Automation 360 Cloud FAQ

Answers to frequently asked questions (FAQ) and related information provide insight into various aspects related to Automation 360 Cloud.

Where can I find an overview of Automation 360 Cloud security?
An overview and details about Automation 360 Cloud security can be found in this document: Automation 360 Cloud Security and Data Privacy.
As a customer, how can I start using Automation 360 Cloud?
The prerequisites and additional, optional steps for getting started can be found on the Automation Anywhere documentation portal at the following location: Get started with Automation 360 Cloud.

For most customers, the basic requirement is to allow secure access, using HTTPS, to their new Control Room environment hosted on Automation 360 Cloud. If this is not already enabled, you need to open port 443 in your firewall to allow outward HTTPS communication from your browser and the Bot Agent to the Control Room. After the Bot Agent is installed, it establishes a web socket connection to the Control Room. No ports need to be open on the customer site for these inbound connections.

Does Automation 360 Cloud provide a service-level agreement (SLA) for service availability?
Yes, an SLA for 99.9 percent monthly availability is provided for the customer's access to their production Control Room environment. The SLA does not include planned downtime for maintenance and updates to the service. If a customer believes that the SLA has not been met, a service credit can be claimed through Support. Details can be found in our Availability Service Level Terms.
How does Automation 360 Cloud support high availability (HA)?
Each customer's Automation 360 environment is deployed using application load balancing across highly available public Cloud infrastructure services. The infrastructure services support both microservices running on Docker containers in Kubernetes clusters and datastores (database, cache, logging, file system, storage) supporting HA across multiple zones within a region. Both AWS and GCP public clouds are used.
Does Automation 360 Cloud support disaster recovery (DR)?
Yes, Automation 360 Cloud supports DR. Under a disaster recovery scenario the customer's tenants will be brought up in another region using the same URL and their Bot Agent will reconnect automatically. In case of major incidents, where imminent resolution seems unavailable, a disaster situation is declared and all the tenants within the region affected by the incident are failed over to another, remote region. The current objectives for this recovery are as follows:
Recovery Time Objective (RTO)
The time taken to get a new region up and running with the last backup data restored is 4 hours after announcement of the disaster.
Recovery Point Objective (RPO)
The maximum duration for data loss during a restore is 4 hours.
Note: RPO is based on backups taken and pushed to another backup region.
Do all customers receive notifications about upcoming general releases from Automation Anywhere via email?
All Cloud and On-Premises customers receive general release announcements from Automation Anywhere via email. The release announcements are sent two weeks before the release date. Additionally for Cloud customers, the announcement is also sent to the administrators who registered when first provisioning the Control Room.
How do customers determine what region their Control Room is in?
A Customer License User (CLU) can sign-in to the License and Cloud Services and find the region where the Control Room is hosted. To find the region, navigate to the License and Cloud Services portal on the A-People site and click the Cloud Control Room Instances tab. For more information, see Licenses and cloud services.
Customer can also sign-in to the Control Room and find the region where the Control Room is hosted by clicking the ? button on the lower-right corner of the Control Room.
Are there maintenance windows for the Automation 360 Cloud?
Yes, Automation Anywhere updates Automation 360 Cloud every 3 months so that customers will receive automatic and regular updates to the latest software version. For more information, see Automation 360 software lifecycle policy.

The primary channel for communicating the timing of Cloud status and maintenance windows is the Automation 360 Cloud Service Status site. You can subscribe to this website and receive the updates. Note that you cannot choose when the updates are rolled out across the multitenant Cloud. The Automation 360 architecture is designed to allow these timeless updates to roll out without affecting customers' bot development lifecycles.

As a customer, what actions should I take to plan for an Automation 360 maintenance window?
A customer's bot operations should take account of scheduling bots to run outside of the published maintenance windows. These updates are scheduled to run outside of normal business hours on the same day and time per region, and focuses on mid-month, avoiding month ends. More details guiding customers on planning around maintenance windows can be found on this KB article: Automation 360 Cloud updates.
Is customer data stored on the Automation 360 Cloud?
Yes, basic automation processes allow customers to keep customer business data on their own infrastructure using careful bot design. However, Automation 360 applications increasingly store customer data on the Cloud. Several Automation Anywhere products store customer data as part of customer-defined automations, although typically only temporarily, that is, during the automation process defined by the customer.

