Privacy

Privacy at UiPath

At UiPath we consider privacy an essential part of the business. This is why we commit to applying one of the strictest privacy standards, the European General Data Protection Regulation (GDPR), across our global operations. GDPR is reflected in UiPath’s intercompany agreements and in UiPath’s global privacy policy available here. Considering GDPR and other privacy and AI related obligations, UiPath has a dedicated team focused on privacy compliance and conducts internal privacy & AI governance assessments before new products and services are released for our customers to use.

To satisfy the customer’s different privacy compliance needs, UiPath offers both on-premises and cloud software. Therefore, the customer can choose to use the UiPath Automation Suite fully on the customer’s own servers or on their own Azure, GCP, AWS infrastructure, without any data going outside the customer’s environment. By implementing GDPR, UiPath also commits to:

  • best industry standards regarding information security as described here

  • privacy by design for all UiPath products as described here

  • imposing similar privacy requirements on its sub-processors. The principles imposed on UiPath sub-processors can be accessed here

  • keeping your data confidential. If you are a Covered Entity or a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA), UiPath will enter into a Business Associate Agreement with you. Please find here details about HIPAA compliance.

If you are a California resident, please note that UiPath does not sell your information, but we might share personal data as described by the Privacy Policy and in compliance with the California Privacy Rights Act (CPRA).

  • What personal data does UiPath process if you are a customer employee?

    If you are a customer employee and if you are using UiPath’s products and services, we will process certain categories of personal data about you as described in our Privacy Policy available here. Therefore, UiPath processes your personal data such as full name, work e-mail, job title or role, requests and interactions, for account provisioning and security, for contract performance, for sending you communications related to the use of our products and services, for support provisioning, for ensuring service quality and as further described in the privacy policy.

    If you want to know more about what personal data we process and why, or if you want to opt out, please fill in this form.

    If you want to delete your user account data or organization data, please make a request here. If you are not the administrator and unique user of your organization, please contact your employer for account removal.

    When you create an account on Marketplace, Customer Portal, Academy or Forum, please check the terms and conditions and privacy policy when signing up.

    What personal data is received by UiPath when you use our cloud products?

    UiPath will process your e-mail for account provisioning and for securing your cloud account.

    If you use personal data with UiPath cloud products, UiPath will be processing data on your behalf and will be considered a data processor under the GDPR. This means that you are the controller and thus, you are in control of the personal data you use with our products.

    More details about the terms which govern the use of the UiPath cloud products can be found here. The Data Processing Agreement, which applies to personal data used with cloud products, is available here.

    To ensure the fair use, security, and reliability of our products, we process information resulting from the use of our products, called telemetry.

    UiPath uses providers such as Cloudflare (content delivery network (CDN) and web application firewall) to ensure the security of communications and prevent network attacks. Data such as IP and region are likely to be stored.

    What telemetry data do we process and why?

    When you use the UiPath cloud products we process the following telemetry types:

    • Operational telemetry, such as: error logs, logs about the health and hardware of our servers, logs about performance to make sure that our products are reliable, functional and that all our customers benefit fairly from our cloud resources.

    • Front-end events representing key actions meant to help us understand and improve the user experience and product interface.

    If you use UiPath Automation Suite, Standalone or other deployment installed on premises, you can opt out of telemetry.

    How will the data used with UiPath products be processed to improve AI model performance and reliability?

    The data you use with our models also helps us refine the model you are using, so you benefit from more accurate predictions and results tailored to your specific needs. As our models learn from a diverse range of data, they become more robust and capable of handling your complex scenarios. Your data contributes to creating more personalized outputs and ensures that the model is up to date. However, you are in control of your data and can decide what is best for you regarding data usage. You can always opt out of model improvement through the agreement. These are UiPath’s own models, deployed on our infrastructure and not third-party LLMs. If you have any questions on this topic, you can always raise a support ticket here: https://www.uipath.com/support.

    Please check the product documentation available here to see how data is processed when you use each UiPath product.

    Where will my data be processed when using cloud products?

    When using Automation Cloud, you can choose where your data is stored as available here. Please read carefully which storage options are available for each product and whether data may transit to other regions when you use generative AI supported features.

    Data sent for support may be processed outside the selected regions as available below, in the sub-processor list. However, you are in control of the data sent for support purposes.

    Please be mindful that if you use UiPath products in Private Preview or Trial, you have restrictions on using personal or sensitive data with the products, according to the terms of use.

    How will data be processed when using generative AI supported features or integrations?

