UiPath Security

UiPath maintains an ISO 27001:2013 certification for all of our core platform products and cloud services. Our ISO 27001 certification shows that UiPath has adopted a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. Our ISO 27001 Certification can be found here.

Cyber Security Governance

UiPath recognizes the importance of implementing appropriate technical and organizational security measures in order to prevent any unauthorized access, disclosure, alteration or destruction of such data. For this purpose, UiPath implements industry standard security controls and maintains a comprehensive security program.

Risk Management

UiPath has a risk management process in place based on which it designs the set of security controls meant to reduce security risks to an acceptable level. A Risk Assessment is conducted at least annually and identified risks are mitigated according to risk severity and business priorities and captured in a Risk Treatment Plan.

Access Controls

Users are only granted access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes. The access rights of all users to information are granted as appropriate for conducting their duties and removed upon resignation or termination of employment, contract or agreement, or adjusted upon a change in role.

Access to all systems is protected by two factor authentication and a strong password policy. Users' access to business applications is controlled and logged. UiPath has logging enabled for log-on activities on systems and generates alerts for unusual log-on behavior.

Owners of critical business systems and applications have the responsibility to grant, review and remove users’ access, as defined in UiPath’s Access Control Policy and giving consideration to the concepts of least privilege and segregation of duties.

Password Policy

UiPath employs a strong Password Policy, along with multi-factor authentication and single sign-on on all enterprise applications and systems. Users have the responsibility to maintain the confidentiality of their passwords, as described in the Password Policy.

Asset Management

Within UiPath, information assets are protected throughout the information life cycle, including entry into UiPath’s systems, secure data transmission, and appropriate data access, storage, retention and disposal.

UiPath requires all its employees, contractors and third parties to respect a set of security measures when handling UiPath devices and information, as defined in the Acceptable Technology Use Policy.

All UiPath assets holding Confidential Data have an identified Asset Owner and are kept in an inventory that covers the entire lifecycle from purchase to disposal. Return of all equipment and secure disposal of data upon contract termination with employees or contractors is ensured.

All UiPath information assets are appropriately classified in terms of value, legal and contractual requirements to enable employees to handle them appropriately.

Acceptable Use

UiPath had defined and communicated to its employees the requirements for acceptable use of UiPath's resources in order mitigate the risk of unauthorized access to UiPath equipment, as well as use and modification of information assets. These include clear desk and clear screen rules, data handling requirements, password maintenance, equipment security and breach reporting / incident notification.

Disposal and destruction

UiPath has controls in place to mitigate the risk of improper and unsecure disposal and destruction of data, technology equipment and components owned by UiPath, including shredding hardcopy records which contain internal and confidential information, overwriting or physically destroying removable media, erasing or destroying mobile devices and securely erasing storage space allocated by cloud services, according to the cloud provider’s methodology.

Our Acceptable Use Policy restricts the storage of Customer Data locally, on the user’s device or on removable media.

For more information on the deletion of customer data, please refer to our Privacy controls.

Mobile devices and teleworking

Devices which access to Confidential Information are adequately protected, according to UiPath’s Managed Devices Policy. UiPath will, in limited circumstances, allow users to utilize their personal devices to access UiPath business resources. Users’ responsibilities and access to mobile devices containing non-public corporate information are restricted and controlled according to the BYOD Policy.

UiPath devices have security measures enforced on them and they are monitored for compliance deviations. Software installations on all UiPath systems is controlled by our operational security policy, which restricts and tightly controls installation of unwanted software.

Teleworking is part of our culture and we do our best to make sure it is done securely. Teleworkers who access any UiPath Business information from remote locations are required to comply with the Teleworking Policy.

Human Resources Security

UiPath ensures that employees agree to terms and conditions concerning confidentiality and information security appropriate to the nature and extent of access they will have to the organization’s assets and that go beyond the duration of the employment contract.

Upon termination of a work relationship, all access to information environments is removed and company assets are retrieved.

Responsibilities regarding information security are communicated to UiPath employees and they are informed that disciplinary actions can be taken against them based on violations of policies and procedures. We make sure all UiPath employees receive awareness trainings regarding UiPath policies as well as security risks and the protection of sensitive data.

