Frequently Asked Questions

Integration Architecture and Usage

Where do you typically recommend integrating Ubiq into our systems?

We recommend integrating Ubiq as close to the source of data creation or access as possible.

For applications: Integration at the mid/service/API-tier is often the most efficient. This approach protects data at rest and provides broad coverage with minimal implementation effort. Integrations can also extend outward to endpoints like mobile or browser-based applications, depending on your use case.

For databases and data warehouses: Integration occurs directly within the database or data warehouse system to secure data where it resides.

How long/hard is it to implement? When will I see value?

Ubiq is designed to be a low-code/no-code solution, enabling most large enterprise customers to go from zero to running tests in a testing/staging environment within just a few hours. Even production implementations for many enterprise customers can be completed in half a day or a day, barring internal processes of course (e.g., planning, meetings, approvals).

This timeline reflects the actual integration work required, without accounting for external factors like organizational red tape. With minimal effort, you can start seeing value—encrypting, tokenizing, or masking data—very quickly.

What skills and resources on my team are needed to manage and deploy the tool?

Successful deployments typically involve a security engineer or architect who configures data types, selects algorithms, and sets up key management settings. The additional required roles depend on the integration point:

• Application Integration: A software developer.
• Data Warehouse/Database Integration: A database administrator (DBA).
• API Gateway Integration: A DevOps or infrastructure engineer.

No cryptography expertise is needed. Team members only require domain knowledge in their respective areas, and even that doesn’t need to be extensive.

For enterprise-tier customers, Ubiq provides integration assistance at no additional cost, ensuring smooth onboarding and deployment.

Is any of my data ever sent to Ubiq or anywhere outside of my environment or data flow?

No customer data - be it records, text strings, file or images, etc. - protected with Ubiq is ever transmitted to or accessed by Ubiq. All encryption, tokenization, and masking processes, as well as any other data security operations, are performed within the customer's own managed environment. Our service is designed to ensure your data privacy and security are always in your control.

What are the performance impacts of implementing Ubiq?

In short, negligible impact on processing times. For structured data smaller than 50 characters, encryption and decryption are typically in the 10 microsecond range (10th-of-a-millisecond), while unstructured data scales linearly based on data size, with modest hardware able to process several GB in under 10 seconds.

For high volume, transaction environments, key caching can be used to further tune and improve performance. You can read more about key caching here.

Does encrypting data with the Ubiq Platform change its size?

For structured datasets, no - data size matches the input. For unstructured datasets, data size is about 1-2 KB larger than the source.

What languages or platforms do you support? Are your libraries native implementations? Are they open source?

Most major programming languages and enterprise grade database and data warehouses are supported. Details can be found at dev.ubiqsecurity.com. Libraries are open source, available on GitLab and GitHub.

What happens if the Ubiq's API becomes unavailable? What happens if my infrastructure loses access to the internet?

The most typical mitigation is through key caching for a pre-defined period of time. Keys are fetched once and stored securely in memory, minimizing reliance on the platform for subsequent encryption and decryption operations during the session. You can read more about key caching here.

How does Ubiq meet on-premise security requirements?

Ubiq ensures that all sensitive data processing—including encryption, tokenization, and masking—occurs entirely within your on-premise environment. No sensitive data is transmitted outside your infrastructure during these processes.

For encryption key management, Ubiq provides the flexibility to integrate with your existing Key Management Service (KMS) or Hardware Security Module (HSM), allowing you to store and manage master keys securely on-premise.

How can we partition data access so that applications can read only a subset of our data?

Create a new Dataset for each partition and distribute API keys for access to that partition.

Does our data have to be formatted or stored in a specific way to use the Ubiq ?

No. Ubiq works with any data format or storage medium.

How do I re-key my data (change the Data Encryption Key that was last used to encrypt it)?

For unstructured data, the process is straightforward: decrypt the existing data using the current key, then re-encrypt it with the new key.

For structured data, rotate the Data Encryption Key associated with the dataset. Decrypt the data with the old key, and re-encrypt it using the updated key. This method ensures seamless key rotation while maintaining data security.

Can I encrypt just a single data element or file or do I need to encrypt all of it (as a group)?

Our APIs are extremely flexible and allow you to encrypt as much or as little data as you wish. You can choose to encrypt individual data elements, files, or entire datasets depending on your security requirements and implementation strategy.

Can I create multiple API Keys for a single dataset?

Yes – you can create and associate multiple unique API keys per dataset. Each API key can have granular permissions (e.g., encrypt-only, decrypt-only, or both), enabling you to design a secure and tailored implementation for your use case.

How does Ubiq meet on-premise security requirements?