    All the third-party features and integrations can be managed through the AI Trust Layer which allows you to manage and govern the data you use with UiPath supported generative AI features. Therefore, customers benefit from audit dashboards offering visibility over the usage of gen AI, data filtering such as masking and blocking of harmful content and context grounding through Retrieval Augmented Generation (RAG).

    The third-party generative AI features supported by the Automation Cloud platform include Azure OpenAI, Claude 3.5 Sonnet and Gemini. Our contracts with the third parties providing the models restrict the usage of data for training those models.

    To ensure data confidentiality and minimization, Microsoft Azure storage for abuse monitoring purposes is disabled. With Amazon Bedrock, prompts and completions are not stored or logged.

    Does UiPath have access to your production data?

    UiPath maintains strict control over who has access to the production environment and customer data. Access is only granted at the level of least privilege and only after proper justifications are provided and verified. If a team member needs access to resolve an urgent issue or deploy a configuration change, they must apply for "just in time" access to the production service. Access is revoked as soon as the situation is resolved. Access requests and approvals are tracked. If the username and password for one of our developers or operations staff were to be stolen, data is still protected because we use two-factor authentication for all production system access.

    How does UiPath ensure safe personal data transfers between its affiliates or with its sub-processors when cloud products are used?

    To ensure that personal data is protected in accordance with GDPR when shared with its affiliates or with its sub-processors, UiPath uses the following personal data transfer mechanisms:

    • Standard Contractual Clauses as updated and approved by the decisions of the European Commission

    • Data Privacy Framework self-certification mechanism, for personal data transfers from the EEA, UK or Switzerland to the USA

    • Adequacy decisions as adopted by the European Commission

    • UiPath Inc. is an active participant of the Data Privacy Framework. For more information, please click here.

    UiPath has performed a transfer impact assessment to analyze all transfers outside the EEA and implement appropriate measures for safeguarding the data and minimizing any risks. UiPath has a vendor risk management process in place ensuring that all relevant vendors and sub-processors undergo privacy assessments, and that data processing agreements as well as standard contractual clauses are signed whenever personal data is processed and for personal data transfers.

    Will UiPath have access to the personal data you use with the on-premises software?

    Most of our products can be used either on-premises or in the cloud, depending on your specific needs and applicable laws. When you are using the on-premises version of our products, only you will have access to the data used with the product.

    Some of the things you can do to internally secure your data are:

    • Implement an access management system, allowing access only to authorized staff

    • Limit access to the internet on the machines on which the UiPath RPA Platform is installed

    • If you have users accessing the UiPath RPA Platform remotely, ensure a VPN connection

    • Ensure that your network is secure

    • Do not send personal data for support/maintenance purposes; use only anonymized or dummy data for this purpose

    • Make sure that you install the relevant updates to the software

    • Opt-out of telemetry

    Please bear in mind that when you use OCR activities in Studio from third parties, data may be sent and processed by these parties subject to their privacy policies.

    What personal data does UiPath process for support purposes?

    If you have any troubleshooting issues, please reach out here for support. Please be mindful of the fact that UiPath does not require any sensitive data for support purposes and that any screenshot or other information should be first redacted before sending.

    If you install any troubleshooting tools, please make sure that you read the terms of use and privacy policy and that you delete them after the task is completed. Data sent for support will be deleted in one year after ticket closure.

    When you raise a support ticket through the Customer Portal, please make sure to read the Privacy Policy, which informs you how your data will be processed. UiPath Customer Portal is built on Microsoft Azure, and your business contact details will be stored in one or more of the following storage regions: EU, US, Japan, depending on your location, whether you access through VPN or as configured for backup purposes. UiPath requires your business contact details in order to identify you as our customer and to provide you with the support you need. Please check the support terms for more information on how UiPath processes data for support.

    Where can I address a data access or a data deletion request as a customer?

    UiPath products are customizable so that you can change your automation flows and be in control over your data. Depending on the products that you use you may have built-in features to support you. However, if you are a customer and you have trouble with addressing a data subject request, exporting or accessing your data or with deleting your data used with UiPath cloud products, please submit a request here or here and we will swiftly reply.

    What is the UiPath contact for privacy related questions?

    If you have any concern or question about UiPath’s privacy practices, please contact us at privacy@uipath.com.

  • Privacy by design

    UiPath takes privacy really seriously, which is why it looks at privacy by design functionalities before every new product release. The privacy audit is a key component of UiPath’s global privacy compliance program. UiPath products are customizable, which means that you have control over the data used with UiPath cloud products. Depending on the type of product that you use, we offer different functionalities, as described in the product manuals available here, so please make sure that you choose the UiPath products that best fit your compliance needs.

