UiPath goes to great lengths to ensure that data related to your RPA projects remains safe and secure, without exception. When using UiPath Task Mining, your data benefits from multiple layers of security and governance technologies, operational practices, and compliance policies that UiPath enforces.
UiPath Task Mining consists of four main components: the Client App, Data Preprocessor, Analyzer, and Admin Portal. Together, these components run studies on the tasks performed by users in your environment. From these studies, UiPath Task Mining identifies a list of tasks that are good candidates for automation and produces a detailed process map for the tasks. These studies are controlled by your system administrator, and the data collected during the studies is encrypted to ensure your users’ privacy is not violated.
Before delving into the details surrounding UiPath’s approach to security, privacy, and compliance in our cloud, please check the Application Hosting Model page.
The Admin Portal and Analyzer are delivered via a Software-as-a-Service (SaaS) model that’s built and hosted in Microsoft Azure. Both use core Azure services, including compute, storage, networking, SQL database, app configuration, secret storage in Key Vault, and identity and access management.
This allows us to focus on the unique aspects of running UiPath’s services while taking advantage of, and building upon, Azure’s state-of-the-art capabilities in security, privacy, and compliance. We also utilize the industry certifications available through Azure.
At UiPath, we share the responsibility of protecting your data with Azure and strictly adhere to the guidance they publish.
We encrypt all customer data at rest in any data store that is part of our service. For example, we use transparent data encryption in SQL databases.
All data is transmitted over protected channels, whether it travels over the Internet or within our internal service components.
We support account creation in our Cloud Platform using a variety of identity service providers, such as Google, Microsoft, and LinkedIn, as well as through native accounts. Post account creation, our services manage a given user’s access rights using application-managed, role-based access control checks.
Data from each tenant is logically separated from others in our service so that we can enforce access and authorization controls for all tenants as they access data inside our service.
UiPath collects two categories of data from users to operate and improve UiPath Task Mining Services:
- Customer data: Includes user-identifiable transactional and interactional data that we need to operate the service and to manage your contract with UiPath
- System-generated logs: Includes service-usage data that may be aggregated and contain pieces of customer data
From a GDPR standpoint, UiPath is considered a data processor. As such, we honor all obligations of a data processor by providing customers with full control over their data, in accordance with the product architecture and implementation.
We have ensured that we can export all of your data for you upon request. Should you close your account with UiPath Task Mining, or otherwise request data deletion, we delete that data from our systems after the requisite 30-day soft-delete period.
We know our customers care deeply about data location. As of Feb 2021, we support two separate server regions: West Europe and Australia. We serve all content, and store all data, for the user in the region that matches the paid user’s location and sovereignty requirements. We may add further regions as our customer base grows.
UiPath addresses the following aspects of security and compliance in order to help prevent breaches and uphold the highest standards for data security, privacy, and availability:
UiPath Task Mining uses Azure's Platform-as-a-Service (PaaS) offering for much of its infrastructure. PaaS automatically provides regular updates for known security vulnerabilities.
UiPath security and development teams work hand in hand to address security threats throughout the development process of UiPath Task Mining.
Teams perform threat modeling during service design. They adhere to design and code best practices and verify security in the final product using a multi-pronged approach that leverages internally built tools, commercial static and dynamic analysis tools, internal penetration testing, and external bug bounty programs.
We also monitor vulnerabilities introduced in our codebase through third-party libraries and minimize our dependency on these libraries and corresponding exposure. Because the security landscape is continually changing, our teams stay current with the latest in best practices. We also enforce annual training requirements for all engineers and operations personnel working on UiPath cloud services.
Ensuring that UiPath’s Task Mining services are available so you can access your organization’s assets is of the utmost importance to us. That is why we rely on Azure’s backup mechanism and practice data recovery.
We employ other fail-safes to help ensure availability. A malicious distributed denial-of-service (DDoS) attack, for example, could affect UiPath Task Mining service availability. Azure has a DDoS defense system that helps prevent attacks against our service. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits.
The system is designed to withstand attacks not only from the outside but also from within Azure.
We emulate adversarial tactics on our services and underlying infrastructure using internal red teams.
The goal is to identify real-world vulnerabilities, configuration errors, and other security gaps in a controlled manner so that we can test the effectiveness of our prevention, detection, and response capabilities.
We strive to minimize the attack surface of our services and go to great lengths to reduce the probability of a data breach ever occurring. Nevertheless, security incidents can still happen.
In the event of a breach, we use security response plans to minimize data leakage, loss, or corruption. We provide transparency to our customers throughout the incident. Our 24x7 SRE and Security team is always on hand to rapidly identify the issue and engage the necessary development team resources to contain the impact of the incident.
Once the team has contained an issue, our security incident management process continues as we identify the root cause and track the necessary changes to ensure we prevent similar issues in the future.
We maintain strict control over who has access to our production environment and customer data.
Access is only granted at the level of least privilege required and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service.
Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operations staff were ever stolen, data would still be protected because we use two-factor authentication for all production system access.
Secrets that we use to manage and maintain the service, such as encryption keys, are managed, stored, and transmitted securely through the Azure Management Portal.
All secrets are rotated on a regular cadence and can be rotated on-demand in the case of a security event.
With a solid foundation for security and privacy, UiPath is working towards obtaining industry certifications and accreditations over the next year, including Veracode continuous for our Cloud Platform, ISO 27001:2013, ISO 27017, CSA STAR, SOC 1 Type 2, and SOC 2 Type 2.