UiPath Information Security Exhibit Instructions

June 9, 2024
UiPath


Information Security Exhibit

Data security sits at the foundation of product development at UiPath (hereinafter, “UiPath”). This Information Security Exhibit (the “Exhibit”) sets out the organizational policies and controls in effect at UiPath that are aimed at maintaining the confidentiality, integrity, and availability of Customer Data used with UiPath products or services (hereinafter, the “Software”). Unless defined herein, capitalized terms have the meaning given to them in the applicable Agreement.

Defined Terms.

Terms defined in this Exhibit shall have the meaning assigned to them below:
a. “Agreement” means the agreement validly executed between UiPath and the Customer with respect to access to, and use of, paid Software and/or Services, and incorporates this Exhibit, and the collection of documents and policies made available and amended by UiPath from time to time on the Trust Portal at uipath.com/legal/trustand-security (or successor website).
b. “Cloud Software” means Software provided as a service to the Customer.
c. “Customer” means the entity using paid Software and/or Services under an Agreement.
d. “Customer Data” means any data, information, and proprietary Customer content created prior to or independently from any Customer interaction with the Software and imported into the Software, or accessed by UiPath in connection with, or for the purpose of, provision of any Services. Customer Data may contain Personal Data.
e. “Documentation” means the official guides for Software, as made available on the Trust Portal.
f. “On-Premises Software” means Software deployed on Customer premises.
g. “Personal Data” means (i) information related to an identified or identifiable natural person as defined by, as applicable, Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws (“PII”), (ii) protected health information, as regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (“PHI”), and (iii) cardholder data (“CHD”) and/or sensitive authentication data (“SAD”), as defined by the Payment Card Industry Data Security Standard (“PCI DSS”).
h. “Services” means professional services specified in an Order, excluding Support.
i. “Software” means software products developed by or for UiPath and/or its Affiliates and licensed to Customer as specified in accepted orders, which may be provided as “Cloud Software” or “On-Premises Software”, and excludes Third-Party Services.
j. “Support” means maintenance and service, applicable to the Software during the License Term as provided in the support terms available on the Trust Portal.
k. “Third-Party Services” means the cloud applications, cloud service endpoints, data services, software, application programming interfaces, and content of third parties which may be accessed using the Software or Services.
l. “UiPath Internal Policies” means the collection of policies maintained by UiPath with respect to confidentiality, information security, and intellectual property protection.

Scope

This Exhibit highlights the security measures maintained by UiPath with respect to its internal infrastructure and its Software that could have an impact on the confidentiality, integrity, and availability of Customer Data. This Exhibit does not cover any standards maintained by providers of Third-Party Services, and, unless otherwise expressly set out in this Exhibit, UiPath does not make any commitment in respect of Third-Party Services.
Information on the standard security requirements imposed on vendors that have access to Customer Data can be found at https://www.uipath.com/assets/downloads/cybersecurityrequirements.

Security Certifications and Attestations

UiPath recognizes the importance of implementing appropriate technical and organizational security measures and adequate security controls to prevent any unauthorized access, disclosure, alteration, or destruction of Customer Data. UiPath maintains a comprehensive information security management system and engages independent auditors to provide industry standard certifications and attestations. Further information is available on the Trust Portal, or upon Customer request. A list of certifications and attestations is available below, and further information on the Software in scope is available on the Trust Portal, or upon Customer request:
a. ISO/IEC 27001 certification
b. SOC 2 Type 2 and SOC 2 Type 1 attestations
c. Cyber Essentials Plus certification
d. Veracode Verified Continuous attestation
UiPath is constantly working to improve its quality and security standards and maintains an internal roadmap of certifications and standards relevant and adequate for the industry in which UiPath operates. During the term of the Agreement, UiPath shall not modify the level of security measures provided in this Exhibit so as to decrease the capabilities, functionality, or operation of the Software.
UiPath shall also comply with the controls in, and maintain, an ISO/IEC 27001 certification, providing that certification and a copy of the corresponding statement of applicability (SOA) to Customer upon written request.