For example:

  • IQ Bot use typically involves uploading images for processing.
  • Recorder and AISense Recorder store recorded screenshots.
    Note: Secure recording can be enabled by administrators to ensure that these are not stored.
  • Automation Co-Pilot stores data processed by attended forms.
  • Bot Insight can be used to create dashboards made from tagged business data being processed by a bot.
  • WLM stores Work Items in its queues.

The customer has control over what business data is stored on the Automation 360 Cloud. Note that the source data remains with the customer, and the customer is in control of deleting the data on the Automation 360 Cloud. In general, the business data a customer keeps in our Cloud through the use of bots is for automation purposes only and can then be deleted. The primary storage for the data is not on our Cloud. Customers might need to keep audit logs and dashboard data. Both of these can be exported.

What is the Automation 360 Cloud Data Retention Policy?
During a customer's subscription period, data on the Automation 360 Cloud is in their control.

Backups are taken every 4 hours and kept for seven days. After a subscription ends, according to our retention policy, data is held for another 30 days, to allow for renewal or recovery of bots and reports, and is deleted after that. After 60 days, the entire tenant environment is deleted.

What is the Automation 360 Cloud audit log retention policy?
In Automation 360 Cloud deployments, audit logs are retained for the last 180 days (2 quarters). Audit logs that are older than 180 days are purged periodically. Because the audit logs are purged periodically and depending on when you are viewing the audit logs, you might see audit logs that are older than 180 days till the purge process gets triggered internally.

The available or retained audit logs can be viewed from the audit log page by authorized users. Users can choose to filter the audit logs by selecting appropriate filters as per user requirement. Use the Custom filter option to select a period to view the retained audit logs. For user convenience, the product supports a few quick filters such as Last 24 hours, Last 7 days, Last 30 days, Last 60 days, and Last 90 days.

Is data stored on the Automation 360 Cloud using common storage infrastructure?
Yes. The data storage services used by Automation 360 Cloud are shared across customers as part of the multitenant design. In this way, the infrastructure and operational costs are not passed on to our customers. Automation Anywhere applications use a unique tenant ID to ensure that data access is logically segregated by tenant. No data processing or storage operations can expose the data of one customer to another customer.
Can Automation Anywhere personnel access customer data stored on the Automation 360 Cloud?
Yes. However, operational controls governed by Automation Anywhere compliance certifications ensure that such access is limited to a well-defined set of individuals in CloudOps, SecOps, and Support organizations under strict separation of duties. Customer data will be accessed only based on a customer granting permission in order to resolve a support case.
What compliance covers Automation 360 Cloud?
Automation Anywhere Cloud Operations (CloudOps) is governed by the following certifications based on third-party audits: SOC 1 Type 2, SOC 2 Type 2, ISO 27001:2022: Information Security Management Systems (ISMS), ISO 27017:2015: Information Security Controls for Cloud Services), ISO 27018:2019: Protection of Personally Identifiable Information (PII) in Cloud environments and HITRUST.

The Automation Anywhere Business Continuity Management system is also certified with ISO 22301.

Customers rely on industry standard certifications for regulatory and compliance reasons. SOC 2 is created by the American Institute of CPAs (AICPA), and it measures IT security controls. The SOC 2 Type 2 certification verifies that Automation Anywhere CloudOps and SecOps teams have taken the appropriate controls and have put operational processes in place to meet industry standards for secure Cloud operations.

What is the timeline and validity for the Service Organization Controls (SOC) attestation reports?

Automation Anywhere conducts SOC 1 and SOC 2 audits annually inline with Trusted Service Criteria (TSC) defined in the SSAE 16 standard. The SOC 1 and SOC 2 reports cover the audit period from November 1st to October 31st.

