Privacy

Privacy at UiPath

At UiPath we consider privacy an essential part of the business. This is why we commit to applying one of the strictest privacy standards, the European General Data Protection Regulation (GDPR), with respect to all our products. GDPR is reflected in UiPath’s intercompany agreements and in UiPath’s global privacy policy available here. UiPath has a dedicated team focused on privacy compliance and conducts internal privacy assessments before new products and services are released for our customers to use.

In order to satisfy the customer’s different privacy compliance needs, UiPath offers both on-premise and cloud software. Therefore, the customer can choose to use the UiPath RPA Platform fully on its infrastructure, without any data going outside the customer’s environment.

By implementing GDPR, UiPath also commits to:

  • best industry standards regarding information security as described here

  • privacy by design for all UiPath products as described here

  • imposing similar privacy requirements on its sub-processors. The principles imposed on UiPath sub-processors can be accessed here

  • keeping your data confidential

  • What personal data does UiPath process if you are a customer?

    If you enter into a licensing agreement with UiPath, we will process your business contact details for contract performance. We will process this data in accordance with the GDPR and in order to meet our contractual and legal requirements. Contract performance includes providing you the license codes, account activations, contracts and business accounts management, support and communications related to the products and services you are using.

    UiPath processes your contact details in order to send you the latest updates, releases and news about our products and events or to ask for your feedback on using UiPath products, based on your contractual relation with UiPath or with your consent.

    What personal data is received by UiPath when you use our cloud products?

    If you use personal data with UiPath cloud products, they will be processing data on your behalf and UiPath will be considered a data processor under the GDPR. This means that you are the controller and thus, you are in control of the personal data you use with our products.

    When you use the UiPath Cloud Platform, UiPath may have access to user data and data available in Orchestrator - a core component of the UiPath Cloud Platform that allows customers to manage their fleet of robots from a central control panel.

    All customer data in each data store that makes up our service stack will be encrypted.

    UiPath processes two categories of data when using UiPath Cloud Platform: (1) customer data and (2) system-generated logs. Customer data includes user-identifiable transactional and interactional data that we need to operate the service and manage your contract with UiPath. System-generated logs include service usage data that may be aggregated and contain pieces of customer data. From a GDPR standpoint, UiPath is considered a data processor in relation to system-generated logs if they contain personal data. UiPath honors all obligations of a data processor by providing customers with full control over their data, in accordance with the product architecture.

    UiPath is transparent about the sub-processors it uses and about the locations where your data is primarily stored when using cloud products. More details can be found here.

    More details about the terms which govern the use of the UiPath Cloud Platform can be found here. The Data Processing Agreement which applies when personal data is used with the Platform can be found here.

    Please be mindful of the fact that if you use UiPath products in Private Preview or Trial you may have restrictions on using personal data or sensitive data with the products.

    Does UiPath have access to your production data?

    UiPath maintains strict control over who has access to the production environment and customer data. Access is only granted at the level of least privilege and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service. Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operations staff were to be stolen, data is still protected because we use two-factor authentication for all production system access.

    How does UiPath ensure safe personal data transfers between its affiliates or with its sub-processors when cloud products are used?

    To ensure that personal data is protected in accordance with GDPR when shared with its affiliates or with its sub-processors, UiPath uses the following personal data transfer mechanisms:

    • Standard Contractual Clauses as approved by the decisions of the European Commission

    • Privacy Shield certification mechanism, for personal data transfers from the EU or Switzerland to the USA

    • (*)UiPath Inc. is an active participant of the Privacy Shield Framework. For more information please click here.

    (*)When GDPR became effective, UiPath signed Standard Contractual Clauses with its affiliates and imposed GDPR policies and standards, globally, among its entities. Privacy Shield was used by UiPath as an additional transfer mechanism and not as the primary transfer mechanism, which is why the recent ruling of the European Court of Justice does not affect the protection or transfer of personal data of European customers. With its sub-processors, UiPath has concluded data processing agreements in accordance with GDPR, ensuring that any transfer mechanism used will be in compliance with the European legislation.

    Will UiPath have access to the personal data you use with the on-premise software?

    Generally, our products can be used either on-premise or in the cloud, depending on your specific needs and applicable laws. When you are using the on-premise version of our products, only you will have access to the data used with the product.

    Some of the things you can do to internally secure your data are:

    • Implement an access management system, allowing access only to authorized staff

    • Limit access to the internet on the machines on which the UiPath RPA Platform is installed

    • If you have users accessing the UiPath RPA Platform remotely, ensure a VPN connection

    • Ensure that your network is secure

    • Do not send personal data for support/maintenance purposes; use only anonymized or dummy data for this purpose

    • Make sure that you install the relevant updates to the software

    Please keep in mind that when you use OCR activities in Studio from third parties, data may be sent and processed by these parties subject to their privacy policies.

    What personal data does UiPath process for support purposes?

    If you have any troubleshooting issues, please reach out here for support. Please be mindful of the fact that UiPath does not require any sensitive data for support purposes and that any screenshot should be first redacted before sending.

