Skip to main content

UID2 Private Operator Integration Overview

UID2 participants that host their own Private Operator send their own first-party directly identifying information (DII) to their own, local UID2 Operator service, running in a private environment.

A Private Operator runs in an enclave—a virtual machine with additional security features to prevent unauthorized access, so that unauthorized individuals cannot download any configuration information or data from the virtual machine.

Becoming a Private Operator includes several additional steps, and uses resources that the participant must provide.

Learn about what the UID2 framework offers for Private Operators, including benefits, hosting options, documentation and other resources, and how to get started.

note

This page is about Private Operators. For information about Public Operators, or if you're not sure what the difference is or what an Operator is, see The UID2 Operator.

Private Operator Benefits

Here are some of the intended benefits of participating in UID2 as a Private Operator:

  • You can maintain privacy-conscious workflows for your customer data to be encrypted and activated across chosen partners.

  • You can participate in UID2 using your own first-party directly identifying information (DII) without sharing it.

    Within a Private Operator solution, DII does not leave your infrastructure.

  • You have full control of resources, performance, and latency for UID2. For example:

    • You can provide greater availability, without rate limitations.
    • If you are not physically located near to a Public Operator instance, you might choose to host a Private Operator solution for latency reasons.
  • You can plan to minimize network hops with a service that can provide regional proximity.

  • You can implement processes and policies that you control, as opposed to taking part in a shared service.

If you have significant latency concerns, or your security requirements dictate that data stays within your systems, and you also have extensive engineering resources to both build and maintain your UID2 implementation, you might consider the Private Operator solution.

Private Operator Requirements

The participant must host, configure, maintain, and update the Private Operator instance, and must conform to strict security measures. Engineering resources are required to integrate and to make ongoing updates.

The participant must sign a contract (see Account Setup) to host a Private Operator instance.

note

A Private Operator has no visibility into the raw UID2s or UID2 tokens processed by a Public Operator or another Private Operator. Each Private Operator is isolated from all other Operators.

Hosting Options for Private Operators

If you choose to be a Private Operator, several implementation options are available. UID2 supports hosting UID2 in an enclave on the following cloud service providers (medium level of effort to implement):

Private Operator Workflow

The basic workflow for a Private Operator is as follows:

  1. On startup, the Private Operator goes through an attestation process with the Core service. The attestation process verifies that the Operator is running in a secure trusted execution environment (TEE), and that the environment hasn't been tampered with.

  2. When the Operator passes the attestation process, the Core service gives the Private Operator secure S3 URLs for retrieving the information it needs for startup.

  3. The Private Operator retrieves the security information from Amazon S3 that it needs to process UID2s, such as salts, encryption keys, and user opt-out records. For security details, see Private Operator Security.

  4. If an Operator is restarted, it goes through the attestation process again, and retrieves a fresh set of security information.

  5. The Operator re-attests periodically with the Core service to ensure that it is still running in a protected environment. If attestation fails, the Operator shuts down.

Private Operator Security

Each supported Private Operator implementation must meet rigorous security standards. Some security points include:

  • The Private Operator runs in a hardware-based trusted execution environment (TEE) hosted by one of the supported cloud providers listed in Hosting Options for Private Operators.
  • The Private Operator must complete an attestation process before accessing the information needed to process UID2s.
  • The information on S3 is encrypted at rest and also encrypted in transit through TLS. In addition, access is limited to only correctly authorized and attested Private Operators.
  • The information retrieved at startup is not stored locally at any point. It is only ever held in memory, and the Private Operator is running in a protected environment that makes it difficult for anyone running the Operator (such as an Administrator), as well as any external players, to see the data that's in memory.
  • The Private Operator never stores DII that is sent for processing (email addresses and/or phone numbers). The data is only used within the enclave, to generate UID2s, and is discarded immediately after processing.

Private Operator Limitations

There are a couple of limitations to Private Operator functionality:

  • Private Operators do not currently support client-side integration.
  • Private Operator updates are released three times per year; Public Operator updates are released on a more frequent cadence.

Getting Started

To get started as a Private Operator, follow these steps:

  1. Request access to UID2 by filling out the form on the Request Access page.

  2. Decide which implementation option you want to use.

    For details about available options, see Hosting Options for Private Operators.

  3. If you're using an SDK, download the SDK. Refer to the applicable SDK guide.

  4. Follow the instructions in the implementation guide for the option you chose.

    note

    Be sure to encrypt request messages to UID2. For details, see Encrypting Requests and Decrypting Responses.

  5. Test.

  6. Go live.

Implementation Resources

The following documentation resources are available for Private Operators to implement UID2.

There is no functional difference between the Private Operator versions.

Integration TypeDocumentationContent Description
AWSUID2 Private Operator for AWS Integration GuideInstructions for setting up a Private Operator service for AWS Marketplace.
GCP Confidential SpaceUID2 Private Operator for GCP Integration GuideInformation for setting up the UID2 Operator Service in Confidential Space, a confidential computing option from Google Cloud Platform.
AzureUID2 Private Operator for Azure Integration GuideInstructions for setting up the UID2 Operator Service in an instance of Confidential Containers, a confidential computing option from Microsoft Azure.