UiPath takes preventive measures prior to employment in the form of Background Checks, as prescribed by our Background Checks Policy.

Cryptographic Controls

Only industry-standard algorithms for encryption and key strength approved by UiPath Engineering and IT departments are used to encrypt UiPath data and assets used in production or business use cases. At minimum, Uipath encryption is used to protect UiPath and customer or third-party non-public data in transit across public environments.

Additionally, encryption is used to protect UiPath and customer or other third-party data over which UiPath has custodianship at rest. UiPath uses known Certificate Authorities for the issuance of public key certificates. Keys have defined activation and deactivation dates so they can only be used for a limited period of time and they are protected from modification, loss, destruction and unauthorized disclosure during their use, storage, and handling (lifecycle). Keys are replicated/ duplicated as necessary to execute necessary backup and disaster recovery activities.

The use of cryptography is monitored to ensure compliance with applicable regulations.

Third party risk management

UiPath maintains a Third-party Vendor Risk Management Program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process or host UiPath data or have access to UiPath network and systems.

UiPath concludes data protection agreements and imposes security requirements on its vendors in order to ensure that at least the same level of confidentiality and data security is implemented by its sub-contractors as the ones applicable to UiPath.

The list of security requirements required from our vendors is available here.

UiPath maintains the right to perform audits in order to monitor the compliance of its sub-contractors with the agreed technical and organizational measures regarding data confidentiality and security.

Physical security

Physical security measures are designed to prevent unauthorized physical access or damage caused by physical and environmental threats to UiPath's employees, premises, system and network devices and information, as well as interruptions to the organization's activities. The level of security measures, policies and procedures implemented are commensurate with the risks and particular legal, regulatory or contractual requirements associated with each facility.

Access to premises is monitored through access controls, such as individual badges and through video surveillance. Asset movement controls are in place and the buildings are protected for seismic, flood and other similar risks. Data availability and continuity of service is ensured by using top cloud service providers.

Incident Management

Uipath has a strong process in place to provide a rapid and effective response to security incidents, in order to minimize risks while ensuring the availability of information systems.

In order to respond to incidents effectively and timely, UiPath Incident Management teams are ready to take necessary actions to contain the threat, eradicate the source of the incident and restore the affected systems, information and data.

Incident responders track the incident root causes, the lessons learned in the incident management system and propose continuous improvements to system and data owners.

Based on the material nature of a major incident, the UiPath legal team will initiate contact with affected parties outside of UiPath in accordance with regulatory and contractual obligations.

Business Continuity

UiPath utilizes a decentralized office approach to leverage cloud-based services. Users are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones.

Awareness and Training

UiPath informs all employees and contractors regarding their obligations around information security. We provide annual training to our employees to help improve the company’s cyber hygiene and protect UiPath assets.

Monitoring, testing and reviewing

UiPath conducts periodic reviews of security policies and practices through independent third-party auditing services, as well as internal assessments as deemed appropriate. The policies are reviewed and updated regularly to ensure that they comply with changes to the law, adopted standards, organizational policies, contractual obligations and that they are appropriate to the risks faced by the company.

Operations and network security

Intrusion prevention and detection systems and firewalls are in place to protect our network.

Separation of test, development and operational facilities is ensured.

Appropriate anti-malware protection is maintained.

Regular backups of essential business information are maintained through Microsoft Azure for UiPath online services. An appropriate backup cycle is used and documented.

Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed.

Information about technical vulnerabilities of information systems being used is obtained in a timely fashion and the organization’s exposure to such vulnerabilities is evaluated and appropriate measures are taken to address the associated risk.

Roles and responsibilities

UiPath defines information security related roles and responsibilities across the organization: Executive management (CIO, CPO, CTO, CLO); Employees and contingent staff. The information security functions, roles and responsibilities are organized and defined by the Product Trust Management Board (PTMB), which establishes and ensures the security governance within the organization.