    UiPath only requires your business contact details in order to identify you as our customer and to provide you the support you need. Please check the support terms for more information on how UiPath processes data for support.

    Where can I address a data access or a data deletion request as a customer?

    UiPath products are customizable so that you can change your automation flows and be in full control over your data. Depending on the products that you use you may have built in features to support you. However, if you are a customer and you have trouble with addressing a data subject request, exporting or accessing your data or with deleting your data used with UiPath Cloud products, please submit a request here or here and we will swiftly reply.

    What is the UiPath contact for privacy related questions?

    If you have any concern or question about UiPath’s privacy practices please contact us at privacy@uipath.com.

    If you are interested in our blog articles on this topic please click here.

    Do check our Privacy Policy if you want more details about how UiPath handles personal data or make a request here.

  • Personal Data Request

    UiPath respects your privacy and your rights regarding your personal data.

    If you want to know what personal data we process and why, please fill in this form.

  • Privacy by design

    UiPath takes privacy really seriously, which is why it looks at privacy by design functionalities before every new product release. The privacy audit is an important component of UiPath’s global privacy compliance program. UiPath products are customizable, which means that you have full control over the data used with the UiPath RPA Platform. Depending on the type of product that you use, we offer different functionalities, as described in the product manuals available here, so please make sure that you choose the UiPath products that best fit your compliance needs.

    Please make sure that you comply with your applicable privacy laws when designing the workflows and using the UiPath RPA Platform. If you want your data to stay fully on your infrastructure (machines, private cloud, private network), please use the on-premise UiPath RPA Platform.

    Privacy by design in UiPath software supports the customer with the following:

    • Detailed logging and audit data are available in Orchestrator

    • Access rights can be managed at a granular level in Orchestrator in order to enforce access controls

    • User credentials are encrypted and stored confidentially

    • It allows integration with single sign on authentication based on SAML 2.0

    • Data is encrypted in transit between the robots and Orchestrator

    • The passwords must contain by default 8 characters, including at least one letter and one digit

    Recommendations for Customers using the UiPath RPA Platform:

    • Do not use personal data or sensitive information in design time when designing the workflow

    • Do not use sensitive information with beta releases of UiPath products

    • Configure access rights in Orchestrator on a need to know basis

    • Keep in mind that assets can be edited or removed if they contain personal data

    • Encrypt the connection with an SQL server for an extra layer of protection of data at rest

    • Change your password settings if you want to improve password complexity

    • Enable security alerts

    • Cut access to the internet on the machines on which the UiPath RPA Platform is deployed if you use the on-premise products

    • Send only redacted information for support purposes

    • Check more security practices here

  • Privacy principles for UiPath Sub-processors

    Scope and principles

    UiPath respects core data protection principles and laws. In order to ensure a high level of data protection, an intra-companies agreement sets the standard for personal data transfer and handling, in accordance with the EU data protection rules.

    Processing of personal data

    UiPath sub-processors must comply with the instructions provided by UiPath as a controller and with the EU data protection legislation. The purpose and the categories of personal data processed are expressly defined and specified in the data processing agreements together with the processing activities. No personal data shall be processed without a legal basis. Every processing agreement establishes how the rights of the data subjects will be observed and implemented.

    Personal data trans-border transfers

    Personal data trans-border transfers outside the UiPath group of companies are allowed only if an adequate level of personal data protection is ensured, either by signing standard contractual clauses, by having in place binding corporate rules, codes of conduct or certification mechanisms.

    Audits and inspections

    UiPath has the right to conduct inspections and audits at the premises of the sub-processors for the part of the business involving UiPath data. Alternatively, UiPath sub-processors will present recognized audit reports conducted by professional third parties, such as ISO 27001 or SOC II reports, at least once a year. UiPath has a vendor security assessment framework and imposes best industry standards on its sub-processors with access to customer data.

    Cooperation

    UiPath sub-processors shall cooperate for carrying out any data protection impact assessment and for addressing any requests from the data subjects or from the competent authorities.

    Security of personal data

    The security of personal data is ensured by establishing appropriate security measures in line with the risk of the processing activities. UiPath sub-processors have to notify, without undue delay, any personal data security breach at security.breach@uipath.com. The processing of personal data shall be done only by authorized personnel bound by confidentiality duties.

  • UiPath Sub-processors

    UiPath uses sub-processors for performing its business operations. All sub-processors used by UiPath are bound by contractual agreements, which include confidentiality and security obligations, to comply with applicable privacy laws and mainly with the GDPR.

    The list below is a list of the sub-processors used in connection with UiPath’s cloud products and will be updated from time to time. UiPath will notify you of the changes if you use cloud products.

    Download the UiPath Sub-processors list.

    The previous version dated Sept. 27, 2022 can be found here.

  • UiPath Group Entities
  • Data Processing Agreement

    Download the Data Processing Agreement: English, Japanese(*).

    (*)The Japanese version applies to Japanese customers who have signed or otherwise accepted a license agreement with UiPath KK.