Note:
  • SOC reports are evidence-based and backward-looking for the audit period. That is, auditors collect evidences on how the controls performed over the duration of the audit period to provide their opinion.
  • A SOC report is valid for one year time period.
  • Automation Anywhere maintains a Type 2 report that provides reasonable assurance of the operating effectiveness of our internal control structure.
  • SOC 1 and SOC 2 reports are issued approximately two months after the end of the audit period.
Are the compliance certifications and summary reports for the certifications available for customers to review?
Yes, customers can now access the various summary reports and certifications on the Compliance Portal under NDA.
How does Automation 360 Cloud support GDPR and an individual's privacy?
Automation Anywhere has put processes in place to handle individuals' data privacy rights, and reviews them on a regular basis to ensure GDPR compliance. For more information, see our Privacy Policy.
Do Automation Anywhere personnel monitor an Automation 360 Cloud tenant's environment?
Yes. All infrastructure and application-level audit logs are monitored to ensure the correct operation of the environment under load. This way, when load thresholds are reached, additional resources can be applied to ensure service availability and performance.
Does Automation Anywhere report unsuccessful data breaches to a customer?
No, Automation Anywhere reports only successful breaches to a customer when that customer's data has been compromised and on a timeline determined by local law.
What data does Automation Anywhere collect to improve the Automation 360 Cloud service?
To operate and support the service, Automation Anywhere captures logs that can include usernames from the system. These rotate and are overwritten every 30 days. Automation Anywhere collects and uses telemetry data only for purposes of improving the service. Collected telemetry data includes the following:
  • Audit logs: These reflect user activities in the Control Room and applications, for example, a bot was run successfully or a user created a bot.
    Note: The actual username is masked. Logs might include IP addresses, device names, and bot names.
  • User clicks on a UX feature: Helps in providing user-specific help and guidance options to the user in the UI based on their experience.
  • Where documents are uploaded for processing (for example, when using IQ Bot or AISense), Automation Anywhere might reconstruct the format of the document, without the customer's data, for the purpose of further training the Automation Anywhere AI/ML models to recognize document fields that might contain data for extraction. This aids in improving the application's data extraction accuracy.

This telemetry data can be used to monitor the service and is visible per tenant Control Room, and in aggregate, so that feature usage and adoption can be estimated. This can be used by product management to determine which features to prioritize for improvement and to identify features or applications not being adopted. This data can also help CSMs to advise customers on unused features that they could start using and benefit from.

In which geographical region is a customer's data stored when using Automation 360 Cloud?
In general, for the pure Cloud deployment model, a customer specifies the regional location at the time of provisioning their Control Room instances, for example, US East or Japan.
Note that we cannot provide the detailed address or location of the physical data center because we use public Cloud providers, who reserve the right to move and do not disclose locations for safety and security reasons. We provide this regional capability to ensure that the Control Room is located in the same region where the customer will perform most of their operations to ensure high performance and usability and to reduce latency. For most locations, for business continuity, the disaster recovery element of the service sends data backups every 4 hours to another region. The other region is usually in another country.
Which regional locations does Automation 360 Cloud support?
Automation Anywhere Control Room environments can be hosted in the following regions:
Primary Backup/DR
Automation 360 Cloud: Control Room - US West 1 Automation 360 Cloud: Control Room - US East
Automation 360 Cloud: Control Room - US East 1 Automation 360 Cloud: Control Room - US West
Automation 360 Cloud: Control Room - US East 2 Automation 360 Cloud: Control Room - US West
Automation 360 Cloud: Control Room - US Central 1 Automation 360 Cloud: Control Room - US East
Automation 360 Cloud: Control Room - Canada 1 -
Automation 360 Cloud: Control Room - Europe 1 Automation 360 Cloud: Control Room - Europe Central
Automation 360 Cloud: Control Room - Europe 2 Automation 360 Cloud: Control Room - Europe Central
Automation 360 Cloud : Control Room - Brazil 1 Automation 360 Cloud: Control Room - US East
Automation 360 Cloud: Control Room - South Africa 1 Automation 360 Cloud: Control Room - Europe West
Automation 360 Cloud: Control Room - Bahrain 1 Automation 360 Cloud: Control Room - Europe West
Automation 360 Cloud: Control Room - Japan 1 Automation 360 Cloud: Control Room - Singapore
Automation 360 Cloud: Control Room - Singapore 1 Automation 360 Cloud: Control Room - Japan
Automation 360 Cloud: Control Room – India 1 Automation 360 Cloud: Control Room - India East
Automation 360 Cloud: Control Room - Sandbox US West 1 Automation 360 Cloud: Control Room - US East
Automation 360 Cloud: Control Room - Sandbox US Central 1 Automation 360 Cloud: Control Room - US East
Automation 360 Cloud: Control Room - Sandbox Europe 1 Automation 360 Cloud: Control Room - Europe Central
Automation 360 Cloud: Control Room - Sandbox Singapore 1 Automation 360 Cloud: Control Room - Japan
Automation 360 Cloud: Control Room - Australia 1 Automation 360 Cloud: Control Room - Australia West
Automation 360 Cloud: Control Room - Australia 2 Automation 360 Cloud: Control Room - Australia East
What if the customer is concerned about data sovereignty (that is, maintaining data in a specified region)?

