Ultimaker places high value on privacy. The starting point for Ultimaker's approach on privacy and security are the risks that our customers are facing. When designing, developing and maintaining our products & services, Ultimaker takes all justifiable measures to prevent:
- loss of confidential information, like print files or personal data stored in Ultimaker systems
- business process interruption, using Ultimaker devices or applications as a stepping stone into customer systems and infrastructure
- reduction of print quality, affecting customer processes that rely on parts printed via Ultimaker systems
- unauthorized usage of customer data, products and services
In this article:
- Security assets
- Ultimaker Digital Factory security
- Ultimaker Printers
Ultimaker distinguishes three major assets in security:
- Ultimaker Printers
- Ultimaker Cura
- Ultimaker Digital Factory
For each of these assets you will find a separate section with specific security details in this document.
ISO/IEC 27001 is starting point for managing security risks. Work is in progress to deploy an Information Risk Management System (ISMS) and have this externally certified late 2021.
ISA/IEC 62443-4-2 is guideline for securing our printers and related software services. This industrial security standard defines specific requirements to mitigate customers risks.
For those cases where we might not meet all ISA/IEC 62443-4-2 requirements or customer specific security requirements and where reasonably possible we will support our customers to take additional measures to meet their security requirements.
Third party security assessments
Products & services are assessed by a third party to validate if the result of our design, development and maintenance efforts adequately mitigate privacy and security risks. Security assessments are conducted on a recurring basis, at least every six months.
The goal of this assessment is to identify potential vulnerabilities in Ultimaker software and services, and to provide advice for addressing any potential weaknesses.
Any suggested resolutions – as a result of an assessment- are implemented, at least for those marked as 'medium' and higher, and also those marked as 'low' that are easy to implement.
Exception is for encryption of the local connection between Ultimaker Cura and printers, customers are recommended to use Ultimaker Cloud to secure the connection between Ultimaker Cura and printers.
At Ultimaker, we consider security of our Cloud platform a top priority. No matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, please let us know as soon as possible via email@example.com. Please do not take advantage of the vulnerability and do not reveal the problem to others. To allow us to resolve the issue, please do provide us with sufficient information to reproduce the problem.
Ultimaker Digital Factory security
Ultimaker Cloud contains user-submitted information across several services. These services support functionality in Ultimaker Cura, Ultimaker Connect and other products.
Information submitted to Ultimaker Cloud is kept private and will be shared with Ultimaker or trusted third parties only after the user gives explicit consent. More information can be found in the chapters about data sharing and classification.
Information submitted to Ultimaker Cloud is encrypted in transit and at rest. More information can be found in the chapters about network and data center security.
Ultimaker Cloud hosts separate types of information: public, private, and private until consent is given.
- Public information refers to information like your username, which is publicly visible to other users when using services like the Ultimaker Marketplace and Ultimaker Community
- Private information refers to information such as your email address, password, or usage patterns. This information is not shared with other parties
- Private until consent is given applies to data being shared with third parties that integrate with the Ultimaker Cloud by means of OAuth 2.0. Prior to giving consent users will be presented with a screen that explains which data they are sharing and who they are sharing it with
Ultimaker differentiates between product and process data. Product data is related to the printed object and process data is related to the process of printing this object. Ultimaker services are designed in such a way that the two data types are processed separately and independently from each other. This means that customers can choose to only upload process data to Ultimaker Cloud and keep their product data on-premise.
All cloud-based data, including, but not limited to 3D files, G-code, Ultimaker Connect group statuses, and Ultimaker Marketplace source files, use HTTPS (TLS 1.2) connections with industry standard 2048-bit RSA encryption. You can find a full report here.
Note: Connections between workstations running Ultimaker Cura and Ultimaker Connect within a local area network are not encrypted.
Data center security
Ultimaker Cloud stores its data on the Google Cloud Platform (GCP). With GCP the data is stored redundantly across multiple devices, across multiple environmentally controlled facilities. These facilities use multiple levels of biometric security for physical access, as well as full encryption and sharding of all data at rest. All Ultimaker Cloud data centers are in the European Union.
Note: Ultimaker does not use any consumer services from Google and has contracts in place to ensure all Ultimaker data are kept private. Ultimaker uses the Virtual Private Cloud (VPC) functionality of GCP to segregate all network traffic. More details about security and privacy at Google Cloud can be found here.
Ultimaker Cloud inherits the reliability of Google Cloud. More details can be found here. In addition data is backed up every three hours, encrypted and stored offline. In the unlikely event of data loss Ultimaker will be able to recover the data accordingly. Restore is tested on a regular basis when changes with major impact are deployed that can not be reverted (and restore is required)
Note: Backup is not available for any data intentionally deleted. Once you have deleted your data this cannot be recovered.
Ultimaker cloud applications and services are subject to continuous maintenance and automated security testing. These procedures ensure data center software is up-to-date, application dependencies are up-to-date and scanned for known vulnerabilities and exploits.
Ultimaker grants access to data stored in the cloud by using the “principle of least privilege” through appropriate access control roles on a “need to know” basis. Sensitive information is redacted in application logging to ensure engineers cannot get access to this information.
Application code has been reviewed by at least one other engineer than the original author to ensure quality and lack of vulnerabilities. Furthermore, automated deployments prevent engineers from running application software manually in production without going via the proper processes.
Cancelling your account
If an Ultimaker account is canceled, the account’s data will be deleted as part of the cancelation process. If you wish to migrate or download your data, you can arrange for this service prior to cancelation. Deleted data is unrecoverable by design.
For more detailed information about security in the Ultimaker Cloud, or to cancel your account contact us at any time by submitting a request.
Ultimaker Printer security
We distinguish two levels of security with corresponding measures: Cloud Connected and Local (please also refer to picture below). Per firmware version 6.0 (for S line printers only) the security level can by managed by enabling or disabling the firewall via the local GUI or via Digital Factory and behind additional authorisation (for customers with a software subscription only).
Cloud Connected (firewall enabled)
- Encrypted connection (outgoing only) via web socket between Ultimaker printer / Cura Desktop software and Ultimaker Digital Factory
- Ultimaker Digital Factory and printer access only for authorized users (via Teams in Digital Factory)
Local (firewall disabled)
- No internet connection required for printing
- Unencrypted connection between Cura Desktop software and Ultimaker printer
- Any user in same network segment can access Ultimaker printer