Product Security

Product Development Practices
UiPath follows a secure software development lifecycle (SDLC) for developing products. The secure SDLC process is enforced for every release and includes code reviews, threat modeling during service design and security assessments such as static and dynamic code analysis, open-source software assessments, manual penetration testing, and bug bounty programs.
UiPath shall document change control procedures to manage changes to information systems, supporting infrastructure and facilities. Prior to implementing any changes, UiPath shall (1) establish acceptance criteria for production change approval and implementation; and (2) require stakeholder approval prior to change implementation as applicable.
UiPath shall test system and application changes, including relevant security controls as applicable. System and application changes must meet defined acceptance criteria prior to implementation.
Additionally, UiPath shall restrict and track personnel access to program source code and require developers to periodically attend secure system development training.
Cryptographic Controls
An important part of UiPath security strategy is encryption, aimed to prevent information from being accessed unlawfully. Customer Data is encrypted at rest in any data store that is part of the Software. Customer Data is transmitted over protected channels, whether it travels over the Internet or within UiPath’s internal service components. Customer has the flexibility to configure the encryption of certain installed Software, as detailed in the relevant Documentation.
Only industry-standard algorithms for encryption and key strength that are approved by UiPath engineering and IT departments are used to encrypt UiPath data and assets used in production or business use-cases. UiPath uses encryption to protect UiPath and Customer or third-party non-public data in transit across public networks.
Additionally, encryption is used to protect UiPath and Customer or other third-party data at rest over which UiPath has custodianship. UiPath uses known Certificate Authorities for the issuance of public key certificates. Keys have defined activation and deactivation dates so they can only be used for a limited period, and they are protected from modification, loss, destruction, and unauthorized disclosure during their lifecycle (use, storage, and handling).

Network Security and Operations
All web services offered as part of the Software are TLS-enabled (TLS 1.2 or higher).
Intrusion prevention and detection systems and firewalls are in place to protect UiPath’s network infrastructure supporting the Software. Separation of test, development and production environments is ensured. Regular backups of essential business information are maintained through cloud providers for Cloud Software. An appropriate backup cycle is used and documented. Event logs recording user activities, exceptions, faults, and information security events are produced, kept, and regularly reviewed.
Information about technical vulnerabilities of the information systems in use is assessed in a timely fashion, and appropriate measures are taken to address the associated risk in line with the organization’s exposure to such vulnerabilities.
Software Access Controls
UiPath has built access control features into its Software which the Customer can utilize to provision, de-provision and authorize its own users. Details can be found in the relevant Documentation.
Access to Customer Data
UiPath does not have access to Customer Data used by the Customer with On-Premises Software, unless access is expressly granted by the Customer.
UiPath personnel may have access to Customer Data used by the Customer with Cloud Software solely for the purpose of fulfilling UiPath’s rights and obligations under the Agreement. UiPath leverages privileged identity management (“PIM”) to minimize the granting of access by UiPath personnel to Customer Data in Cloud Software. UiPath personnel who need to edit system resources, or access or modify Customer Data, must use PIM to temporarily raise their access level. PIM requests must be accompanied by an adequate reason for access and are subject to approval by UiPath authorized reviewers. Activity conducted while using PIM is logged and recorded.
Unless otherwise agreed, UiPath shall restrict third party access to Customer Data.
Tenant Data Segregation
Data at rest from each tenant of the Cloud Software is logically segregated. UiPath provides the necessary mechanisms to enable tenants to enforce access and authorization controls for users, as they access data inside the Software.
Customer Data Hosting
As part of the Software, UiPath may use third-party service providers which may have access to Customer Data, as sub-processors of UiPath. UiPath maintains the list of sub-processors on the Trust Portal.
Customer Data and Personal Data uploaded by the Customer in the Software will be hosted in the region(s) evidenced in the Sub-processor list. Where technically implemented in a particular Software component, the Customer may configure the hosting location of the Customer Data used therein, provided however that back-ups may have different configurations.
Customer Data Back-ups
Regular back-ups of Customer Data in Cloud Software are performed automatically by UiPath’s underlying infrastructure as a service/platform as a service (IaaS/PaaS) provider. Each backup is stored in multiple locations to ensure resiliency.
Customer may notify UiPath in writing, with sufficient advance notice, to obtain the available backup records stored by UiPath in order to review any record of system activity related to Customer Data.