For customers concerned about data sovereignty, the Pure Cloud model ensures that data for Automation 360 Cloud regions in the US, EU, India, Australia, and Canada is stored within those regions. In the US, the data backup is maintained within the country, and disaster recovery is also handled locally. Similarly, for the EU, Canada, India, and Australia regions, backup is stored locally, and disaster recovery operations occur within the same geographical regions.

This model does not prevent access to the data from outside those regions, such as for support purposes.

Which public Cloud providers are used to deliver Automation 360 Cloud services?
Automation 360 Cloud uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) to deliver Automation 360 Cloud services. Automation Anywhere decides on the default provider to use. However, if you have a strong preference for AWS or GCP, you should work with your account team to choose the preferred Cloud service at the time of closing the sales transaction. For existing customers in the US and EU who provision for a new Control Room, the new tenants are created in the same region where your other tenants are located.
Note:
  • IQ Bot classic is not supported on GCP.
  • Migration of Enterprise 11 On-Premises Control Room to Automation 360 Cloud service on GCP using the Cloud Migration Utility is not supported.
What is a sandbox Control Room?
A sandbox is a fully functional and supported Control Room that receives new release updates at least 3 weeks prior to a customer's main Control Room for Bot Lifecycle Management (Dev/Test/Prod). The sandbox environment primarily allows customers to try out new releases and sanity-test their production bots.
Note: IQ Bot and DR are not supported on sandbox environments.
Is the sandbox the same as a trial environment?
No. Unlike a sandbox, a trial or proof-of-concept Control Room is provided free of charge for 30 days ahead of a sale, as part of the selling motion with customers.
What are SOC 1 and SOC 2 reports? Differentiate between Type I versus Type II SOC audits.
Type I audit confirms that the controls exist, whereas a Type II audit provides assurance that controls are designed and implemented, and they are operated effectively and as intended over the defined period of time. All Type II SOC audits attest to the effectiveness of controls over a period of time, 12 months.
Describe the validity of SOC audit reports?
  • Automation Anywhere SOC 1 and SOC 2 Type II audit period is for the previous 12 months. It is expected to occur around October every year.
  • These audit the operating effectiveness of our controls (systems) for the period of previous 12 months (typically between 1st November until 31st October).
  • Our audit report is valid for 12 months following the date the report was issued. During the time until the next audit, we assure that our controls will keep working as intended as a SOC bridge letter signed by Automation Anywhere leadership.

    For example, consider we have an audit report valid from November 2022 through October 2023. We assure that our systems will keep working as intended until the next audit from November 2023 through October 2024 with a SOC bridge letter.