AI Computer Vision topic / security and GPDR concerns

AI Computer Vision topic / security and GPDR concerns

  1. How is clipboard data handled? Is it taken out of Citrix client environment?
  •  No, the clipboard data always remains on the Citrix client. If “clipboard” is set, UiPath uses the shared client clipboard to get the data from the remote machine, and then cleanup/restore the clipboard.
 
2. Is there any information that is shared with UiPath servers for AI Computer Vision to work?
  • Yes. By default, the UI screenshots are sent to the UiPath Computer Vision server for analysis. But if needed, it can also be deployed the Computer Vision server locally
 
3. Is there any documentation around data security with respect to AI Computer Vision?
  • UiPath doesn't have a client-facing page about that, but here's below few important concepts:
    • Everything is encrypted at transit and at rest
    • AI Computer Vision (component product of UiPAth) is GDPR compliant
    • It is used a very strict access control for all stored data, azure subscriptions, etc.
    • Regularly are being performed penetration tests and code scanning
 
4. Is AI Computer Vision able to process data compliant to the Article 28 GDPR (ADV-Auftragsdatenverarbeitung)
  •  Yes

5. Does AI Computer Vision store personal data within European data centers?
  •  Yes

6. Are there any generally used master data records used across tenants and customers using UiPath (public) cloud environment (e.g. in a marketplace context)?
  •  No

7. By using your AI Computer Vision as a cloud service, which kind of local programs must be installed locally to achieve full functionality of the cloud service?
  •  Studio & Robot

8. Is there implemented any backup and recovery concept within the cloud service?
  •  Yes, it is being used the redundancy provided by the cloud provider

9. How are handled the preparations against cybersecurity attacks?
  •  Periodic security scans, penetretion tests, security assessments performed by the product security team. Infrastructure level security center rules for monitoring and alarming.

10. Is there being used any firewall, proxy server, DMZ and/ or any other functionalities for protecting cloud service against external attacks?
  •  Yes (Cloudflare + UiPath own proxy server)

11. Who does from UiPath organization have access to the customers data?
  • Only need-to roles have access to data, and a strict access control protocol is used to add users to the list. Currently around 7-8 users have access: product, dev, research. Clearly defined list of operators in charge with tagging data. Infrastructure and operations administrators, for break glass scenarios.

12. In which countries are the supporters located: Germany, EU or outside EU?
 - EU

13. Which kind of encryption is implemented for customer data (user credentials, confidential data, etc.) stored by UiPath?
  •  Our product does not store user credentials. For other customer data, UiPath is using AES 256 symmetric encryption (as provided by the cloud provider)

14. Does the project schedule include a penetration test?
  •  Yes

16. Is there any security concept for UiPath?
  •  Yes

17. Does UiPath have any security incident process internally in place?
  •  Yes

18. Is UiPath able to implement customer specific SLA’s within cloud service?
  •  Not Applicable, UiPath has global SLAs implemented

19. How many administrative/support accesses are present on UiPath side?
  •  One administrative + one back-up (break glass scenarios) + (number of people with access to viewer as support roles)

20. Which party is responsible for user access management?
  •  User as in users at infra/service level, or UiPath end users

21. Which party is responsible for user authorization (role) management?
  •  User as in users at infra/service level, or our end users

22. Is there implemented any virus protection inside UiPath product service?
  •  yes, Cloud provider level

24. Are there any down-times during release upgrade or is the upgrade - from customer point of view - a no-event?
  • there are no down-times
 
Regarding Intelligent OCR GDPR/ security perspective:
  • if is being used Digitize Document with OmniPage OCR, for getting text out of files, nothing leaves the robot machine.
  • if is being used data extraction with the FleciCapture Extractor, again, nothing leaves robot machine.
  • the only things moving document outside the robot are cloud OCR engines and the machine learning extractor.
  • if using any Cloud OCR engine, the engines corresponding terms apply as per below topic "What happens to data"
"What happens to data"
The short version: the analysis is done on UiPath cloud or on client's on-prem servers. UiPath only stores data from internally used server, that has been actually seen and indicated by a user. No runtime/robot data is stored.
Detailed version:
  • On prem / private cloud
  • open networks – no data leaves the company premises, except the submitted issues, performed by the user in order to fix a client specific problem. 
  • closed networks – no data leaves the company premises
  • On UiPath cloud
  • screenshots of the automated interfaces are processed on UiPath cloud servers, hosted in azure. 
  • additionally, design-time only (Studio) screenshots* may be stored (for up to 5 years), in order to improve the model. Production (robot) data is never stored.
  • UiPath receives and stores user-reported issues for the purpose of fixing specific problems.