Security

Service-design principles

The Admin Portal and analyzer are delivered via a Software-as-a-Service (SaaS) model that’s built and hosted in Microsoft Azure. They all use core Azure services, including compute, storage, networking, SQL database, app configuration, secret storage in Key Vault, and identity and access management.

This allows us to focus on the unique aspects of running UiPath’s services while taking advantage of, and building upon, Azure’s state-of-the-art capabilities in security, privacy, and compliance. We also utilize the industry certifications available through Azure.

At UiPath, we share the responsibility of protecting your data with Azure and strictly adhere to the guidance they publish.

Data encryption

We encrypt all customer data at rest in any data store that is part of our service. For example, we use transparent data encryption in SQL databases.

All data is transmitted over protected channels, whether it travels over the Internet or within our internal service components.

Identity and access management

We support account creation in our Cloud Platform using a variety of identity service providers, such as Google, Microsoft, and LinkedIn, as well as through native accounts. Post account creation, our services manage a given user’s access rights using application-managed, role-based access control checks.

Tenant data isolation

Data from each tenant is logically separated from others in our service so that we can enforce access and authorization controls for all tenants as they access data inside our service.

Privacy

UiPath collects two categories of data from users to operate and improve UiPath Task Mining Services:

Customer data: Includes user-identifiable transactional and interactional data that we need to operate the service and to manage your contract with UiPath
System-generated logs: Includes service-usage data that may be aggregated and contain pieces of customer data

From a GDPR standpoint, UiPath is considered a data processor. As such, we honor all obligations of a data processor by providing customers with full control over their data, in accordance with the product architecture and implementation.

We have ensured that we can export all of your data for you upon request. Should you close your account with UiPath Task Mining, or otherwise request data deletion, we delete that data from our systems after the requisite 30-day soft-delete period.

We recommend our customers assess if their use of our cloud service is in line with their privacy obligations. For more information about UiPath’s privacy statement, how UiPath processes your data when using online services, and GDPR commitments, please visit our Privacy Policy.

Data residency and sovereignty

We know our customers care deeply about data location. We will serve all content, and store all data, for the user in the region that matches the paid user’s location and sovereignty requirements. To view the current set of regions supported, please visit Data Residency. We may continue to add additional regions as we see our customer base grow.

Note:

Data residency is enforced as we are now using Microsoft Cognitive Service for PII Masking and this works in relation with the tenant region.

Security and compliance practices

UiPath addresses the following aspects of security and compliance in order to help prevent breaches and uphold the highest standards for data security, privacy, and availability:

Systems hardening

UiPath Task Mining uses Azure's Platform-as-a-Service (PaaS) offering for much of its infrastructure. PaaS automatically provides regular updates for known security vulnerabilities.

Secure development life cycle

UiPath security and development teams work hand in hand to address security threats throughout the development process of UiPath Task Mining.

Teams perform threat modeling during service design. They adhere to design and code best practices and verify security in the final product using a multi-pronged approach that leverages internally built tools, commercial static and dynamic analysis tools, internal penetration testing, and external bug bounty programs.

We also monitor vulnerabilities introduced in our codebase through third-party libraries and minimize our dependency on these libraries and corresponding exposure. Because the security landscape is continually changing, our teams stay current with the latest in best practices. We also enforce annual training requirements for all engineers and operations personnel working on UiPath cloud services.

Service and data availability

Ensuring that UiPath’s Task Mining services are available so you can access your organization’s assets is of the utmost importance to us. That is why we rely on Azure’s backup mechanism and practice data recovery.

We employ other fail-safes to help ensure availability. A malicious distributed denial-of-service (DDoS) attack, for example, could affect UiPath Task Mining service availability. Azure has a DDoS defense system that helps prevent attacks against our service. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits.

The system is designed not only to withstand attacks from the outside but also from within Azure.

Live site testing

We emulate adversarial tactics on our services and underlying infrastructure using internal red teams.

The goal is to identify real-world vulnerabilities, configuration errors, and other security gaps in a controlled manner so that we can test the effectiveness of our prevention, detection, and response capabilities.

Security incident response

We strive to minimize the attack surface of our services and go to great lengths to reduce the probability of a data breach ever occurring. Nevertheless, security incidents can still happen.

In the event of a breach, we use security response plans to minimize data leakage, loss, or corruption. We provide transparency to our customers throughout the incident. Our 24x7 SRE and Security team is always on hand to rapidly identify the issue and engage the necessary development team resources to contain the impact of the incident.

Once the team has contained an issue, our security incident management process continues as we identify the root cause and track the necessary changes to ensure we prevent similar issues in the future.

Production access control

We maintain strict control over who has access to our production environment and customer data.

Access is only granted at the level of least privilege required and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service.

Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operation staff were ever stolen, data is still protected because we use two-factor authentication for all production system access.

Secrets management

Secrets that we use to manage and maintain the service, such as encryption keys, are managed, stored, and transmitted securely through the Azure Management Portal.

All secrets are rotated on a regular cadence and can be rotated on-demand in the case of a security event.

With a solid foundation for security and privacy, UiPath is working towards obtaining industry certifications and accreditations over the next year, which include Veracode continuous for our Cloud Platform, ISO 27001:2013, and ISO 27017, CSA Star and SOC 1 Type 2.

Both the Admin Portal and Analyzer are delivered via a Software-as-a-Service (SaaS) model that’s built and hosted in Microsoft Azure. They all use core Azure services, including compute, storage, networking, SQL database, app configuration, secret storage in Key Vault, and identity and access management. We share the responsibility of protecting your data with Azure and strictly adhere to the guidance they publish.