Our security, availability, and confidentiality commitments for our Cloud Platform include, but are not limited to, the following:

• Operational Practices — A range of security and confidentiality controls designed to address the security and confidentiality criteria of UiPath Cloud Platform. Such security and confidentiality controls include a role-based access management system that permits and restricts user access to customer data, based on roles and responsibilities and a formal process for granting and revoking access.
• Product Security — A range of security controls UiPath implements to keep the UiPath Cloud Platform and customer’s data safe. This includes the use of encryption technologies to protect customer data at rest and in transit and continuous testing of application attack surface.
• Reliability and Availability — Hosting data with Atlassian’s cloud hosting partners while focusing on product resiliency to minimize downtime, as well as optimal performance with redundancy and failover options globally while maintaining multiple locations and availability zones across regions.
• Security Process — A range of methods to detect security defects, that allows UiPath to address identified gaps as soon as possible to minimize impact. This includes continuous monitoring, alerting and incident management

Cloud Platform

When using UiPath Cloud Platform, your data will benefit from multiple layers of security and governance technologies, operational practices, and compliance policies that UiPath enforces.

Service-design principles

All of the services packaged together as UiPath Cloud Platform are delivered via a Software-as-a-Service (SaaS) model that’s built and hosted in Microsoft Azure. They all use core Azure services, including compute, storage, networking, SQL database, app configuration, secret storage in Key Vault, and identity and access management. This allows us to focus on the unique aspects of running UiPath’s services while taking advantage of, and building upon, Azure’s state-of-the-art capabilities in security, privacy, and compliance. We also utilize the industry certifications available through Azure. At UiPath, we share the responsibility of protecting your data with Azure and strictly adhere to the guidance they publish.

Data encryption

We encrypt all customer data at rest in any data store that is part of our service. For example, we use transparent data encryption in SQL databases. All data is transmitted over protected channels, whether it travels over the Internet or within our internal service components.

Identity and access management

We support account creation in our Cloud Platform using a variety of identity service providers, such as Google, Microsoft, and LinkedIn, as well as through native accounts. Post account creation, our services manage a given user’s access rights using application-managed, role-based access control checks. Our on-premises customers have long used Orchestrator’s roles-based account control (RBAC). With the introduction of Tenant Management in our Cloud Platform, we now have similar RBAC controls for our Cloud Platform to provide a seamless experience for our customers.

Tenant data isolation

Data from each tenant is logically separated from others in our service so that we can enforce access and authorization controls for all tenants as they access data inside our service.

Package integrity

Starting with the 2019 fast-track release of our core platform, we added the ability to sign packages and workflows that are uploaded into Orchestrator. As an aside, Cloud Platform customers automatically receive the latest updates, meaning our Cloud Platform customers also get this new, additional protection. Customers can publish packages to UiPath-managed Cloud Platform Orchestrator with confidence and not worry about package integrity and corresponding business impact in the event that a server-side compromise occurred.

Privacy

UiPath collects two categories of data from users to operate and improve UiPath Cloud Platform Services:

1. Customer data: Includes user-identifiable transactional and interactional data that we need to operate the service and to manage your contract with UiPath

2. System-generated logs: Includes service-usage data that may be aggregated and contain pieces of customer data.

From a GDPR standpoint, UiPath is considered a data processor. As such, we honor all obligations of a data processor by providing customers with full control over their data, in accordance with the product architecture and implementation. We have ensured that we can export all of your data for you upon request. Should you close your account with UiPath Cloud Platform, or otherwise request data deletion, we delete that data from our systems after the requisite 30-day soft-delete period. We recommend our customers assess if their use of our Cloud Platform is in line with their privacy obligations. For more information about UiPath’s privacy statement, how UiPath processes your data when using online services, and GDPR commitments, please visit our Privacy Policy.

Data residency and sovereignty

We know our customers care deeply about data location. As of late-2019, we now support two separate server regions, US and EU (Ireland). Resources associated with unpaid user accounts are stored in EU. The location of services for paid users is based on the location of the user. We will serve all content, and store all data, for the user in the region that matches the paid user’s location and sovereignty requirements. We may continue to add additional regions as we see our customer base grow.

Security and compliance practices

UiPath addresses the following aspects of security and compliance in order to help prevent breaches and uphold the highest standards for data security, privacy, and availability:

Systems hardening

UiPath Cloud Services use Azure's Platform-as-a-Service (PaaS) offering for much of its infrastructure. PaaS automatically provides regular updates for known security vulnerabilities.

