Privacy
At UiPath we consider privacy an essential part of the business. This is why we commit to apply one of the strictest privacy standards, the European General Data Protection Regulation (GDPR), with respect to all our products. GDPR is reflected in UiPath’s intercompany agreements and in UiPath’s global privacy policy available here. UiPath has a dedicated team focused on privacy compliance and conducts internal privacy assessments before new products and services are released for our customers to use.
In order to satisfy the customer’s different privacy compliance needs, UiPath offers both on-premise and cloud software. Therefore, the customer can choose to use the UiPath RPA Platform fully on its infrastructure, without any data going outside the customer’s environment.
By implementing GDPR, UiPath also commits to:
If you enter into a licensing agreement with UiPath, we will process your business contact details for contract performance. We will process this data in accordance with the GDPR and in order to meet our contractual and legal requirements. Contract performance includes providing you the license codes, account activations, contracts and business accounts management, support and communications related to the products and services you are using.
UiPath processes your contact details in order to send you the latest updates, releases and news about our products and events or to ask for your feedback using UiPath products, as a based on your contractual relation with UiPath or with your consent.
If you use personal data with UiPath cloud products, they will be processing data on your behalf and UiPath will be considered a data processor under the GDPR. This means that you are the controller and thus, you are in control of the personal data you use with our products.
When you use the UiPath Cloud Platform, UiPath may have access to user data and data available in Orchestrator - a core component of the UiPath Cloud Platform that allows customers to manage their fleet of robots from a central control panel.
All customer data in each data store that makes up our service stack will be encrypted.
UiPath processes two categories of data when using UiPath Cloud Platform: (1) customer data and (2) system-generated logs. Customer data includes user-identifiable transactional and interactional data that we need to operate the service and manage your contract with UiPath. System-generated logs include service usage data that may be aggregated and contain pieces of customer data. From a GDPR standpoint, UiPath is considered a data processor in relation to system-generated logs if they contain personal data. UiPath honors all obligations of a data processor by providing customers with full control over their data, in accordance with the product architecture.
UiPath is transparent about the sub-processors it uses and about the locations where your data is primarily stored when using cloud products. More details can be found here.
More details about the terms which govern the use of the UiPath Cloud Platform can be found here. The Data Processing Agreement which applies when personal data is used with the Platform can be found here.
Please be mindful of the fact that if you use UiPath products in Private Preview or Trial you may have restrictions on using personal data or sensitive data with the products.
UiPath maintains strict control over who has access to production environment and customer data. Access is only granted at the level of least privilege and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service. Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operation staff were to be stolen, data is still protected because we use two-factor authentication for all production system access.
To ensure that personal data is protected in accordance with GDPR when shared with its affiliates or with its sub-processors, UiPath uses the following personal data transfer mechanisms:
UiPath Inc. is an active participant of the Privacy Shield Framework. For more information please click here.
(*)When GDPR became effective, UiPath has signed Standard Contractual Clauses with its affiliates and has imposed GDPR policies and standards, globally, among its entities. Privacy Shield was used by UiPath as an additional transfer mechanism and not as the primary transfer mechanism, which is why the recent ruling of the European Court of Justice does not affect the protection or transfer of personal data of European customers. With its sub-processors, UiPath has concluded data processing agreements in accordance with GDPR, ensuring that any transfer mechanism used will be in compliance with the European legislation.
Generally, our products can be used both on-premise or in the cloud, depending on your specific needs and applicable laws. When you are using the on-premise version of our products, only you will have access to the data used with the product.
Some of the things you can do to internally secure your data are:
Please have in mind that when you use OCR activities in Studio from third parties, data may be sent and processed by these parties subject to their privacy policies.
If you have any troubleshooting issues, please reach out here for support. Please be mindful of the fact that UiPath does not require any sensitive data for support purposes and that any screenshot should be first redacted before sending. UiPath deletes all data received for support purposes within 6 months of the ticket closure.
UiPath only requires your business contact details in order to identify you as our customer and to provide you the support you need. Please check the support terms for more information on how UiPath processes data for support.
UiPath products are customizable so that you can change your automation flows and be in full control over your data. Depending on the products that you use you may have built in features to support you. However, if you are a customer and you have trouble with addressing a data subject request, exporting or accessing your data or with deleting your data used with UiPath Cloud products, please submit a request here or here and we will swiftly reply.
If you have any concern or question about UiPath’s privacy practices please contact us at privacy@uipath.com.
If you are interested in our blog articles on this topic please click here.
Do check our Privacy Policy if you want more details about how UiPath handles personal data or make a request here.
UiPath respects your privacy and your rights regarding your personal data.
If you want to know what personal data we process and why, please fill in this form.
UiPath takes privacy really seriously, which is why it looks at privacy by design functionalities before every new product release. The privacy audit is an important component of UiPath’s global privacy compliance program. UiPath products are customizable, which means that you have full control over the data used with the UiPath RPA Platform. Depending on the type of product that you use, we offer different functionalities, as described in the product manuals available here, so please make sure that you choose the UiPath products that best fit your compliance needs.
Please make sure that you comply with your applicable privacy laws when designing the workflows and using the UiPath RPA Platform. If you want your data to stay fully on your infrastructure (machines, private cloud, private network), please use the on-premise UiPath RPA Platform.
Privacy by design in UiPath software supports the customer with the following:
Recommendations for Customers using the UiPath RPA Platform:
UiPath respects core data protection principles and laws. In order to ensure a high level of data protection, an intra-companies agreement sets the standard for personal data transfer and handling, in accordance with the EU data protection rules.
UiPath sub-processors must comply with the instructions provided by UiPath as a controller and with the EU data protection legislation. The purpose and the categories of personal data processed are expressly defined and specified in the data processing agreements together with the processing activities. No personal data shall be processed without a legal basis. Every processing agreement establishes how the rights of the data subjects will be observed and implemented.
Personal data trans-border transfers outside the UiPath group of companies are allowed only if an adequate level of personal data protection is ensured, either by signing standard contractual clauses, by having in place binding corporate rules, codes of conduct or certification mechanisms.
UiPath has the right to conduct inspections and audits at the premises of the sub-processors for the part of the business involving UiPath data. Alternatively, UiPath sub-processors will present recognized audit reports conducted by professional third parties, such as ISO 27001 or SOC II reports, at least once a year. UiPath has a vendor security assessment framework and imposes best industry standards on its sub-processors with access to customer data.
UiPath sub-processors shall cooperate for carrying out any data protection impact assessment and for addressing any requests from the data subjects or from the competent authorities.
The security of personal data is ensured by establishing appropriate security measures in line with the risk of the processing activities. UiPath sub-processors have to notify, without undue delay, any personal data security breach at security.breach@uipath.com. The processing of personal data shall be done only by authorized personnel bound by confidentiality duties.
Download the UiPath Sub-processors list.
Download the UiPath Group Entities list.
Download the Data Processing Agreement.
