Manual PII scrubbing scripts are inconsistent, hard to audit, and impossible to prove. DataTamed masks personal data automatically at import — and generates the evidence your auditors actually need.
Non-production environments are the most common source of personal data exposure — and the hardest to audit after the fact.
Someone wrote a data scrubbing script in 2019. It covers the columns that existed then. Since then, twelve new tables have been added — nobody updated the script. Your test environment has customer phone numbers and addresses sitting in plain text.
Your ICO audit letter arrives. The auditor wants evidence that personal data hasn't reached your development and test environments. You know it's been masked — but you can't prove it. Institutional knowledge is not evidence.
GDPR Article 25 requires data protection by design and by default. Copying production data to a dev environment without masking isn't just a process failure — it's a potential Article 32 violation. "We trusted the developers" won't satisfy a regulator.
During every database import, DataTamed inspects the schema and data to identify personal information. It applies your configured masking strategy and records every action — before the database image is saved.
Preserve the format while obscuring the value — e.g. J*** S*** for names. Data remains structurally valid for testing.
Replace the value entirely with a [REDACTED] placeholder. Applied to IP addresses and physical addresses.
Set the column to NULL — the most conservative option for optional fields like date of birth, where even a redacted placeholder carries risk.
| Schema.Table | Column | PII Type | Strategy | Rows |
|---|---|---|---|---|
| dbo.Customers | LastName | Name | Partial | 12,841 |
| dbo.Customers | FirstName | Name | Partial | 12,841 |
| dbo.Customers | Partial | 12,841 | ||
| dbo.Customers | PhoneNumber | Phone | Partial | 12,841 |
| dbo.Customers | Address | Address | Redact | 12,841 |
| dbo.Customers | DateOfBirth | Date of Birth | Nullify | 12,841 |
| dbo.AuditLog | IpAddress | IP Address | Redact | 284,320 |
GDPR Article 25 requires data protection by design and by default. DataTamed makes that a product feature, not a policy aspiration.
DataTamed inspects schema metadata and data samples during every import. It identifies personal data without requiring a DBA to pre-configure which columns to mask. New columns added to production are detected on the next import automatically.
The Data Masking Report is your audit artefact. Every PII detection, column, masking strategy, and row count is logged. Filter by database, PII type, or date — then export to CSV, Excel, Word, or PDF for direct handover to your auditor or DPA.
DataTamed runs on your own infrastructure. No database files, backup files, schema metadata, or report data are ever transmitted to DataTamed or any third party. You maintain complete control — a requirement under GDPR Article 28 (data processors).
Personal data is detected and masked during the import process — before the database image is stored. This means no window exists where a developer could access an unmasked clone. The masked image is the only version that ever exists.
The Backup History Report records every backup job with agent, server, database, timestamp, and status. Combined with the Data Masking Report, you have complete data lineage from production backup to non-production environment — documented and exportable.
Masking happens at the image level, not the clone level. Every clone created from that image inherits the same masking — no risk of one team getting a masked clone and another getting an unmasked one. The image is the source of truth.
DataTamed is designed around the data protection requirements that apply to organisations processing personal data in the UK, EU, and beyond.
Automatic PII masking satisfies data minimisation and storage limitation principles. The masking audit log provides the documented evidence Article 5(2) accountability requires.
Article 25 (data protection by design) and Article 32 (appropriate technical measures) are addressed directly. Pseudonymisation is an automatic product feature, not a manual process.
Six PII categories are detected and masked. The exportable masking log provides the paper trail for demonstrating that personal information belonging to California residents was not exposed in non-production systems.
DataTamed supports data protection controls relevant to ISO 27001 Annex A.8. Self-hosting means no third-party data processor relationship to manage or document.
Start a 14-day free trial and generate your first Data Masking Report within the hour. No credit card required. A member of our team will be in touch within one business day.
We'll be in touch within one business day.