Dynamic Data Masking for Sensitive Data

Mask sensitive data based on who is asking, without leaving the real value exposed underneath. Ubiq protects the value itself, then decides at runtime whether each identity receives the full value, a masked value, a tokenized value, or a protected value.

Trusted in production by security & data teams

GCash
Globe Telecom
Schneider Electric
DBS Bank
Fortune100
Prive Technologies
Human Managed
U.S. Department of Homeland Security
AFWERX (U.S. Air Force)
U.S. Army
PioPac Fidelity
Capt Andy's Sailing Adventures
Fortune50

Independently attested

SOC 2 Type II, PCI DSS SAQ-D, CMMC 2.0 Level 1

What is dynamic data masking?

Dynamic data masking returns a different version of a sensitive value depending on who or what is requesting it, so the same field can show in full to one identity and masked to another. Traditional masking changes only what appears in a query result or application view. Ubiq goes further: it protects the value itself, then reveals the right version at runtime based on identity and policy.

Static and dynamic masking

Serve a permanently masked version where the original should never be exposed, such as dev, test, vendor, and analytics copies, or decide the outcome at runtime for production access.

Protect the value, not just the view

Sensitive values can stay encrypted, tokenized, or format-preserving at rest, so masking becomes real data protection instead of a presentation-layer filter over plaintext.

Identity-based reveal

The same protected value resolves to a full, partially masked, fully masked, tokenized, or protected value based on the requesting identity, application, service account, API, or workflow.

Traditional dynamic data masking changes only what a query or application shows, while the real value stays in plaintext underneath. Ubiq protects the value itself, then decides what version each identity receives at runtime.

Traditional dynamic data masking

Masks the value at query time. The real value stays in plaintext.

1. Sensitive value at rest: The sensitive value is unprotected at rest.
2. Access request: A user, app, API, service account, or AI workflow requests the data.
3. Mask at presentation: The result is masked in the response that is returned.

Example

Stored value (in plaintext)

555-12-1234

Returned to user (masked result)

•••-••-1234

The underlying value may still be stored in plaintext and reachable through direct or privileged access.

Common challenges

  • Sensitive values may remain exposed underneath
  • Direct or privileged access can still reveal data
  • Controls often live at the presentation layer
  • Hard to apply consistently across every consumer

Ubiq Dynamic Data Masking for Protected Data

Protects the value, then reveals the right version at runtime.

1. Sensitive value at rest: The sensitive value is protected at rest.
2. Access request: A user, app, API, service account, or AI workflow requests the data.
3. Identity and policy decision: Ubiq evaluates identity, policy, application, and context at runtime.
4. Approved data outcome: Ubiq returns the appropriate protected or unprotected version: full, masked, tokenized, format-preserving, or another policy-approved protected representation.

Example

Protected at rest (encrypted or tokenized)

ENC(7C2A-9F4B-D108)

Runtime outcome by identity

  • Analyst: 555-12-1234
  • Support: •••-••-1234
  • BI tool: TOK-9F4B-D108

The underlying value stays protected, while each identity receives only the approved version.

Key benefits

  • Protect sensitive values underneath
  • Reveal the right version by identity and policy
  • Enforce least privilege at the data value level
  • Support full, masked, tokenized, or protected outcomes

The bottom line

Ubiq extends dynamic data masking into identity-governed data protection. Sensitive values stay protected at rest, and each access request receives a policy-approved data outcome.

Mask, tokenize, or encrypt the same field based on who or what is asking, without leaving the real value exposed.

What traditional dynamic data masking does not solve

Dynamic data masking limits who sees sensitive values in a query result or application view. But in most implementations the underlying value still sits in plaintext, and the control lives at the presentation layer. That leaves real exposure across the systems and identities that touch the data.

The real value stays in plaintext

Traditional masking changes the displayed result, but the original value often remains in cleartext at rest, available to anyone or anything that reaches it directly.

Presentation-layer controls miss direct access

Masking applied in an application or query view does not govern direct database access, admin queries, exports, replicas, logs, or backups.

Proxy-based masking changes the architecture

Many legacy masking tools sit between applications and databases as a proxy. That can require application or connection changes, introduce latency, add infrastructure to the data path, and force teams to rework how applications reach sensitive data.

One control rarely spans every consumer

Apps, APIs, service accounts, BI tools, notebooks, and AI workflows each reach the data differently, and consistent masking across all of them is hard to enforce.

Access is treated as all or nothing

Most masking decides only whether a value is shown or hidden, not which version each identity should receive based on role, context, and policy.

Ubiq does not require a masking proxy between the application and database. Ubiq protects the value itself and applies identity-governed policy at runtime through application, API, SDK, SQL UDF, and database and warehouse integration patterns.

How Ubiq works

Same sensitive data. Different identities. Different runtime outcomes.

Dynamic data masking protects the value. Ubiq evaluates the requesting identity, context, and policy at runtime, then returns only the masked, full, tokenized, or protected version that identity is authorized to see.

Access request

  • HR app
  • Support analyst
  • Analytics API
  • AI agent

Protected employee record

  • Employee ID: EMP-3X9Q-1182
  • Name: Maria Chen
  • Email: maria@acme.com
  • Salary: $142,800

Real-time evaluation

Ubiq: Identity, Context, Policy

Runtime data outcome

HR app: Cleartext

Authorized to process the full employee record

EMP-3X9Q-1182 | Maria Chen | maria@acme.com | $142,800

Support analyst: Masked

Needs to confirm the record, not read all fields

EMP-••••-1182 | Maria Chen | m••••@acme.com | $•••,•••

Analytics API: Tokenized

Authorized for analysis without exposing original identifiers

EMP-7K2M-4830 | Qenva Xltp | x7kq2m9p@t4v8x.com | $618,492

AI agent: Encrypted

Operates on ciphertext, never cleartext

9X2M-7K4Q-1182PX7K-9M2Q-3X8RA47F9C2B9E18D48F2A-C71B-4E09

Protected once. Resolved differently at runtime for each identity.
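
The difference between masking a view and protecting the value can be shown in a short sketch. This is an added example, not Ubiq's SDK or API: it uses simple vault tokenization as a stand-in for the at-rest protection, and every name in it (`protect`, `reveal`, `POLICY`, `VAULT`) is hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; constructed sample data.
TOKEN_KEY = secrets.token_bytes(32)  # in practice held in a KMS or HSM
VAULT = {}                           # token -> cleartext, kept apart from the table

def protect(value: str) -> str:
    """Tokenize before storage so the table never holds the cleartext."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest().upper()
    token = f"TOK-{digest[:4]}-{digest[4:8]}"  # truncated for readability only
    VAULT[token] = value
    return token

def mask(value: str) -> str:
    """Keep the last four characters, replace every other digit with a bullet."""
    head, tail = value[:-4], value[-4:]
    return "".join("•" if c.isdigit() else c for c in head) + tail

# Policy maps an identity to the outcome it is approved to receive.
POLICY = {"analyst": "full", "support": "masked", "bi_tool": "token"}

def reveal(stored: str, identity: str) -> str:
    """Resolve a stored token to the version this identity is approved for."""
    outcome = POLICY.get(identity, "token")  # unknown identities fail closed
    if outcome == "token":
        return stored                        # the vault is never consulted
    clear = VAULT[stored]
    return clear if outcome == "full" else mask(clear)

def direct_read(table: dict, row: str) -> str:
    """What a DBA, export, replica or backup sees: the raw stored cell."""
    return table[row]

# Traditional masking: cleartext at rest, masked only in the returned view.
PLAINTEXT_TABLE = {"row1": "555-12-1234"}
# Value-level protection: only the token is ever written to the table.
PROTECTED_TABLE = {"row1": protect("555-12-1234")}

if __name__ == "__main__":
    print("direct read, traditional:", direct_read(PLAINTEXT_TABLE, "row1"))
    print("direct read, protected:  ", direct_read(PROTECTED_TABLE, "row1"))
    for who in ("analyst", "support", "bi_tool", "dba"):
        print(f"{who:8} ->", reveal(PROTECTED_TABLE["row1"], who))
```

An identity missing from the policy, such as `dba` here, receives only the token, which is also all that a direct read of the protected table returns.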

Where teams use dynamic data masking

Dynamic data masking lets the same sensitive field return different versions to different identities. These are the workflows where it matters most.

Customer support

Let support reps confirm a record with a masked value while fraud teams and approved workflows receive the full value, all from the same protected field.

Analytics and BI

Return masked or tokenized values to dashboards, reports, and notebooks so analysts work with production data without unrestricted access to raw sensitive fields.

Databases and data warehouses

Enforce field-level and column-level outcomes at runtime, so different users, queries, apps, and service accounts hitting the same table receive different versions.

Dev, test, and lower environments

Serve statically masked or tokenized data to development, QA, and vendor workflows without exposing the original regulated values.

Insider threat and overprivileged access

Reduce the blast radius of broad DBA, admin, and service-account access by controlling what sensitive fields each identity can actually reveal.

AI, RAG, and agents

Support AI and retrieval workflows on enterprise data while keeping sensitive source fields protected and governed by identity, limiting plaintext exposure across prompts, vector stores, and agents.

Ubiq is built to fit your environment

Ubiq deploys inside your own environment and integrates where sensitive data already lives, so teams adopt it without heavy operational friction.

No masking proxy in the data path

Ubiq does not sit between your applications and databases as a proxy, so there is no new component to route sensitive traffic through and no proxy bottleneck to operate.

No database schema changes

Protect and reveal values without changing table schemas or rearchitecting how data is stored, where applicable.

No heavy rearchitecture

Integrate at applications, services, and API gateways without reworking how they reach sensitive data.

SDKs, APIs, SQL UDFs, and DB integrations

Deploy through a few lines of code, SQL UDFs, and native database and data warehouse integrations.

Works with your identity provider

Reuse your existing IAM so runtime decisions follow the identities you already manage.

Customer-managed keys

Bring your own HSM or KMS so key control stays with your team.

Frequently asked questions

What is dynamic data masking?

Dynamic data masking returns a different version of a sensitive value at runtime depending on who or what is requesting it. The same field can return the full value to one identity and a masked value to another, based on identity, context, and policy.

What is the difference between static and dynamic data masking?

Static data masking creates a permanently masked copy of the data for cases where the original should never be exposed, such as development, test, vendor, or analytics datasets. Dynamic data masking decides the outcome at runtime, so the same stored value can return different versions to different identities. Ubiq supports both patterns.

How is Ubiq different from traditional dynamic data masking?

Traditional dynamic data masking usually leaves the underlying value in plaintext and masks it only when it is displayed. Ubiq protects the value itself with encryption, tokenization, or format-preserving protection, then reveals the full, masked, tokenized, or protected version each identity is authorized to receive at runtime.

What runtime outcomes can Ubiq return for a masked field?

Based on identity and policy, Ubiq can return the full value, a partially masked value, a fully masked value, a tokenized value, a format-preserving protected value, or a redacted value. This enforces least privilege at the level of the data value, not just the system.

What should you look for in dynamic data masking software?

Most data masking tools only change what appears at the presentation layer and leave the real value in plaintext underneath. Look for software that protects the value itself with encryption, tokenization, or format-preserving protection, enforces outcomes consistently across applications, databases, warehouses, BI tools, and AI workflows, and decides what each identity receives at runtime based on policy. Ubiq is built around identity-governed runtime control rather than view-only masking.

Can Ubiq apply masking across databases, applications, and AI workflows?

Yes. Ubiq integrates through SDKs and APIs, SQL UDFs, and database and data warehouse integrations, so identity-governed masking applies consistently across applications, APIs, databases, warehouses, BI tools, and AI workflows.

Does Ubiq use format-preserving encryption for masking?

Where format compatibility matters, Ubiq can use format-preserving protection techniques so masked or protected values keep the structure that applications and databases expect. This is an implementation detail. The capability is identity-governed runtime control over what each identity can see and use.

Can teams use dynamic data masking for AI and RAG without exposing sensitive data?

Ubiq separates protection of sensitive source data from AI and vector computation. Sensitive records and identifiers stay protected and identity-governed, while AI and retrieval workflows operate on controlled derived representations. Identity and policy govern when source data is revealed, so teams reduce plaintext exposure across prompts, vector stores, and agents.

Reveal sensitive data only to the identities authorized to see it.