    Please make sure that you comply with your applicable privacy laws when designing the workflows and using the UiPath RPA Platform. If you want your data to stay fully on your infrastructure (machines, private cloud, private network), please use the on-premise UiPath Automation Suite.

    Privacy by design in UiPath software supports the customer with the following:

    • Detailed logging and audit data are available in Orchestrator

    • Access rights can be managed at a granular level in Orchestrator in order to enforce access controls

    • User credentials are encrypted and stored confidentially

    • It allows integration with single sign on authentication based on SAML 2.0

    • Data is encrypted in transit between the robots and Orchestrator

    • By default, passwords must contain 8 characters, including at least one letter and one digit

    Recommendations for Customers using UiPath cloud products:

    • Do not use personal data or sensitive information in design time when designing the workflow

    • Do not use sensitive information with beta releases of UiPath products

    • Configure access rights in Orchestrator on a need to know basis

    • Keep in mind that assets can be edited or removed if they contain personal data

    • Encrypt the connection with an SQL server for an extra layer of protection of data at rest

    • Change your password settings if you want to improve password complexity

    • Enable security alerts

    • Cut access to internet on the machines on which the UiPath Automation Suite is deployed if you use the on-premise products

    • Send only redacted information for support purposes

    • Opt out of product improvement if you have stringent privacy obligations

    • Configure access to gen AI supported features in line with your compliance needs

    • Inform your employees to avoid using sensitive data in prompts

    • Inform your employees and data subjects regarding how data is processed with UiPath cloud products

    • Check here for more security practices

  • Privacy principles for UiPath Sub-processors

    Scope and principles

    UiPath respects core data protection principles and laws. In order to ensure a high level of data protection, an intra-companies agreement sets the standard for personal data transfer and handling, in accordance with the EU data protection rules.

    Processing of personal data

    UiPath sub-processors must comply with the instructions provided by UiPath and with the EU data protection legislation. The purpose and the categories of personal data processed are defined and specified in the data processing agreements together with the processing activities. No personal data shall be processed without a legal basis. Every processing agreement establishes how the rights of the data subjects will be observed and implemented.

    Personal data trans-border transfers

    Personal data trans-border transfers outside the UiPath group of companies are allowed only if an adequate level of personal data protection is ensured, either by signing standard contractual clauses, by having in place binding corporate rules, codes of conduct or certification mechanisms.

    Audits and inspections

    UiPath has the right to conduct inspections and audits on its sub-processors for the part of the business involving UiPath data. Alternatively, UiPath sub-processors will present recognized audit reports conducted by professional third parties, such as ISO 27001 or SOC II reports, at least once a year. UiPath has a vendor privacy & security assessment framework and imposes high industry standards on its sub-processors with access to customer data.

    Cooperation

    UiPath sub-processors shall cooperate in carrying out any data protection impact assessment and for addressing any requests from the data subjects or from the competent authorities.

    Security of personal data

    The security of personal data is ensured by establishing appropriate security measures in line with the risk of the processing activities. UiPath sub-processors must notify, without undue delay, any personal data breach at security.breach@uipath.com. The processing of personal data shall be done only by authorized personnel bound by confidentiality duties.

  • UiPath Sub-processors

    UiPath uses sub-processors for performing its business operations. All sub-processors used by UiPath are bound by contractual agreements, which include confidentiality and security obligations, to comply with applicable privacy laws and mainly with the GDPR. The list below is a list of the sub-processors used in connection with UiPath’s cloud products and will be updated from time to time. UiPath will notify you of the changes if you use cloud products.

    Download the UiPath Sub-processors list.

    The previous version dated Feb. 24, 2023 can be found here.

  • UiPath Group Entities

    Your contract is likely to be concluded with:

    • UiPath Inc., which is self-certified to the EU-US Data Privacy Framework.

    • UiPath SRL, based in Europe and subject to GDPR.

    • UiPath affiliates which process personal data for support purposes are from the following countries: Canada, Romania, USA, India, China (for China), Japan (for Japan), Republic of Korea, Australia, France, Germany, Singapore, UK.

  • Data Processing Agreement

    Download the Data Processing Agreement: English, Japanese (*).

    (*) The Japanese version applies to Japanese customers which have signed or otherwise accepted a license agreement with UiPath KK.

    Read the UiPath legal terms to find out more about the principles guiding your relationship with UiPath.
