Ubiq Platform Overview
Ubiq Overview
Ubiq is a data protection platform that gives enterprises a single, identity-governed system to encrypt, tokenize, and mask sensitive structured and semi-structured data across applications, databases, APIs, and analytics.
Unlike legacy tools that control who can access a database, Ubiq controls who can perform cryptographic operations on data, and enforces those decisions using your existing IAM (Okta, Entra ID, SailPoint, etc.). This finally connects identity policy to data security without agents, proxies, or infrastructure changes.
Ubiq is built for enterprise-scale structured data protection and can be deployed in hours, not weeks.
Note: Ubiq is designed for structured and semi-structured data used by applications and systems. It is not intended for protecting end-user files (PDFs, Office documents, images, etc.), which are typically secured using tools like Microsoft Purview, or data stored in third-party SaaS solutions (Salesforce, Workday, etc.).
The Gap Between Identity and Data Security
Traditional data protection has two disconnected layers:
- IAM: governs access to apps and systems
- Data Security: manages encryption, keys, and tokenization through separate tooling
This gap yields:
- Over-privileged access
- Fragmented controls
- Audit and compliance exposure
Ubiq bridges that divide by making identity the control plane for all cryptographic operations. If IAM says a user or non-human identity shouldn’t see or transform a field, Ubiq enforces that consistently, at every touchpoint.
Core Capabilities
Unified Protection
- Field- and record-level encryption, (vaultless) tokenization, and masking
- Format-preserving transformations that maintain usability
- Supports structured and semi-structured data (JSON, events, records) across applications, databases, warehouses, APIs, and streaming systems
Integration & Identity Alignment
- Integrates with existing IAM platforms (e.g., Okta, Auth0, Entra ID) or via scoped API tokens
- Applies IAM-based policies to govern who can encrypt, decrypt, tokenize, or mask data
- Extends least-privilege access and user lifecycle controls directly to the data layer
Low/no-code Integrations
- Single integration supports encryption, tokenization, and masking use cases
- No agents, no proxies, no changes to schemas or flows
- All encryption, tokenization, and masking occur within your environment - data NEVER leaves
Secure Operations and Key Management
- Built-in, HSM-backed FIPS-validated key management, or optionally use customer-owned BYOK/HSM keys
- Local execution ensures sensitive keys and data never leave your environment
- Typical integration time: 2–4 hours for initial deployment
Ubiq delivers enterprise-grade data protection that aligns with your existing IAM, rather than requiring separate key systems or control frameworks.
Integration Coverage
Ubiq integrates anywhere sensitive structured, semi-structured, or streaming data is accessed:
- Applications: Backend services, microservices, internal tools, ETL/ELT pipelines, streaming services (Kafka/Kinesis), and batch processing jobs.
- Databases: SQL and NoSQL systems.
- Data Warehouses & Analytics: Snowflake, BigQuery, Redshift, Databricks, Fabric, etc.
- API Gateways & Services: Kong, Apigee, etc.
- BI & Visualization Tools: Tableau, PowerBI, Looker, etc.
All integrations run locally - no agents, proxies, or schema changes.
Scope Clarification: Structured vs. Unstructured Data
Ubiq is purpose-built for protecting structured and semi-structured data inside applications, databases, APIs, and analytics platforms. It is not a solution for unstructured end-user files such as PDFs, Office documents, images, or content on laptops or file shares such as SharePoint or OneDrive.
For unstructured file protection, customers typically pair Ubiq with Microsoft Purview Information Protection (MIP) or similar DLP/DRM tools.
Ubiq and MIP are complementary. MIP governs documents, while Ubiq governs data fields, records, and datasets used by applications and systems - data which is most commonly exposed during a breach.
Access Control Options
Ubiq supports two access control models, designed for different contexts:
- Customer IAM-Based Control (Recommended): Integrate Ubiq with your Identity Provider (e.g., Okta, Entra ID) using SCIM. Users and groups sync automatically, and access to datasets is governed entirely by identity. This is the preferred model for human users and identity-aware workloads.
- Ubiq-Managed Service Access (API Keys): Provided for service accounts, automated workloads, or environments where IdP integration isn’t feasible. Each key includes scoped permissions and can be rotated or revoked at any time.
In most deployments, customer IAM governs human identities, while Ubiq-managed identities (API keys) govern systems or external partner access, ensuring clean separation of control and easier compliance management.
High-Level Deployment Architecture
Ubiq follows a hybrid SaaS architecture designed to keep data and cryptographic operations within your environment while offloading policy management, logging, and orchestration to Ubiq’s cloud control plane.
- Control Plane (SaaS/Ubiq's Cloud Environment): Hosts the Policy Manager and Key Management infrastructure. It stores configuration, access policies, and master key material in a secure, FIPS-compliant environment. Master keys can optionally be stored in your HSMs.
- Data Plane (Customer Environment): All encryption, tokenization, and masking occur locally, inside your applications, databases, and data warehouses. Sensitive data and derived keys never leave your environment.
This model centralizes policy management while keeping data and cryptographic execution fully local, helping maintain data residency and regulatory compliance.
The diagram below illustrates the high-level deployment model, highlighting which components reside in Ubiq’s SaaS control plane versus the customer’s infrastructure.

- Key management: Ubiq-hosted FIPS-compliant key management OR use customer-owned HSMs
- Policy Engine: Control plane (policy manager, key manager) is Ubiq-hosted
- Identity enforcement and/or Ubiq IAM: Governs all data access operations in real-time
- Low/no-code integrations: Software libraries that perform all crypto operations locally within the customer’s environment
- Data and data encryption keys remain fully inside the customer infrastructure
Runtime Enforcement Flow

Every Ubiq operation (encryption, tokenization, masking, or decryption) passes through an identity-aware decision flow:
- Request Initiation: A user or system requests to access or modify protected data.
- Identity Evaluation: Ubiq checks the requestor’s identity and group membership (via your IdP or SCIM mapping).
- Policy Check: The system verifies that the identity is authorized to perform the requested operation on the dataset.
- Key Access: If approved, the appropriate key material is retrieved and applied locally.
- Enforcement: If not authorized, the request is denied — even if the user has full database or infrastructure access.
This ensures that cryptographic decisions are not only policy-based, but identity-enforced, closing the gap between IAM and data security.
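The five-step flow above, modelled as runnable Python. This is an added illustration and not Ubiq's code or API: the policy table, the identity-to-group mapping, the dataset name and the key identifier are all constructed for the example, and `fetch_key` stands in for whatever local key retrieval a real deployment performs.

```python
# Illustrative model of the identity-aware decision flow (added example,
# not Ubiq's code). Policy, identities, groups, datasets and key ids are
# constructed for demonstration only.
from dataclasses import dataclass
from typing import Optional

OPERATIONS = {"encrypt", "decrypt", "tokenize", "mask"}

# Constructed policy: dataset -> group -> operations that group may perform.
POLICY = {
    "customer_pii": {
        "payments-service": {"encrypt", "decrypt"},
        "analytics": {"tokenize", "mask"},
    },
}
# Constructed IdP/SCIM mapping: identity -> groups it belongs to.
DIRECTORY = {
    "svc-payments": {"payments-service"},
    "alice": {"analytics", "dba"},
    "bob": {"dba"},  # full database access, but no cryptographic rights
}
AUDIT_LOG = []  # every decision is recorded with identity context


@dataclass
class Decision:
    identity: str
    dataset: str
    operation: str
    allowed: bool
    reason: str
    key_id: Optional[str] = None


def evaluate(identity, dataset, operation, fetch_key):
    """Steps 2-5 of the flow. fetch_key(dataset) is invoked only after the
    policy check passes, standing in for local retrieval of key material."""
    groups = DIRECTORY.get(identity, set())  # identity evaluation
    if not groups:
        d = Decision(identity, dataset, operation, False, "unknown identity")
    else:
        permitted = set().union(*(POLICY.get(dataset, {}).get(g, set()) for g in groups))
        if operation in OPERATIONS and operation in permitted:  # policy check
            d = Decision(identity, dataset, operation, True, "policy allows",
                         key_id=fetch_key(dataset))  # key access
        else:  # enforcement: denied even though the caller may own the database
            d = Decision(identity, dataset, operation, False, "policy denies")
    AUDIT_LOG.append(d)  # audit by default, with identity context
    return d


def demo_key_store(dataset):
    return f"dek-{dataset}-v1"  # constructed key id for the example
```

Note that `bob`, who holds the constructed `dba` group and therefore full database access, is still denied every cryptographic operation because no policy grants his group any.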
Why Customers Choose Ubiq
- One Integration, Complete Coverage: A single integration enables encryption, tokenization, masking, and dynamic masking. No need to buy or manage separate products or licenses.
- Identity-Driven Control: IAM governs who can perform cryptographic operations, extending your existing access policies to the data layer.
- Data Stays Local: All cryptographic operations happen within your environment; Ubiq manages only keys (optionally) and policies in SaaS.
- Zero Infrastructure Overhead: No agents, proxies, or schema changes. Integrate directly into existing applications, databases, and pipelines.
- Audit by Default: Every encryption, tokenization, or masking action is logged with identity context for complete traceability.