Customer Data Retention
As a rule, Customer Data is kept for the duration of the Agreement. Following termination of the Agreement and upon express written instructions from the Customer, UiPath will ensure that the Customer Data will be, as requested by the Customer in the timeframe specified by the applicable law, deleted, or returned to the Customer either manually or, if technically available, via direct export from the relevant Cloud Software.
Logs Information
Logging capabilities are built into the Software, which the Customer can enable to capture informational events, error, and warning messages relevant to the application as well as audit trails for actions performed. Details can be found in the Documentation.
UiPath enables operational logs and security logs of activity in Cloud Software. Operational logs are used for monitoring uptime and availability of infrastructure and Cloud Software. Security logs are used for identifying security incidents, policy violations, fraudulent activity, auditing, and forensic analysis, supporting investigations, establishing baselines, and identifying trends and potential long-term problems.
UiPath shall generate administrator and event logs for systems and applications that store, allow access to, or process Customer Data. The administrator and event logs shall be archived for a minimum of 180 calendar days.
Personal Data Protection
UiPath takes Personal Data protection very seriously and encourages Customers to minimize the use of Personal Data with Cloud Software, in line with the principles of the applicable legislation. Further rights and obligations between UiPath and Customer with respect to protection of Personal Data as part of Customer Data will be governed by appropriate data protection agreements executed between the Parties in accordance with GDPR and any applicable legislation.
Though UiPath is committed to making its operating environment as compliant as possible, some Software components might not meet all requirements of industry standards such as PCI DSS or HIPAA. UiPath expressly prohibits Customers from using cardholder data (CHD), sensitive authentication data (SAD), protected health information (PHI), or any other specifically regulated information with Cloud Software, except where UiPath has expressly instructed otherwise in the Documentation, or by updates to this Exhibit or the Trust Portal. Nonetheless, the Customer is ultimately responsible for deciding whether the Software can be used in accordance with the laws, rules, and regulations applicable to Customer’s operations.
UiPath, in its capacity as data controller, makes available a process for data subject access requests, as required by the GDPR, available on the Trust Portal. UiPath will notify the Customer without undue delay of any data subject requests which UiPath in its capacity as data processor may receive but to which the Customer in its capacity as data controller must respond.
As a controller, UiPath processes Personal Data in accordance with its Privacy Policy available on the Trust Portal.
Malware
UiPath performs regular testing of first party and third-party code included in Software.
UiPath deploys, maintains, and updates anti-malware protection within its operating environment and on corporate computing resources.

Vulnerabilities Management
Vulnerabilities identified in the Software are mapped to industry standard Common Vulnerability Scoring System (CVSS) methodology (i.e., critical, high, medium, and low). Identified vulnerabilities shall be remediated in a timely manner within internally defined timeframes.
Regular testing is also performed directly against Software and UiPath has a bug bounty program that aims to leverage the expertise of the ethical hacker community to find vulnerabilities in Software and surrounding ecosystem to keep Customers’ use of the Software safe from malicious activities.
UiPath shall perform annual penetration testing for Cloud Software systems and applications that process Customer Data, including after significant system and application changes. UiPath shall implement a patch and vulnerability management process to identify, report, and remediate application and system vulnerabilities that is approved by the application or system owner and is commensurate with the level of risk by (a) performing code and Cloud Software vulnerability scans on a regular basis and during any major system or application updates; (b) implementing vendor patches or fixes; and (c) developing a risk treatment plan to address identified vulnerabilities.

