Cloud Security FAQ - Encryption

What encryption, standards and testing mechanisms ensure security in the Cloud?

Encryption

  • What Encryption standards are deployed?

All database storage uses AES-CBC with 256-bit keys, or 128-bit keys where 256-bit is not available. Data in transit uses RSA 2048-bit keys with a 90-day rotation.

Communication between external systems and the UiPath Cloud RPA platform is protected with ECDSA_P256 keys and a SHA256ECDSA certificate signature, a 6-month rotation, and accepts TLS 1.1 and TLS 1.2. Communication between services within the cloud platform uses RSA 2048 keys with a SHA256RSA signature, a 90-day rotation, and accepts only TLS 1.2.
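
The external-endpoint policy stated above (ECDSA_P256 key, SHA256ECDSA signature, 6-month rotation) can be verified against the certificate a server actually presents. The following Go program is an added example, not UiPath's code; it assumes a 183-day approximation of six months and a hypothetical SelfSignedP256 helper that generates a constructed test certificate in place of one fetched from a live endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// maxCertLifetime approximates the FAQ's 6-month rotation (assumption: 183 days).
const maxCertLifetime = 183 * 24 * time.Hour

// CheckExternalCertPolicy checks the FAQ's external-endpoint policy: P-256 key, SHA256-ECDSA signature, lifetime within 6 months.
func CheckExternalCertPolicy(cert *x509.Certificate) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().Name != "P-256" {
		return fmt.Errorf("public key is not ECDSA P-256")
	}
	if cert.SignatureAlgorithm != x509.ECDSAWithSHA256 {
		return fmt.Errorf("signature algorithm %v is not SHA256-ECDSA", cert.SignatureAlgorithm)
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > maxCertLifetime {
		return fmt.Errorf("validity of %v exceeds the 6-month rotation", lifetime)
	}
	return nil
}

// SelfSignedP256 is a hypothetical helper that builds a constructed self-signed P-256 test
// certificate; Go selects ECDSAWithSHA256 automatically for a P-256 signing key.
func SelfSignedP256(lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := SelfSignedP256(180 * 24 * time.Hour) // within the rotation window
	fmt.Println("policy check:", CheckExternalCertPolicy(cert)) // <nil>
}
```

Certificates taken from a live connection (the PeerCertificates field of a tls.ConnectionState) can be passed to the same check.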
 

  • What key management tools and procedures are in place?

Keys are managed with Azure Key Vault, Cloudflare, and Azure App Certificate Service. All keys are stored in a key vault dedicated to the customer.
 

Standards, Certifications and Testing

  • What Security Standards is the service compliant with?

The UiPath Cloud platform is currently in the process of attaining ISO 27001 Certification, followed by SOC2 certification.

  • Is the UiPath Cloud GDPR compliant?

Yes. UiPath does not collect PII by default and is considered a data processor under the GDPR. All data is encrypted in transit. UiPath supplies cryptographic activities to encrypt data in use and at rest. Additionally, role-based access controls allow customers to control who has access to any data that a customer may choose to store in Orchestrator tenants. Developers can also mark any action in an automation as private to prevent logging of sensitive data.

  • Is the UiPath Cloud HIPAA compliant?

Yes. All data is encrypted in transit. UiPath supplies cryptographic activities to encrypt data in use and at rest. Additionally, role-based access controls allow customers to control who has access to any data that a customer may choose to store in Orchestrator tenants. Developers can also mark any action in an automation as private to prevent logging of sensitive data.

  • Is the UiPath Cloud PCI compliant?

Yes. UiPath software is not a direct processor of credit or debit card transactions. Because the platform could still take part in financial business processes, all data is encrypted in transit. UiPath supplies cryptographic activities to encrypt data in use and at rest. Additionally, role-based access controls allow customers to control who has access to any data that a customer may choose to store in Orchestrator tenants. Developers can also mark any action in an automation as private to prevent logging of sensitive data.

  • Does UiPath undertake proactive vulnerability scanning?

Yes. Source code analysis and internal scanning are performed with FOSSA, Burp, and Veracode. External scanning is also performed with Burp and Veracode. Additionally, UiPath employs in-house, red-team-style penetration testers. Scanning is performed before every release at a minimum. A letter of attestation will be made available following formal penetration testing as the cloud platform approaches GA release. A letter is currently available for UiPath's core platform.

  • How are the system and underlying platform updated?

UiPath leverages Microsoft Azure PaaS, ensuring that the operating system and software supporting UiPath technology are always up to date. UiPath software is updated on a monthly basis at minimum. Security vulnerabilities or other issues that significantly impact the confidentiality, integrity, or availability of the platform are patched out of band, as soon as a fix is available. Notifications of planned maintenance are sent through https://status.uipath.com.

  • Do datacenters have 24/7 security and monitoring, and are background checks performed on personnel?

These services are provided by Microsoft Azure; see https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security for their description.

  • Is data stored in industry-standard formats?

Yes. All data is stored in standard formats.

  • How frequently will compliance audits be conducted?

Audits will be conducted annually at a minimum. UiPath will perform the first SOC2 Audit following the completion of ISO 27001 certification for the cloud platform.

  • Does UiPath work with Veracode for certification?

Yes, UiPath works with Veracode to provide continuous certification for all products.

Revision  Date       Notes                                   Name
V1.2      3/10/2020  Updates and Corrections to SSO options  KM, GA
V1.1      1/13/2020  Update for M50                          KM
V1        11/6/2019  Initial Version                         KM, GA, TM