Secure development life cycle

UiPath security and development teams work hand in hand to address security threats throughout the development process of UiPath Cloud Platform. Teams perform threat modeling during service design. They adhere to design and code best practices and verify security in the final product using a multi-pronged approach that leverages internally built tools, commercial static and dynamic analysis tools, internal penetration testing, and external bug bounty programs. We also monitor vulnerabilities introduced in our code base through third-party libraries and minimize our dependency on these libraries and corresponding exposure. Because the security landscape is continually changing, our teams stay current with the latest in best practices. We also enforce annual training requirements for all engineers and operations personnel working on UiPath Cloud Platform.

Service and data availability

Ensuring that UiPath’s Cloud Platform services are available so you can access your organization’s assets is of the utmost importance to us. That is why we rely on Azure’s backup mechanism and practice data recovery. We employ other fail-safes to help ensure availability. A malicious distributed denial-ofservice (DDoS) attack, for example, could affect UiPath Cloud Platform service availability. Azure has a DDoS defense system that helps prevent attacks against our service. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits. The system is designed not only to withstand attacks from the outside, but also from within Azure.

Live site testing

We emulate adversarial tactics on our services and underlying infrastructure using internal red teams. The goal is to identify real-world vulnerabilities, configuration errors, and other security gaps in a controlled manner so that we can test the effectiveness of our prevention, detection, and response capabilities.

Security incident response

We strive to minimize the attack surface of our services and go to great lengths to reduce the probability of a data breach ever occurring. Nevertheless, security incidents can still happen. In the event of a breach, we use security response plans to minimize data leakage, loss, or corruption. We provide transparency to our customers throughout the incident. Our 24x7 SRE and Security team is always on hand to rapidly identify the issue and engage the necessary development team resources to contain the impact of the incident. Once the team has contained an issue, our security incident management process continues as we identify the root cause and track the necessary changes to ensure we prevent similar issues in the future.

Production access control

We maintain strict control over who has access to our production environment and customer data. Access is only granted at the level of least privilege required and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service. Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operation staff were ever stolen, data is still protected because we use two-factor authentication for all production system access.

Secrets Management

Secrets that we use to manage and maintain the service, such as encryption keys, are managed, stored, and transmitted securely through the Azure Management Portal. All secrets are rotated on a regular cadence and can be rotated on-demand in the case of a security event.

UiPath platform on premises

UiPath platform on premises components are always installed in the customer environment. Based on past experiences with our customers we can make the following security recommendations:

• Password Policy: The default password policy states that all user passwords should contain at least 8 characters and at least one letter and a digit. This can be changed and made more complex in the Settings page, in the Security tab.
• Encrypting the Web . config File Encrypt the SecureAppSettings section of the Web . config file. To see how this can be done, please see the Encrypting Web . config Sections topic.
• Disabling the Auto-complete Feature in Your Browser: The auto-complete feature available in most web browsers is not completely safe. To make sure that nobody can discover your Orchestrator login password, it is recommended that you disable the aforementioned functionality in your preferred browser.
• Changing the Default System Admin Password: Change the default system administrator password (that was communicated to you by our team). You can do this by editing the user profile information.
• Not Selecting the Remember Me Check Box: When you first log in to Orchestrator, do not select the Remember Me password. This helps you log out of the current session every time.
• Limiting the Cookie Session Timeout Period: By default, the authorization cookie expires after 60 minutes. You can limit this time by changing the value of the Auth.Cookie.Expire parameter, in the Web . config file.
• Using Trusted SSL Certificates: While enforcing an HTTPS connection is important, just as important is to have an SSL certificate from a trusted provider. Additionally, you can remove the HTTP binding.
• Adding Cache-Control: We recommend adding security caching directives, so as to hide sensitive information that may be displayed in HTTP headers.
• Enabling Transparent Data Encryption on SQL Server. We recommend adding this setting for environments where robots may be processing sensitive data in queues over long periods of time and data protection is a concern.
• Additional Security Best Practices may be found online here.

