What is sensitive data?
Many customers must ensure that confidential or sensitive data remains within their production tenant during operations such as tenant refreshes or exports. This is a critical compliance requirement, particularly when individuals working in Development or Test environments may not have the necessary permissions to access this sensitive information.
By default, any data marked as sensitive will be obfuscated (masked) during a tenant refresh.
What data can be marked as sensitive?
To achieve this goal, clients now have the ability to flag fields as sensitive at the object level. The following field types can be marked as sensitive:
- Text
- Multiline Text
- Rich Text
- Number
- Decimal
- Currency
- DateTime
- Date
- Time
- Yes/No
Additionally, special consideration has been given to the Person object. The following fields for Person are marked as sensitive by default:
- Name
- Address 1
- Address 2
- Address 3
- Business Email
- Business Phone
- Direct Phone
- First Name
- Last Name
- Mobile Phone
- Personal Email
How can fields be flagged as sensitive?
Fields are flagged as sensitive in the properties of the object itself. This can be done by modifying a form based on the object, or by using the application toolbox. (Refer to this guide for more details on the application toolbox.)
- Open a form for the desired object in builder mode.
- Navigate to the field to be configured.
- Click the configuration icon.
- In the properties dialog, expand Options and click Object Detail.
- Check the box labelled Sensitive.
- Click OK to close the properties dialog.
- Repeat the process to mark further fields as sensitive, if required.
- Remember to save the form. This saves both the form and the object itself.
What happens to sensitive data during the obfuscation process?
The method of data obfuscation varies depending on the type of field. Below are the details for each field type:
- Text, Multiline Text, and Rich Text Fields: The existing data will be transformed into a hashed string using the SHA2_256 hashing algorithm. Please note that the length of the hashed string will differ from the original string. Any defined minimum and maximum values for these fields will be disregarded during this process.
- Number, Decimal, and Currency Fields: If a minimum value is specified for the field, the obfuscation process will set the new value to this minimum. If no minimum value is defined, the new value will default to 0.
- Date and DateTime Fields: For fields with a defined minimum value, the new value will be set to this minimum. If no minimum is specified, the date will default to January 1, 1753.
- Time Field: For a time field with a defined minimum value, the new value will be set to this minimum. If no minimum is specified, the time will be set to midnight.
- Yes/No Fields: The value will be replaced with a randomly generated Boolean.
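The rules above, applied to one record, as an added sketch that is not the product's own code. The function names, sample schema and record are hypothetical, and it assumes UTF-8 text, hex-encoded unsalted hashes and a midnight time part on the DateTime default, none of which the page specifies.

```python
import hashlib
import secrets
from datetime import date, datetime, time

TEXT_TYPES = {"Text", "Multiline Text", "Rich Text"}
# Values used when a field has no minimum defined.
DEFAULTS = {
    "Number": 0, "Decimal": 0, "Currency": 0,
    "Date": date(1753, 1, 1),
    "DateTime": datetime(1753, 1, 1),  # assumption: midnight time part
    "Time": time(0, 0),                # midnight
}


def obfuscate(field_type, value, minimum=None):
    """Mask one sensitive value according to its field type."""
    if field_type in TEXT_TYPES:
        # Assumption: UTF-8 in, hex out, no salt. Always 64 characters,
        # so any min/max length defined on the field is disregarded.
        return hashlib.sha256(str(value).encode("utf-8")).hexdigest()
    if field_type == "Yes/No":
        return secrets.choice([True, False])
    if field_type in DEFAULTS:
        return minimum if minimum is not None else DEFAULTS[field_type]
    raise ValueError(f"not a maskable field type: {field_type}")


def obfuscate_record(schema, record):
    """schema maps field name -> (field type, minimum or None, sensitive flag)."""
    masked = {}
    for name, value in record.items():
        field_type, minimum, sensitive = schema[name]
        masked[name] = obfuscate(field_type, value, minimum) if sensitive else value
    return masked


# Constructed sample object definition and record (hypothetical names).
SCHEMA = {
    "Last Name": ("Text", None, True),
    "Salary": ("Currency", 100, True),
    "Start Date": ("Date", None, True),
    "Active": ("Yes/No", None, True),
    "Department": ("Text", None, False),
}
RECORD = {"Last Name": "Example", "Salary": 52000, "Start Date": date(2021, 3, 1),
          "Active": True, "Department": "Finance"}

if __name__ == "__main__":
    print(obfuscate_record(SCHEMA, RECORD))
```

Under these assumptions a short text value grows to 64 characters, so any downstream column or validation sized for the original field length needs to accommodate the masked value.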
Ensuring Irreversibility
To further safeguard sensitive data, the obfuscation process is designed to be irreversible. We do not retain any lookup tables, reference mappings, or encryption keys that could be used to re-identify or reconstruct the original data. Each value is fully randomized or replaced according to the field type, with no persistent relationship to the original content. This approach ensures that once obfuscated, the data cannot be traced back to its source — providing strong assurance against re-identification.
Anything else I should know?
Marking a field as sensitive in a parent object will mark the field as sensitive for any child object, as expected with object inheritance. (More information on object inheritance can be found here.)
Sensitive data will be obfuscated (masked) by default during any operations that involve copying or exporting data from a production tenant. This option can be disabled upon request. If you prefer that your data not be obfuscated du