Ultimaker security

Ultimaker places a high value on privacy. The starting point for Ultimaker's approach to privacy and security are the risks that our customers are facing. When designing, developing, and maintaining our products & services, Ultimaker takes all justifiable measures to prevent:

  • Loss of confidential information, like print files or personal data stored in Ultimaker systems
  • Business process interruption, using Ultimaker devices or applications as a stepping stone into customer systems and infrastructure
  • Reduction of print quality, affecting customer processes that rely on parts printed via Ultimaker systems
  • Unauthorized usage of customer data, products, and services

In this article:

Related articles:

Security assets

Ultimaker distinguishes three major assets in security:

  • Ultimaker Digital Factory
  • Ultimaker Cura
  • Ultimaker Printers

For each of these assets, you will find a separate section with specific security details in this document.



ISO/IEC 27001 is the starting point for managing security risks. We have deployed an Information Risk Management System (ISMS) and this was externally certified late 2021. More details are available on request.

ISA/IEC 62443-4-2 is a guideline for securing our printers and related software services. This industrial security standard defines specific requirements to mitigate customers' risks.

For those cases where we might not meet all ISA/IEC 62443-4-2 requirements or customer-specific security requirements and where reasonably possible we will support our customers to take additional measures to meet their security requirements.

Third-party security assessments

Products & services are assessed by a third party to validate if the result of our design, development, and maintenance efforts adequately mitigate privacy and security risks. Security assessments are conducted on a recurring basis, at least every six months.

The goal of this assessment is to identify potential vulnerabilities in Ultimaker software and services, and to provide advice for addressing any potential weaknesses.

Any suggested resolutions – as a result of an assessment- are implemented, at least for those marked as 'medium' and higher, and also those marked as 'low' that are easy to implement.

Known vulnerabilities

There are known vulnerabilities for the connection between Ultimaker Cura and printers directly over the local network – please note these vulnerabilities are by design and will not be resolved

  • The local connection is not encrypted, customers are recommended to use Ultimaker Digital Factory to secure the connection between Ultimaker Cura and printers and activate the firewall
  • There is no authorization in place. Anyone with access to the same network segment can access the printer web server and APIs. Customers are recommended to use Ultimaker Digital Factory and activate the firewall if only authorized users should access the printer. As an alternative customers might also apply local mitigation to limit printer access

A similar recommendation applies to https://www.cve.org/CVERecord?id=CVE-2021-34086 and https://www.cve.org/CVERecord?id=CVE-2021-34087. Customers using Ultimaker Digital Factory and with an active firewall on the printer are not exposed to these vulnerabilities. Customers might also apply local mitigation to limit printer access. At any time customers should not expose Ultimaker printers to the public internet. Please note that Ultimaker does not have the intention to resolve these vulnerabilities as the risk is limited, the effort required to resolve is significant, and mitigation is in place.

General disclosure

At Ultimaker, we consider the security of our Cloud platform a top priority. No matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, please let us know as soon as possible via security@ultimaker.com. Please do not take advantage of the vulnerability and do not reveal the problem to others. To allow us to resolve the issue, please do provide us with sufficient information to reproduce the problem.

Ultimaker Digital Factory security

Ultimaker Digital Factory contains user-submitted information across several services. These services support functionality in Ultimaker Cura, Ultimaker Digital Factory, and other cloud products.

Information submitted to Ultimaker Cloud is kept private and will be shared with Ultimaker or trusted third parties only after the user gives explicit consent. More information can be found in the chapters about data sharing and classification.

Information submitted to Ultimaker Cloud is encrypted in transit and at rest. More information can be found in the chapters about network and data center security.

Data sharing

Ultimaker Cloud hosts separate types of information: public, private, and private until consent is given.

  • Public information refers to information like your username, which is publicly visible to other users when using services like the Ultimaker Marketplace and Ultimaker Community
  • Private information refers to information such as your email address, password, or usage patterns. This information is not shared with other parties
  • Private until consent is given applies to data being shared with third parties that integrate with the Ultimaker Cloud by means of OAuth 2.0. Prior to giving consent users will be presented with a screen that explains which data they are sharing and who they are sharing it with

More details about how Ultimaker handles customer data and privacy can be found in the Ultimaker privacy policy.

Data classification

Ultimaker differentiates between product and process data. Product data is related to the printed object and process data is related to the process of printing this object. Ultimaker services are designed in such a way that the two data types are processed separately and independently from each other. This means that customers can choose to only upload process data to Ultimaker Cloud and keep their product data on-premise.

