> Read the whitepaper on the runtime control plane for sensitive data access

Identity-driven runtime data security

Ubiq is the runtime control plane for sensitive data access. It sits between your IAM and your data, revealing sensitive data only to the identities authorized to see it, inside your own environment.

Book A Demo

Same data. Different identities. Different outcomes.

One protected record, revealed differently to every identity.

Protect sensitive data once. At the moment of access, Ubiq evaluates identity, context, and policy in real time — and returns only what that identity is authorized to see.

Protected recordEncrypted · Tokenized · Masked

Name

Dana Whitfield

dana.whitfield@acme.com

SSN

412-55-9087

Card

4539 8841 2207 4421

Ubiq runtimeevaluates identity + context + policy at the point of access

BI Analyst

Tableau · read

Masked

Card

•••• •••• •••• 4421

Payments service

API · service account

Tokenized

Card

tok_9f3a21c7e0b4

AI agent

MCP workflow

No access

Card

—

The runtime gap

System access was solved. Sensitive data access wasn’t.

IAM / IGAIdentity & access

Who gets into systems

UbiqThe runtime gap

What sensitive data each identity sees at runtime

Data protectionStorage & keys

Securing the data itself

System access control isn’t sensitive data visibility.

IAM and IGA decide who gets into a system — not which sensitive fields that identity should actually see once inside.

After access is granted, sensitive data is often returned in full to users, service accounts, and AI agents that don’t need it.

AI agents and MCP workflows reach data indirectly, multiplying access paths faster than controls can keep up.

How Ubiq works at runtime

Ubiq sits at the point of access. When any identity — a user, application, API, service account, or AI agent — requests sensitive data, Ubiq evaluates identity, context, and policy in real time, and returns only what that identity is authorized to see.

Protect onceReveal by identity

Sensitive data is encrypted, tokenized, or masked at the field and record level.

Protection is applied once — no separate copies for each team, tool, or use case.

Data stays protected wherever it lives, and never leaves your environment.

customers · 1 recordProtected at field level

NameDana WhitfieldMasked

Emaila8f3c1··@··Tokenized

SSN··· ·· ····Encrypted

Cardtok_9f3a21c7e0b4Tokenized

One protected dataset serves every team and workflow — storage and admins only ever see protected values.

Protect once

Protect sensitive data once — at the field and record level.

Each record, field, or file is encrypted, tokenized, or masked. One protected dataset serves every team and workflow — no separate copies — and storage and admins only ever see protected values.

Reveal by identity

Grant or restrict sensitive data access based on identities in your existing identity provider.

Ubiq connects to your existing identity provider via SCIM, so you can enforce encryption, tokenization, and masking policies through your existing policies, ensuring each human or non-human identity only sees the data they’re authorized to. No need to replicate or manage identities in a separate system.

Outcomes

Reduce exposure without reducing data use.

One runtime control point delivers safer data use across the enterprise — same business outcomes, less exposure.

Enable safe AI

Control what AI models, agents, and MCP workflows can see, use, and retain when they reach sensitive data.

Reduce risk

Limit exposure from insider threats, overprivileged users, and compromised admin credentials.

Meet compliance

Consistent protection, policy enforcement, logging, and auditability for PCI, GDPR, HIPAA, and more.

Enable safer analytics

Power dashboards, reports, and BI without exposing sensitive fields to the people and tools that don’t need them.

Standardize protection

Apply one identity-driven model across applications, databases, warehouses, APIs, and pipelines.

DATA SECURITY, WITHOUT THE COMPLEXITY.

Built to protect data wherever it lives, within your managed infrastructure.

Our no/low-code integrations allow you to quickly and easily encrypt, tokenize, or mask sensitive data directly in your databases, data warehouses, applications, and API gateways. And always tie sensitive data access to identities managed in your IAM.

Node.js

Ruby

Python

C++

Java

Snowflake

constubiq=require('ubiq-security')// Explicitly set the credentials.const
                


credentials= new Credentials ( '','','')// Encrypt a block of data.const



encrypted_data = awaitubiq. encrypt (credentials,plainntext_data)
// Decrypt a block of data.
constplainttext_data = awaitubiq. decrypt (credentials,encrypted_data)

require 'ubiq-security'
include Ubiq

# Explicitly set the credentials.
credentials = Credentials(access_key_id = "...", secret_signing_key= "...", secret_crypto_access_key= "...")

