Every time you refresh a Salesforce sandbox from production, customer data comes with it. Names, email addresses, phone numbers, account details — all copied verbatim into a development environment that typically has weaker access controls, is shared across teams, and may be accessible to contractors or offshore staff. Without masking, your sandbox is a compliance liability sitting next to your development workflow.
MaskEzee solves this as a single post-refresh operation. It runs after the sandbox refresh completes, replaces all configured PII fields with format-valid synthetic values, and ensures referential consistency across related records. Developers get realistic data shapes, volumes, and relationships — without a single real customer record.
The Problem with Unmasked Sandbox Refreshes
Salesforce does not mask data during refresh by default. A partial sandbox refresh copies a representative sample of production records — including every field Salesforce replicates for that sandbox type. A full sandbox refresh copies everything. Developer sandboxes seeded from production carry the same risk.
The consequence is predictable: your QA team is running test scripts against real email addresses. Your developers are debugging with actual customer phone numbers visible in the record detail page. Integration tests are firing against real names. None of this is a security posture any DPO would approve — and under GDPR and UK GDPR, the fact that an environment is labelled "non-production" is not a legal exemption for processing personal data.
The compliance gap: The window between sandbox refresh completion and masking completion is a period of live PII exposure in a non-production environment. MaskEzee closes that window by running automatically as part of the refresh pipeline — no manual trigger required.
How MaskEzee Works
MaskEzee is a native Salesforce application that runs as an Apex batch process in the target sandbox immediately after refresh. No external servers, no data leaving Salesforce infrastructure, no third-party data transfer.
Configure masking rules in production
Define which fields on which objects should be masked. Standard PII fields (Contact email, name, phone, address) are pre-configured. Custom fields and objects are added through the MaskEzee configuration interface — field-by-field, with the masking strategy selected for each.
Refresh the sandbox as normal
Trigger the sandbox refresh through Salesforce Setup. MaskEzee's configuration is included in the sandbox metadata and arrives in the refreshed environment automatically. No re-configuration required in the sandbox after each refresh.
MaskEzee runs the post-refresh batch
Once the sandbox is active, MaskEzee's batch process starts. It processes records in configurable batch sizes (default 200 per batch, aligned with Salesforce governor limits). For each record, PII fields are replaced with format-valid synthetic values. The mapping is not retained — the replacement is one-way.
Referential integrity is maintained
If a Contact email address appears in a related Case, a junction record, or a custom object lookup, all instances receive the same replacement value. This ensures that data relationships remain functional for integration tests and automated workflows, even though no value is real.
Sandbox is cleared for access
When the batch completes, MaskEzee posts a completion notification via the configured channel (Slack, email, or Chatter). Developers and testers can then access the sandbox — no manual review or spot-check required before access is granted.
Masking Strategies by Field Type
MaskEzee applies different replacement strategies depending on the field type and the data sensitivity profile configured for each field.
| Field Type | Masking Strategy | Example Output |
|---|---|---|
| Format-valid synthetic email | test.a7f2b@maskezee.invalid | |
| Phone | Locale-matched digit pattern | +44 7700 900XXX (UK format) |
| First / Last Name | Random from synthetic name pool | Alex Thornton, Sam Rivers |
| Address (street) | Synthetic address, valid postcode format | 14 Test Lane, M1 1AA |
| Account Name | Prefixed original or random name | [MASKED] Original Corp |
| Custom Text | Configurable: redact, randomise, or prefix | REDACTED or [MASKED] original value |
| Custom Number | Range-preserving random within configured bounds | Value in same numeric range |
What MaskEzee Does Not Change
Masking should not break your sandbox. MaskEzee is designed to leave everything non-PII untouched:
- Record IDs and relationships — all lookups, master-detail links, and junction records are preserved as-is
- Dates and timestamps — CreatedDate, LastModifiedDate, and custom date fields are not altered unless explicitly included in masking rules
- Status and picklist fields — workflow state, case status, opportunity stage — untouched
- Numeric business data — opportunity amounts, account revenue, custom metrics — untouched unless in a configured custom field
- Record counts and data volume — masking replaces values, it does not delete records. The data shape and volume your tests rely on are preserved.
Running MaskEzee on Large Sandboxes
Full sandboxes can contain tens of millions of Contact records. MaskEzee handles this through configurable Apex batch processing with governor-limit-aware sizing. By default, the batch processes 200 records per execution. For extremely large datasets, the batch size can be reduced further or the job can be split across multiple scheduled runs.
The batch framework is asynchronous — it does not consume synchronous transaction time and does not interfere with other sandbox activity while running. Progress is logged to the MaskEzee Status object in the sandbox and can be monitored through the Apex Jobs page.
Compliance Notes
MaskEzee's output constitutes pseudonymised data under GDPR Article 4(5). The original PII has been replaced with non-identifying values, and the replacement mapping is not retained in the sandbox. This significantly reduces the risk profile of sandbox access and reduces the legal basis requirements for who can access the environment.
For teams that require full anonymisation — where GDPR no longer applies to the data at all — MaskEzee's one-way replacement mode stores no mapping and creates no path back to the original value. Confirm the appropriate treatment with your Data Protection Officer based on your organisation's data processing register.
MaskEzee does not transfer any data outside Salesforce infrastructure. All processing is native Apex, running inside the sandbox org. No data is sent to external endpoints, no cloud function is invoked, and no intermediate file is created outside the org.
Getting Started with MaskEzee
MaskEzee is available from CloudEzee Technologies. The initial configuration takes approximately two hours for a standard Salesforce org with Contact, Account, and Case objects. Custom object configuration and advanced referential integrity rules are included in the implementation engagement.
For orgs that run frequent sandbox refreshes — monthly or more — MaskEzee pays for itself in compliance overhead avoided on the first refresh cycle.
Book a MaskEzee DemoFrequently Asked Questions
Does Salesforce sandbox refresh automatically protect customer data?
No. Salesforce sandbox refresh copies production data verbatim. Partial and full sandboxes receive real customer records — including names, email addresses, phone numbers, and any PII stored in custom fields — unless a masking process is applied after refresh. Salesforce's built-in sandbox data mask tool offers some configuration but requires manual setup per refresh and does not cover all custom field patterns.
What data does MaskEzee protect during a sandbox refresh?
MaskEzee replaces personally identifiable information including Contact names, email addresses, phone numbers, mailing addresses, account names linked to individuals, and custom fields in the masking configuration. Replacement values are format-valid and referentially consistent — a masked email is still valid email format, and all records referencing the same original email receive the same replacement value.
How long does MaskEzee take to run after a sandbox refresh?
MaskEzee runs as a post-refresh Apex batch process. A partial sandbox with 50,000 Contact records typically completes in 10–20 minutes. Full sandbox environments with millions of records are handled in configurable batch sizes within governor limits. The process is non-blocking and can be triggered automatically via a post-refresh org hook.
Will masked data break automated tests or integrations?
Not if masking is configured correctly. MaskEzee preserves data format constraints — email addresses pass email validation, phone numbers match the expected locale digit pattern, and postcode fields match country format. Referential integrity is maintained across related objects: a Contact's masked email matches the same value in any Case, Lead, or junction record that references it.
Does MaskEzee satisfy GDPR requirements for sandbox environments?
MaskEzee's output constitutes pseudonymised data under GDPR — the original PII is replaced with non-identifying values, and the replacement mapping is not retained in the sandbox. This significantly reduces compliance exposure. For teams seeking full anonymisation, MaskEzee supports one-way replacement with no recovery path. Regulatory sufficiency should always be confirmed with your Data Protection Officer.