Internal Security Practices

Access Controls
UiPath employees are granted logical access to business resources that they have been specifically authorized to use in accordance with defined access control policies and processes. The access rights are granted as appropriate for employees to conduct their duties and adjusted upon a change in role and are removed upon termination of employment.
Application owners shall review user access rights for appropriateness on a quarterly basis and shall immediately revoke inappropriate or unauthorized access upon detection.
UiPath employs a strong password policy, along with single sign-on on all enterprise applications and systems. For Customer end user authentication, UiPath shall support authentication as described in applicable public user documentation: https://docs.uipath.com/automation-suite/docs/about-accounts and https://docs.uipath.com/automation-cloud/docs/about-accounts. Users are required by policy to maintain the confidentiality of their passwords and change them periodically.
Users’ logical access to business applications is controlled and logged. UiPath has logging enabled for log-on activities on systems and generates alerts for unusual log-on behavior.
Owners of critical business systems and applications grant, review, and remove users’ logical access to business systems, based on the principles of least privilege and segregation of duties.
With respect to privileged user accounts, UiPath shall (a) restrict access to personnel with clear business needs; (b) provision accounts solely for the duration needed to complete the necessary task, (c) capture and periodically review system logs, and (d) enable access using multi-factor authentication.
Risk Management
UiPath has a risk management process in place designed to reduce the risks to an acceptable level. Risk assessments are conducted at least annually and identified risks are mitigated according to severity and business priorities.
Physical Security
Physical security measures are designed to prevent unauthorized physical access to, or damage caused by physical and environmental threats to, UiPath’s employees, premises, system and network devices and information, or interruptions to the organization’s activities. The level of security measures, policies and procedures implemented is commensurate with the legal, regulatory, or contractual requirements associated with each facility. Access to premises is monitored through access controls, such as individual badges and video surveillance, as permitted by the applicable law. Asset movement controls are in place and the buildings are protected against seismic, flood and similar risks.
UiPath has a “no-paper” policy and, except as required by applicable law, aims to use electronic records and documents. UiPath has a clear desk and clear screen policy.

Asset Management
UiPath’s information assets are protected throughout the information lifecycle, including entry into UiPath’s systems, secure data transmission, and appropriate data access, storage, retention, and disposal. UiPath information assets are appropriately classified in terms of value, legal and contractual requirements to enable employees to handle them appropriately.
UiPath requires its employees and contractors to comply with a set of security measures when handling UiPath devices and information. Each UiPath asset holding confidential information has an identified asset owner and is kept in an inventory that covers the entire lifecycle from purchase to disposal. Employees are required to return all equipment upon termination of employment.
UiPath shall implement and document system hardening procedures and baseline configurations, and these baselines shall not include unsupported software or hardware.
Disposal and Destruction of Data and IT Equipment
UiPath has controls in place to mitigate the risk of improper and unsecure disposal and destruction of data, technology equipment and components owned by UiPath, including over-writing, or physically destroying removable media, erasing, or destroying mobile devices and securely erasing storage space allocated by cloud services, according to the cloud provider’s methodology.
UiPath maintains policies in place restricting the storage of Customer Data locally, on the employees’ devices or on removable media.
Mobile Devices and Teleworking
UiPath maintains adequate policies on teleworking and the access of Customer Data from remote devices. Corporate devices with access to Customer Data are adequately protected. Users are allowed to use their personal devices to access UiPath business resources under a limited policy restricting and controlling users’ responsibilities and access to Customer Data.
UiPath applies security measures on employee devices, including by:
a. requiring a multi-factor authentication access control mechanism to give full access to Customer Data.
b. applying security patches to applications and system software bearing Customer Data in line with vendor recommendations.
c. authorizing business applications before having access to Customer Data.
Human Resources Security
UiPath may perform background checks prior to employment, solely as permitted under applicable law.
UiPath ensures that employees agree to terms and conditions concerning confidentiality and information security appropriate to the nature and extent of access they will have to the organization’s assets and that go beyond the duration of the employment period.
Responsibilities regarding information security are communicated to UiPath employees, and they are informed that disciplinary actions can be taken against them for violations of policies and procedures.

Vendor Risk Management
UiPath maintains a vendor risk management program through which it assesses and manages the risks assumed by the nature of relationships with vendors and contractors that receive, store, process, or host UiPath data or have access to UiPath network and systems.
UiPath checks the security measures of its critical vendors and has a policy to enter into data protection agreements seeking to ensure that at least the same level of confidentiality and data security is implemented by its subcontractors as the ones applicable to UiPath.
UiPath strives to maintain the right to perform audits to monitor the compliance of its sub-contractors with the agreed technical and organizational measures regarding data confidentiality and security.