# Encrypt a block of data.
encrypted_data = encrypt(credentials, plaintext_data)

# Decrypt a block of data.
plaintext_data = decrypt(credentials, encrypted_data)

# Require the Security Client.
importubiq_security asubiq

# Explicitly set the credentials.
credentials =ubiq.credentials(access_key_id= "..." ,secret_signing_key= "..." ,secret_crypto_access_key="...")# Encrypt a block of data.


encrypted_data =ubiq.encrypt(credentials,plaintext_data)

# Decrypt a block of data.
plaintext_data =ubiq.decrypt(credentials,encrypted_data)

#include 

struct ubiq_platform_credentials *creds =NULL;
void *ptbuf =NULL, *ctbuf =NULL;
size_t ptlen=0,ctlen=0; ubiq_platform_credentials_create(


creds); ... ubiq_platform_encrypt(





creds,ptbuf,ptlen,ctbuf,ctlen); ubiq_platform_decrypt(


creds,ctbuf,ctlen,ptbuf,ptlen);free(

ctbuf);free(
ptbuf);ubiq_platform_credentials_destroy(

creds);

#include 
 
 ubiq::platform::credentials creds;
 std::vector ptbuf,ctbuf; ... 





ctbuf =ubiq::platform: : encrypt (creds,ptbuf. data ( ) ,ptbuf.size()); 


ptbuf =ubiq::platform: : decrypt (creds,ctbuf. data ( ) ,ctbuf. size ( ) ) ;

using UbiqSecurity;


var credentials =UbiqFactory. CreateCredentials (accessKeyId: "..." ,secretSigningKey: "..." ,secretCryptoAccessKey:"..."); 


byte[]plainBytes=...;
byte[]encryptedBytes =await UbiqEncrypt. EncryptAsync (credentials,plainBytes); 


plainBytes =await UbiqDecrypt. DecryptAsync (credentials,encryptedBytes);

import com.ubiqsecurity.UbiqCredentials;import
com.ubiqsecurity.UbiqDecrypt;import
com.ubiqsecurity.UbiqEncrypt;import
com.ubiqsecurity.UbiqFactory;// Explicitly set the credentials.UbiqCredentials


credentials= UbiqFactory . createCredentials ( "","","",null);// Encrypt a block of data.byte[]


plainBytes=...;byte[]
encryptedBytes= UbiqEncrypt . encrypt (credentials,plainBytes);// Decrypt a block of data.


plainBytes= UbiqDecrypt . decrypt (credentials,encryptedBytes);

import
"gitlab.com/ubiqsecurity/ubiq-go"
varplaintext[]byte=...// load the default credentials


credentials, _ :=ubiq.NewCredentials()// encrypt a block of data


ciphertext, _ :=ubiq. Encrypt (credentials,plaintext)

// decrypt a block of data
plaintext, _ :=ubiq. Decrypt (credentials,ciphertext)

# Initialize credentials into the current session
call ubiq_begin_fpe_session(dataset_names,access_key,
secret_key,secret_crypto_access_key);# Encrypt a block of data.


select ubiq_fpe_encrypt_cache(plain_text,dataset_name);# Decrypt a block of data.


select ubiq_fpe_decrypt_cache(cipher_text,dataset_name);

# Querying encrypted data stored in a table
select name,address,ubiq_fpe_decrypt_cache(sensitive_info,dataset_name) fromsecure_table;

# Inserting encrypted data to a table
insert into secure_table (name,address,sensitive_info)values( "Jeff" , "101 Anywhere St" ,
ubiq_fpe_encrypt_cache(sensitive_info,dataset_name));

# Tear down the Ubiq Session
call ubiq_close_fpe_session(access_key,secret_key);

Integrations galore

Integrations are available for the most popular programming languages, databases and warehouses, API gateways, and SaaS platforms.

Learn more >

30+ native integrations
IAM-driven access enforcement
FIPS 140-2 Level 3-compliant key storage
Only NIST approved algorithms
Data never leaves your environment
Simple integrations & scalable APIs

Read the Docs

30+ integrations across your stack – from applications to infrastructure

Integrate our no-code, software-based integrations across databases, warehouses, and gateways or our lightweight code-based integrations to protect sensitive data directly in your applications.

Reveal sensitive data only to the identities authorized to see it.

Book a Demo