Securing Data in a Robotic Process

Robotic processes access machines, software, and data in ways similar to your human workforce. It's crucial to embed data privacy and security during the design, execution, and review stages for every robotic process. When designing a secure robotic process, consider how Appian stores or shares data and how the robotic process stores execution metadata. RPA's advantage is the ability to interact with multiple systems, so it's also important to know that some security aspects fall outside of Appian's control.

This page describes data security aspects you should consider in the design, execution, and review of robotic processes. To learn more about how permissions are used to secure robotic processes, users, and resources in Appian RPA, visit the Security page.

Designing a robotic process

Developers can include logging in the robotic process code to record information in the execution log, which is helpful for debugging processes or making results more readable. Be mindful of including potentially sensitive information in this log. Appian RPA users with access to the robotic process will also be able to see execution logs. Never log personally identifiable information (PII), protected health information (PHI), decrypted values, or passwords as plain text.

rpa-example-log.png

Executing a robotic process

Any data that is written to Appian Cloud databases during the execution of a robotic process adheres to our existing data privacy and retention standards.

Data flow from Appian

If your robotic process accesses existing data in an Appian database, consider where that data will be used and how it might be stored elsewhere. For example, if you use a robotic process to send Appian data to your HR system, you'll need to evaluate that software vendor's data privacy and storage practices prior to deployment.

Additionally, it's important to regularly evaluate and monitor the security of the resources where your robotic processes are being executed. Consider who has access to files that the robotic process regularly generates, updates, or moves on these resources. If the files contain sensitive information, consider cleaning or removing the files appropriately.

Data flow to Appian

On the Appian side, if the robotic process is executed as part of a process model, any data passed back from the robotic process may be stored in the Process Details area during monitoring. Administrators should consider who has access to the application and process models if this data is sensitive and shouldn't be easily accessible.

You may also configure your robotic processes to write or retrieve information in other databases. However, this type of access falls outside of Appian's security perimeter, and implementation must be tested for security independently.

Viewing results

You can control the information that Appian RPA captures when manually executing a robotic process through the Console. In the Execution options, you can choose to record the execution and take screenshots along the way. If you're concerned about the information that's contained in the execution video or screenshot, you can elect to not use this feature when manually executing the robotic process.

rpa-execution-options-2.png

However, there are methods available in the robotic process code to take screenshots during execution, which could override the manual execution option. Communicate with developers to ensure security concerns and guidelines are also respected in the robotic process code.

Execution results (including video and images, if captured) are visible to users that share permissions with the robotic process, so administrators can configure security by adding or removing permission tags as necessary.

Open in Github

On This Page

FEEDBACK