Incident Management and Business Continuity

UiPath is committed to complying with contractual and legal obligations for the protection of Customer Data. UiPath has designed processes to respond to security and operational incidents without undue delay, to minimize risks and ensure availability of information systems.
To respond to incidents effectively and in a timely manner, UiPath incident management teams take the necessary actions to contain the threat, eradicate the source of the incident, and restore the affected systems, information, and data.
Incident responders track incident root causes and lessons learned in the incident management system and propose continuous improvements to system and data owners.
UiPath utilizes a decentralized office approach, and employees and contractors are not dependent on specific office locations to perform their duties. Data processing environments maintain redundancy to meet availability requirements. Systems are built with failovers within availability zones. Data availability and continuity of service are ensured by using reputable cloud service providers.
UiPath shall implement a formally documented incident management policy that includes (a) a reporting mechanism for suspected incidents and events affecting the security of Customer Data, including the reporting of suspected unauthorized or unlawful access, disclosure, loss, alteration and destruction of Customer Data; (b) procedures for notification to relevant authorities as required by applicable law and to the Customer; and (c) procedures for forensic investigation of a security incident.
UiPath and its sub-processors shall implement, install and maintain the following environmental controls to protect personnel and equipment used to process or store Customer Data: (a) fire suppression systems; (b) temperature and humidity controls within a data center or server room environment; (c) arrangements with authorities for active response to civil unrest or natural disasters; and (d) backup power technology (e.g., uninterruptible power supply, diesel generator, separate grid connection, etc.).
UiPath shall perform an environmental risk assessment before processing any Customer Data, which shall include an assessment of the threats of natural and man-made disasters. UiPath shall implement appropriate physical protections for facilities storing Customer Data, taking into account the results of the environmental Risk Assessment, the availability of state-of-the-art technology, and the costs of implementing those measures.
UiPath shall perform business continuity risk assessments to determine relevant risks, threats, the likelihood of a service outage or security breach, the impacts of a service outage or security breach, and the controls and procedures required to secure Customer Data. Based on risk assessment results, UiPath shall document, implement, annually test and review business continuity and disaster recovery plans to validate the ability to restore availability and access to Customer Data in a timely manner in the event of a service outage or data breach (a “BCDR Plan”). In its business continuity and disaster recovery plan, UiPath shall include (a) availability requirements for the Customer, specifying critical systems; (b) UiPath internally agreed recovery point objective (RPO) and recovery time objective (RTO); (c) clearly defined roles and responsibilities; (d) provisions for a geographically separate site subject to physical and environmental controls; and (e) backup and restoration procedures that include sanitation, disposal, or destruction of data stored at the alternate site.
Following each Disaster, after the Cloud Software has been fully restored, UiPath shall conduct a root cause analysis and provide to Customer a summary report that describes, at a minimum, (i) the cause or causes of the Disaster, (ii) efforts taken to mitigate the consequences and resolve the Disaster, and (iii) the remedial actions to be implemented by UiPath in order to avoid future Disasters.

Awareness and Training

UiPath maintains an annual internal training program to educate its employees with respect to UiPath information security and compliance-related policies. Employees are informed of the requirements for acceptable use of UiPath’s resources, in order to mitigate the risk of unauthorized access to UiPath equipment, as well as unauthorized use and modification of information assets.
UiPath shall train employees on information security upon hire and annually thereafter. UiPath shall update that training to include changes in its organizational policies and procedures and shall address (a) employees’ specific job functions; (b) disciplinary actions when Personnel commit or cause a suspected or actual Data Breach, and (c) specific training for the processing of personal data in accordance with applicable Data Protection Laws.

Policy Monitoring, Testing and Reviewing

UiPath reviews policies at least annually and updates as needed to ensure that policies comply with changes in law, common industry standards, organizational practices, and contractual obligations and that they are appropriate to the risks faced by UiPath.

Customer Assessment

UiPath shall promptly review and complete any justified Customer security questionnaire. UiPath shall make relevant documentation, reports, and evidence available for review upon Customer’s written justified request.
Without the need for confidentiality measures, Customer may share the results of any audit, report, or test under this Section 8 with any Affiliate or any government regulator of any Affiliate. Under appropriate confidentiality measures, Customer may share the results of any audit, report, or test under this Section 8 with actual or prospective clients of any Affiliate. To the extent required, UiPath shall cooperate in good faith with requests from any client or government regulator of any Affiliate that wishes to further investigate UiPath’s security audit attestations and results.

Governance

UiPath reserves the right to make additional changes to this Exhibit and publish them on the Trust Portal, provided that UiPath will not decrease the level of security provided hereunder.