Monitoring and Logging

The UiPath suite has configurable logging capabilities, so it can log anything in a database and text files. It can be integrated with Nlog, or the Windows Events Log, Elastic Search Log, Server Log. Each step of the automation can be monitored and logged locally or in a central database. Logs are time-stamped files which contain informational events, error and warning messages relevant to the application. The logging process is subject to a high degree of customization at both Robot and Orchestrator level. The UiPath suite already has pre-built setting which you can use to have a standard logging model, but it also gives you the opportunity of creating customized logs based on your company requirements. If settings are left at the default level, a log entry will be generated every time a process is started, stopped, or encounters an error. At the highest configuration level of verbose, every single action that is performed by the robot is logged.

Web Services Security

All the web services are TLS Enabled (for TLS 1.2+). The communication can be over HTTP or HTTPS with any of the Web Services and with the Web Application. The exact ciphers and TLS version allowed are configured by the customer by changing the SCHANNEL settings of Windows Server where Orchestrator is installed. The Customer should provide the SSL certificate. The certificate can either be a Domain certificate (generated in IIS for that specific domain, and that can be used only in that domain) or can be a web security certificate generated by a Certification Authority (like VeriSign).

Encryption

All credential data stored in Orchestrator is encrypted. We use a FIPS compliant AES 256 algorithm for encrypting data at rest. HTTPS is the default for all data in transit. The exact TLS versions, ciphers, and certificate strength are all configurable. All versions of SSL/TLS and ciphers are supported by Orchestrator and robots.

Segregation of Duties

The Segregation of duties has been considered at the Orchestrator level. Orchestrator comes with two roles predefined: administrator and robot. The administrator role has full access to all components whereas the robot role is used for all robots. Any number of additional roles can be created to suit an organization’s needs. Create, read, update, and delete (CRUD) permissions can be defined for each component within Orchestrator. Multitenancy enables you to isolate data, with only one instance of Orchestrator. This feature facilitates automating different departments from your company and ensures the desired authorization of Orchestrator data per department. Any objects created in one tenant are not accessible from another including users, robots, processes, etc. However, please note that all the data is stored in the same database.

Starting with March 2020, the below products have received the Veracode Continuous Verified certificationUiPath PlatformUiPath Platform:

• UiPath Platform
• UiPath Cloud Platform
• UiPath Automation Hub

Veracode Verified Continuous is the highest level of the Verified program from Veracode, Leader in the Gartner Magic Quadrant for Application Security and builds on the security processes embedded in the development lifecycle of our products. This certification validates key aspects of our security strategy such as:

• Integration of security tools & processes into our product development workflows.
• Passing through comprehensive Security assessments including Static & Dynamic code analysis, Open Source Software vulnerability assessments, Manual Penetration Testing.
• Completion of issue mitigation review resulting in Zero medium or higher known vulnerabilities of our products in scope.
• A 30-day remediation timeline for continuously ensuring the highest security level.
• Secure Coding Practices training for our Engineering teams.
• Security Champion – passing through advanced security training and working together with our Engineering teams to ensure secure coding practices.

You can check out our certification status on the Veracode website here.

UiPath's Bug Bounty Program (“Program”) aims to leverage the expertise of HackerOne's ethical hacker community to find vulnerabilities in our RPA Platform and surrounding ecosystem in order to keep our customers, partners and community users safe from malicious activities.

The Program focuses on high priority items such as:

• Identifying and exploiting vulnerabilities in the implementation of Orchestrator and Robot that will permit escalation of privileges and perform out of rights/bound actions on Orchestrator.
• Identifying publicly discoverable/accessible service end-points for UiPath.
• Discovering management level secrets such as passwords.
• Gaining control over the Orchestrator machine(s) in an on-premise scenario where the threat actor (malicious entity) is not a provisioned user on Orchestrator at application layer or OS level but is able to join the network on which robot and Orchestrator is deployed.
• Using manual analysis or tools to conduct an objective evaluation of the Orchestrator application against OWASP Top 10 2017 Application Security Risks.
• Injecting or uploading executable code into Orchestrator application that eventually runs itself, via interactive methods or access through APIs.

Before every GA/Major release for our products, we run:

• Static Code analysis, 3rd Party Dependencies Vulnerability Scans, Dynamic analysis
• 3rd Party Dependencies scans - Licenses and Vulnerabilities
• Anti-Malware Scans

Issues found go through a triage process and through a remediation process, as necessary.