Yes – you can create and associate multiple unique API keys per dataset.
We currently support AES-256-GCM and AES-128-GCM for unstructured data, and the NIST FF1 method for structured data, with support planned for additional algorithms in the future. Please feel free to reach out if you have specific needs.
By default and upon creation, both Primary Keys and Data Encryption Keys are scheduled to rotate annually. You have the flexibility to adjust the rotation schedule to 3, 6, 12, 18, 24, or 36 month intervals.
Data Encryption Keys are stored with your encrypted data within your (customer) infrastructure. Data encryption keys are never sent to Ubiq.

Primary Encryption Keys are stored within FIPS 140-2 Level-3 compliant Hardware Security Modules (HSMs) within Ubiq’s SaaS infrastructure.
For unstructured data, simply decrypt the encrypted data and then re-encrypt it.

For structured data, rotate the Data Encryption Key associated with the relevant Dataset. Then, simply decrypt the encrypted data and then re-encrypt it.

In both cases, the decryption process retrieves the existing data decryption key to decrypt the data, and the subsequent encryption process retrieves the next available Data Encryption Key to encrypt the data. Please note, that the number of unique Data Encryption Keys is unlimited for unstructured data, but limited for structured data (due to field format and length limitations).
Yes – we support MFA using TOTP (E.G. Google Authenticator) for login and sensitive operations such as key rotation or modifying encryption policies.
It is very important that you store your MFA Recovery Code in a safe place in case you lose or replace your MFA Device. However, if you lost, misplaced or failed to record your MFA Recovery Code, then please contact Ubiq Support to regain access to your account.
Yes. The Ubiq Platform is fully cloud provider and deployment agnostic. Your application can run in any environment, so long as it can access our platform over the internet.
It’s entirely up to you. Our APIs are extremely flexible and can be used to encrypt as much or as little data as you wish.
Internet access to our platform is required for access to our APIs. If they are inaccessible, you will be unable to encrypt or decrypt data. Accordingly, the Ubiq Platform is designed to be highly resilient and reliable. You can see our current and historic availability information at status.ubiqsecurity.com
The Ubiq Platform sees only calls to encrypt and decrypt specific Data Encryption Keys, which are randomly generated and don't reveal any information about your customer data.

Your customer data never leaves your environment.
Data size for Structured Datasets will match the plain/input text. Data size for Unstructured Datasets will be about 1-2kb larger than the source data.
We currently support most major programming languages. You can find those details at dev.ubiqsecurity.com.

Each implementation is supported on most or all platforms the language itself supports and uses either native cryptographic primitives provided by the language or operating system, or well-vetted industry standard third-party libraries.

Our libraries are open source and you can find the source code for all of them in our GitLab and GitHub repositories.
Each API key can encrypt and decrypt any data for a given Dataset. To create partitioned datasets, create a new Dataset for each partition (which will create a new, unique Primary Encryption Key), then distribute the API keys for access to that partition.
Events: Within the Ubiq Dashboard, on the Events page, we log every encrypt and decrypt API call that is made for your account.

Security History: Within the Ubiq Dashboard, on the Security History page, we log user security activity, such as logins, dataset creation & edit activity, team member invites, MFA activation, and several other categories of information.
Keys are loaded into memory only as long as required to encrypt or decrypt data and are flushed from memory afterwards. Libraries are fully capable of multi-threaded operations.
No. Our APIs work on the level of blocks of bytes and can work with any data format or storage medium.
Our platform is designed to be entirely self-service. Please review these docs on how to get up and running.
Our platform currently runs in the USA. Our longer-term plans include running components of our platform in other international regions.
We have a simple and transparent licensing model: a flat charge per encrypt API call. See our pricing page for more information.
Not at this time. We have long-term plans to support customer managed KMS/HSM systems. If this is a requirement, please contact us for more information.
API key access can be restricted by source IP, as well as permissions: encrypt only, decrypt only, and encrypt and decrypt.

API key/credential security is the responsibility of the customer, including account credentials, API Key usage, and access. We encourage our customers to explore the use of industry-vetted secrets management solutions, approaches, and strategies to protect any API keys, passwords, certificates, and other secret material.
Yes – please contact us and we will work with you on an appropriate strategy for your use case and organization, including invoicing and procurement details.
To help prevent account compromise, you will be logged out after 15 minutes of inactivity.
A KMS only offers a small fraction of the functionality offered by the Ubiq Platform. Our platform builds on a traditional KMS to add encryption policy support, automated key rotation and management, access controls, and an interoperable, open data storage format accessible through our suite of simple APIs.
We encourage our customers to explore the use of industry-vetted secrets management solutions, approaches, and strategies to protect any API keys, passwords, certificates, and other secret material.
A Dataset is the primary building block (in the Ubiq Dashboard) of data that you choose to encrypt.

Datasets can be configured as two types:

1. Structured - Example: Data stored in a database column with a fixed length and type. Like a name, address, or SSN.

2. Unstructured - Example: Files (audio, video, PDF, text, etc.) stored in an unstructured data store such as AWS S3, Google Cloud Storage, or a Data Lake.

Dataset Groups provides you with the ability to visually group various Datasets together (in the UI), so you can efficiently manage and track Datasets that may share specific attributes. Datasets can be assigned to any number of dataset groups; however, it is not allowed to have Datasets with identical names within a given Dataset Group.
A Primary Encryption Key, also known as a Symmetric Master Key, “is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.”*
A Data Encryption Key, also known as a Symmetric Data Encryption Key, is “used with symmetric key algorithms to apply confidentiality protection to information.”* Data Encryption Keys are derived leveraging Primary Encryption Keys.
Chrome and Safari

* https://en.wikipedia.org/wiki/Cryptographic_key_types