Network security

All cloud-based data, including, but not limited to 3D files, G-code, Ultimaker Connect group statuses, and Ultimaker Marketplace source files, use HTTPS (TLS 1.2) connections with industry-standard 2048-bit RSA encryption. You can find a full report here.

Note: Connections between workstations running Ultimaker Cura and Ultimaker Connect within a local area network are not encrypted.

Data center security

Ultimaker Cloud stores its data on the Google Cloud Platform (GCP). With GCP the data is stored redundantly across multiple devices, across multiple environmentally controlled facilities. These facilities use multiple levels of biometric security for physical access, as well as full encryption and sharding of all data at rest. All Ultimaker Cloud data centers are in the European Union.

Note: Ultimaker does not use any consumer services from Google and has contracts in place to ensure all Ultimaker data are kept private. Ultimaker uses the Virtual Private Cloud (VPC) functionality of GCP to segregate all network traffic. More details about security and privacy at Google Cloud can be found here.


Ultimaker Cloud inherits the reliability of Google Cloud. More details can be found here. In addition, data is backed up every three hours, encrypted, and stored offline. In the unlikely event of data loss, Ultimaker will be able to recover the data accordingly. Restore is tested on a regular basis when changes with a major impact are deployed that can not be reverted (and restore is required)

Note: Backup is not available for any data intentionally deleted. Once you have deleted your data this cannot be recovered.

Application security

Ultimaker cloud applications and services are subject to continuous maintenance and automated security testing. These procedures ensure data center software is up-to-date, application dependencies are up-to-date, and scanned for known vulnerabilities and exploits.

Internal controls

Ultimaker grants access to data stored in the cloud by using the “principle of least privilege” through appropriate access control roles on a “need to know” basis. Sensitive information is redacted in application logging to ensure engineers cannot get access to this information.

Application code has been reviewed by at least one other engineer than the original author to ensure quality and lack of vulnerabilities. Furthermore, automated deployments prevent engineers from running application software manually in production without going via the proper processes.

Canceling your account

If an Ultimaker account is canceled, the account’s data will be deleted as part of the cancelation process. If you wish to migrate or download your data, you can arrange for this service prior to cancelation. Deleted data is unrecoverable by design.

For more detailed information about security in the Ultimaker Cloud, or to cancel your account contact us at any time by submitting a request.

Ultimaker Cura security

Ultimaker Cura is our slicing software. It is available in two variants:

  • Regular (or Open) Ultimaker Cura: Publicly available via ultimaker.com
  • Ultimaker Cura Enterprise: Available for businesses with a paid software subscription - either Ultimaker Essentials, Professional, or Excellence.

Ultimaker Cura and Enterprise security

Ultimaker Cura Enterprise offers slicing features and security similar to the open Cura, but provides also business-specific needs:

    • Cura Enterprise can be deployed, configured, and managed across multiple workstations. Currently, it is provided in .msi format, for Microsoft Windows only.
    • Ultimaker Cura Enterprise receives two updates a year. These are thoroughly tested by our community and ensure the most stable desktop application. We support updates for 12 months after release, including security patches and critical bug fixes.
    • Each release of Cura Enterprise is independently scanned, tested, and analyzed for vulnerabilities.
    • In Cura Enterprise, the marketplace is only available after authentication and authorization via your Ultimaker account.
    • The marketplace of Ultimaker Cura Enterprise contains only validated, security-assessed plugins
    • Cura Enterprise fully integrates with the Ultimaker Digital Factory, only after authentication and authorization via the Ultimaker Account.

For these reasons, Ultimaker Cura Enterprise is the preferred version from a security perspective. Each release is security assessed, and actions are taken according to the risk profile.

Both Cura variants can be used completely offline if this is your preference - with the exception of downloading plugins that you may need to meet your specific requirements.

Ultimaker Printer security

Security levels

We distinguish two levels of security with corresponding measures: Cloud Connected and Local (please also refer to the picture below). Per firmware version 6.0 (for S line printers only) the security level can be managed by enabling or disabling the firewall via the local GUI or via Digital Factory and behind additional authorization (for customers with a software subscription only).

Cloud Connected (firewall enabled) 

  • Encrypted connection (outgoing only) via web socket between Ultimaker printer / Cura Desktop software and Ultimaker Digital Factory
  • Ultimaker Digital Factory and printer access only for authorized users (via Teams in Digital Factory)

Local (firewall disabled) 

  • No internet connection is required for printing 
  • Unencrypted connection between Cura Desktop software and Ultimaker printer
  • Any user in the same network segment can access the Ultimaker printer
Was this article helpful?
13 out of 17 found this helpful



Article is closed for comments.