Secure Your Sandbox Data with Salesforce Data Mask

Note This content relates to Salesforce Data Mask. Read about Accelerate and Anonymize in Own from Salesforce.

Data Mask uses platform-native obfuscation technology to mask sensitive data in any full or partial sandboxes. When you mask sandbox data, you can’t unmask it. This irreversible process ensures that the data isn’t replicated in a readable or recognizable way into another environment. Your production data remains unaffected, so if you change your mind, you can always refresh the data from production and create a sandbox org.

Note Many Salesforce products mask data in different ways to help keep your data secure and compliant. Data Mask uses platform-native obfuscation technology to mask sensitive data in full or partial sandboxes.Data Masking masks select sensitive data types (such as PII or PCI) included in AI prompts in production orgs.

You can configure four different levels of masking, depending on the sensitivity of the data.

• Replace private data in your sandboxes with random characters.
• Replace private data with similarly mapped words.
• Replace private data using pattern-based masking.
• Delete sensitive data.

• Data Mask Considerations
  When running Data Mask in your sandbox, it’s important to understand how rules and records are handled.
• Supported Data Mask Types
  Data masking types are supported on these objects.
• Understand How Different Masking Types Work
  Data Mask uses different levels or types of masking to help keep your sensitive production data private in a sandbox. For example, you can replace sensitive data in your sandboxes with random characters or similarly mapped words, or eliminate it.
• Data Mask Best Practices
  We recommend that you mask fields that typically contain personally identifiable information (PII) or other sensitive data. These fields are a good place to start.
• Install the Managed Package in a Production Org
  Data Mask is a managed package that you install in your production org. You can run the masking process from any new sandbox created from the production org. To install and use Data Mask, you must enable certain features in your production org and specify user permissions. After you install the package, Salesforce automatically upgrades it with new features and bug fixes. Data Mask currently supports API version 50.0.
• Create or Edit a Data Mask Configuration
  You can configure the masking process in one of two ways. Configure it in production, then when a sandbox is created or refreshed, the configuration appears in the sandbox. Or, configure the masking process in an existing sandbox.
• Create Custom Libraries
  Create a custom library that’s separate from the predefined Data Mask libraries. Custom libraries can contain any string value, such as long text, integers, and non-English characters.
• Run a Data Mask Job
  While the Data Mask package can be installed and configured in your production org, data masking jobs only run in sandbox orgs. That way, the data in the production org isn’t accidentally masked. When the configuration is complete, you can mask your sandbox data. Run the mask each time you want to replace or delete the data in your sandbox. Or, set the mask to automatically run each time you refresh your sandbox.