Ubiq ensures that all sensitive data processing—including encryption, tokenization, and masking—occurs entirely within your on-premise environment. No sensitive data is transmitted outside your infrastructure during these processes.

For encryption key management, Ubiq provides the flexibility to integrate with your existing Key Management Service (KMS) or Hardware Security Module (HSM), allowing you to store and manage master keys securely on-premise.

What browsers do you officially support?

Chrome and Safari.

Security Features and Practices

Do you support Multi-Factor Authentication (MFA) when logging into the Ubiq Platform?

Yes – we support MFA using Time-Based One-Time Password (TOTP) systems like Google Authenticator. MFA can be applied for both user logins and sensitive operations, such as key rotation or encryption policy modifications.

I'm trying to sign into the Dashboard, but I don't have access to my MFA device or my recovery code. What can I do?

It is essential to store your MFA Recovery Code securely to ensure access in such situations.

If you lose access to both your MFA device and recovery code, please contact Ubiq Support for assistance. Ubiq's team will guide you through secure identity verification to regain account access.

How do we prevent unauthorized access via the API keys?

Restrict API key access by IP and permissions. Use industry-vetted secrets management strategies to protect keys and credentials.

How can I protect access to my API keys?

Use secrets management solutions, rotate keys periodically, and restrict key permissions (e.g., encrypt-only, decrypt-only) to mitigate unauthorized access.

What auditing features do you support?

Events log all encrypt and decrypt API calls. Security History logs user activities such as logins and dataset creation.

Describe key lifetime in memory. Can you deal with multi-threaded environments?

Keys are loaded into memory only during use and flushed afterward. Libraries support multi-threaded operations.

What are the primary threat/attacker use cases Ubiq addresses?

Ubiq addresses threats like credential compromise, insider threats, and SQL injection attacks. It integrates with IDPs for identity-driven data security, ensuring attackers can access only data tied to compromised identity permissions. It offers encryption, tokenization, and masking in one solution.

Key Management and Algorithms

What encryption algorithms do you currently support?

We currently support AES-256-GCM and AES-128-GCM for unstructured data, and the NIST FF1 method for format preserving encryption. These algorithms are widely recognized as secure and reliable.

We are continuously evaluating and planning to support additional algorithms, including those emerging for post-quantum cryptography. If you have specific encryption needs not currently supported, feel free to reach out to discuss.

How easy is it to change algorithms?

Changing algorithms in Ubiq is extremely simple and requires no code changes or updates to libraries. You can seamlessly select a new algorithm directly in the Ubiq web UI/dashboard.

Once an algorithm is changed, all future operations on the relevant data will use the new algorithm. If you’d like to update previously protected data to use the new algorithm, you can do so by re-keying that data.

Where are my encryption keys stored?

Data Encryption Keys are stored within your infrastructure, alongside the encrypted data. These keys are never transmitted to Ubiq, ensuring full customer control.

Primary Encryption Keys, which derive Data Encryption Keys, are securely stored within FIPS 140-2 Level-3 compliant Hardware Security Modules (HSMs) in Ubiq’s SaaS infrastructure.

What is your standard Primary Key rotation policy? Can the Primary Key rotation policy be customized?

By default, both Primary Keys and Data Encryption Keys are set to rotate annually upon creation.

You can customize this rotation schedule to meet your security requirements by choosing intervals of 3, 6, 12, 18, 24, or 36 months. This flexibility allows you to align your encryption practices with internal policies or compliance mandates.

What is your standard Primary Key rotation policy? Can the Primary Key rotation policy be customized?

By default, both Primary Keys and Data Encryption Keys are set to rotate annually upon creation.

You can customize this rotation schedule to meet your security requirements by choosing intervals of 3, 6, 12, 18, 24, or 36 months. This flexibility allows you to align your encryption practices with internal policies or compliance mandates.

Do you support Fully Homomorphic Encryption (FHE)?

FHE is still immature and not appropriate for wide-scale adoption. There are several challenges:

Performance Overhead: FHE is computationally expensive and significantly slower than traditional encryption methods. While improvements have been made, operations that take milliseconds on plaintext may take seconds or minutes on encrypted data, making it unsuitable for real-time or large-scale applications without significant hardware investments.

Security and Correctness: Ensuring ciphertexts reveal no information about plaintexts is challenging, and maintaining computational accuracy requires advanced noise management techniques, adding complexity.

Lack of NIST Standardization: Currently, no symmetric FHE approaches are NIST-approved, and the ecosystem for FHE is still maturing, lacking robust support and documentation.

Our approach prioritizes trust, transparency, and alignment with NIST standards. While some vendors offer proprietary FHE solutions, we aim to adopt validated and standardized FHE methods as they mature. This ensures security, transparency, and reliability in real-world applications.