Skip to content

Vuforia Engine Data Security

In this article, we summarize the security implementations that we enforce to securely send and store data used by Vuforia Engine.

Vuforia Engine and supporting cloud services are SOC 2 Type 2 attested, and undergo regular rigorous penetration testing and vulnerability scanning.

Statistical Data

Applications using the Vuforia Engine SDK communicate basic statistical data to PTC Inc at runtime. These include:

  • Device information.
  • Vuforia Engine version and license check.
  • Application information and Vuforia Engine lifecycle events.

For a complete list, please see Vuforia Statistics.

Communication with the Cloud

The Vuforia Engine SDK, during runtime, does not send Content (defined in the Vuforia Engine Developer Agreement) to the cloud, but may send some analytics and statistics as outlined on this page: https://developer.vuforia.com/legal/statistics.

However, if the Cloud Image Recognition and/or Web API service(s) are used by the SDK, then some Content may be sent to our cloud services, as outlined below.

Some Engine tools, such as the Model Target Generator, Area Target Generator, and during Area Target capture with the Vuforia Creator App, as well as web APIs, may send Content to Vuforia servers as requested by the user for performing certain actions. See the Data Transfer and Retention table below for details.

Authentication

Authentication to the Developer Portal and the Vuforia Web Services API relies on either OAuth2 or OAuth 1.0a-like flows, depending on the feature. See Vuforia Web API Authentication for authentication methods.

Encryption

Data in Transit

All data exchanged with the Vuforia Cloud services is encrypted using HTTPS with Transport Layer Security (TLS) 1.2 or greater.

Data at Rest

Personal Information is stored in AWS RDS (Amazon Web Services -- Relational Database Service) and encrypted. For more information about what personal data is captured, see PTC's Privacy Policy.

Cloud Image Recognition and the Vuforia Developer Portal use Amazon S3 (Simple Storage Service) non-public buckets for storing images, and metadata is stored in Amazon DynamoDB. All cloud components are monitored and secured in Amazon VPCs.

Data Transfer and Retention

Analytics and usage data listed in the Vuforia Statistics page is not considered sensitive and may be collected by one or more Engine tool, SDK, Web Application or Web API as outlined in the statistics document.

Customer "Content" is defined in the Vuforia Engine Developer Agreement and includes any data Customer uploads to Cloud Image Recognition or other Engine services. For the avoidance of doubt, it does not contain data outlined in the Vuforia Statistics page.

Client Feature Customer Data transferred Customer Data retention Storage Region

Engine SDK

 Applications running on the end-user's device may send below listed Vuforia Engine SDK data during runtime, depending on the type of features the application is implementing.
Model Target tracking - - -
Area Target tracking - - -
Area Target Capture API - - -
Instant Image Targets - - -
Device Image Targets (device databases) - - -
VuMarks - - -
Barcode Scanner - - -
Ground Plane - - -
Cloud Image Targets Camera frames are sent to the Engine Cloud recognition service for querying against the reference Image Targets 3 days US or EU or AP depending on query location

Target Manager


(Vuforia Engine Developer Portal)		 Assets are uploaded to the Vuforia Cloud for database creation. Databases are then downloaded and incorporated into the app at development time.
Device Image Targets (device databases) Images are sent to the cloud dataset creation and retrieval Until deletion US
Cloud Image Targets Reference images and their metadata are sent to the cloud for indexing and retrieval Until deletion US and EU and AP
VuMarks Vumark templates and instances are sent and stored in the Engine Cloud Until deletion US

Unity Extension
Same as Engine SDK

VuMarks designer
VuMarks - - -

Model Target Generator
Standard Model Targets - - -
Advanced Model Targets The 3D Model is sent to the cloud for training 24 hours (*) EU
Simplification The 3D Model is sent to the cloud for simplification 24 hours (*) EU
Model Conversion - - -
Model Coloring - - -

Area Target Generator
Area Targets - - -

Vuforia Creator App
Area Target Capture - - -

Web API
Cloud Area Targets The 3D scan data is sent to the cloud for dataset generation and retrieval. Streaming assets are cached in regional CDN for 1 hour Until deletion US
Cloud Targets Reference images and their metadata are sent to the cloud for indexing and retrieval Until deletion US and EU and AP
Cloud Query Query images are sent to the Engine Cloud recognition service for querying against the reference Image Targets 3 days US or EU or AP depending on query location
VuMarks VuMark templates and instances are sent and stored in the Engine Cloud Until deletion US
Advanced Model Targets The 3D Model is sent to the cloud for training and dataset generation 24 hours (**) EU
Standard Model Targets The 3D Model is sent to the cloud for dataset generation 24 hours (**) EU

(*) Unless the opt-in "share data" setting is enabled. See Model Target Generator Data Processing.

(**) Unless the opt-in "preserveCadModel" request parameter is enabled. See Web API Reference Library.

Enterprise Firewall Configuration

Engine Services and tools communicate via HTTPS to Vuforia Engine Cloud hosts with dynamic IPs that may be blocked by firewall and security settings.

To unblock, whitelist *.vuforia.com in your settings.

For a list of the exact URLs that must be accessible through your company's firewall in order to communicate with Vuforia Web Services, please contact support at vuforia-feedback@ptc.com.

Other Resources

Vuforia Engine Developer Portal

Model Targets and CAD data:

Area Targets and scan data:

Other Vuforia products

Vuforia Instruct and Expert Capture:

Vuforia Studio and View:

Vuforia Vantage

Vuforia Chalk

For general questions and guidelines: