have trouble addressing a data subject request, exporting or accessing your data, or deleting your data used with UiPath cloud products, please make a request here and we will swiftly reply.

 

What is the UiPath contact for privacy related questions?

 

If you have any concern or question about UiPath’s privacy practices, please contact us at privacy@uipath.com.

 


 

If you are interested in our blog articles on this topic, please click here.

 

Do check our Privacy Policy if you want more details about how UiPath handles personal data or make a request here.

Privacy

Personal Data Request

UiPath respects your privacy and your rights regarding your personal data.

 

If you want to know what personal data we process and why, please fill in this form.

 

Privacy by design

UiPath takes privacy really seriously, which is why it looks at privacy by design functionalities before every new product release. The privacy audit is an important component of UiPath’s global privacy compliance program. UiPath products are customizable, which means that you have full control over the data used with the UiPath RPA Platform. Depending on the type of product that you use, we offer different functionalities, as described in the product manuals available here, so please make sure that you choose the UiPath products that best fit your compliance needs.

 

Please make sure that you comply with your applicable privacy laws when designing the workflows and using the UiPath RPA Platform. If you want your data to stay fully on your infrastructure (machines, private cloud, private network), please use the on premise UiPath RPA Platform.

 

Privacy by design in UiPath software supports the customer with the following:

  • Detailed logging and audit data are available in Orchestrator
  • Access rights can be managed at a granular level in Orchestrator in order to enforce access controls
  • User credentials are stored confidentially and encrypted
  • It allows integration with single sign-on authentication based on SAML 2.0
  • Data is encrypted in transit between the robots and Orchestrator
  • By default, passwords must contain 8 characters, including at least one letter and one digit

 

Recommendations for Customers using the UiPath RPA Platform:

  • Do not use personal data or sensitive information in design time when designing the workflow
  • Do not use sensitive information with beta releases of UiPath products
  • Configure access rights in Orchestrator on a need-to-know basis
  • Keep in mind that assets can be edited or removed if they contain personal data
  • Encrypt the connection with an SQL server for an extra layer of protection of data at rest
  • Change your password settings if you want to improve password complexity
  • Enable security alerts
  • Cut access to the internet on the machines on which the UiPath RPA Platform is deployed if you use the on premise products
  • Send only redacted information for support purposes
  • Check here for more security practices

 

Privacy principles for UiPath Sub-processors

Scope and principles

 

UiPath respects core data protection principles and laws. In order to ensure a high level of data protection, an intra-company agreement sets the standard for personal data transfer and handling, in accordance with the EU data protection rules.

 

Processing of personal data

 

UiPath sub-processors must comply with the instructions provided by UiPath as a controller and with the EU data protection legislation. The purpose and the categories of personal data processed are expressly defined and specified in the data processing agreements together with the processing activities. No personal data shall be processed without a legal basis. Every processing agreement establishes how the rights of the data subjects will be observed and implemented.

 

Personal data trans-border transfers

 

Personal data trans-border transfers outside the UiPath group of companies are allowed only if an adequate level of personal data protection is ensured, either by signing standard contractual clauses or by having in place binding corporate rules, codes of conduct or certification mechanisms.

 

Audits and inspections

 

UiPath has the right to conduct inspections and audits at the premises of the sub-processors for the part of the business involving UiPath data. Alternatively, UiPath sub-processors will present recognized audit reports conducted by professional third parties, such as ISO 27001 or SOC 2 reports, at least once a year. UiPath has a vendor security assessment framework and imposes best industry standards on its sub-processors with access to customer data.

 

Cooperation

 

UiPath sub-processors shall cooperate in carrying out any data protection impact assessment and in addressing any requests from the data subjects or from the competent authority.

 

Security of personal data

 

The security of personal data is ensured by establishing appropriate security measures in line with the risk of the processing activities. UiPath sub-processors have to notify UiPath, without undue delay, of any personal data security breach at security.breach@uipath.com. The processing of personal data shall be done only by authorized personnel bound by confidentiality duties.

UiPath Sub-processors

Download the UiPath Sub-processors.

 

UiPath Group Entities

Download the UiPath Group Entities.

 

Data Processing Agreement

Download the Data Processing Agreement.