Sandbox DataMasker FAQs
Common questions about masking sensitive data in Salesforce sandboxes.
How do I install DataMasker?
Installation via Salesforce AppExchange takes under 5 minutes. Configure masking profiles through a point-and-click interface. Most teams complete their first sandbox masking run the same day.
Does DataMasker require custom Apex development?
No custom code needed for standard implementations. Configuration happens through Salesforce screens. REST API triggering requires connected app setup but no Apex coding.
Which Salesforce editions does DataMasker support?
Works with Enterprise, Unlimited, and Performance editions. Supports all sandbox types (Developer, Developer Pro, Partial Copy, Full Copy) and scratch orgs.
How long does DataMasker take to deploy?
Initial deployment takes one business day. Full production deployment with CI/CD integration typically requires 1-2 weeks.
Does DataMasker pass Salesforce AppExchange Security Review?
Yes, it has passed rigorous assessment covering OWASP Top 10, data handling, encryption, and access controls.
Can DataMasker mask data in production?
No, designed for non-production environments only. It eliminates PII exposure in developer and QA environments without modifying production.
How do I create different masking profiles for different sandboxes?
Support for multiple named profiles allows creating Developer (aggressive masking), QA (selective masking), and Demo profiles with specific substitutions.
What permissions does DataMasker require?
Requires System Administrator profile or custom profile with DataMasker permission set. Running user must have object access. No special license add-ons needed.
What substitution types does DataMasker support?
Supports realistic name generation, email substitution, phone masking, address masking, date offset, numeric range masking, picklist substitution, and regex pattern masking.
Can DataMasker mask formula fields?
Cannot directly mask calculated fields. Masks source fields instead, automatically updating formula results. Contact Cloud Compliance for independent formula field scenarios.
Does DataMasker support picklist fields?
Yes, substitutes values with other valid picklist options while preserving data integrity constraints.
How does DataMasker handle related records to maintain referential integrity?
Grouping and sequencing features process related objects together, ensuring consistent propagation of changes across related records.
Can I mask only specific records, not all records of an object?
Yes, filter conditions allow masking records matching specific criteria, useful for partial copy sandboxes preserving reference data.
What happens to encrypted fields (Salesforce Shield Platform Encryption)?
Works alongside Shield. Shield encrypts at rest; DataMasker masks decrypted values with realistic substitutes.
Can DataMasker preserve email domain structure during masking?
Yes, masks the local part while preserving domain, useful when domain serves as company proxy.
How does DataMasker handle Person Accounts?
Fully supported. Treats as unified Contact+Account object, applying masking rules simultaneously to both.
Can DataMasker mask data in Experience Cloud (Community) objects?
Yes, supports portal user records, community member data, and associated CRM objects.
Does DataMasker support custom objects?
Yes, all custom objects and fields are available in profile configuration.
How fast does DataMasker process records?
Processes approximately 5 million records per hour. Scales to 99 million in 24 hours using parallel batch processing.
How does DataMasker handle Salesforce governor limits?
Uses Apex Batch with configurable sizes (default 200, tunable to 2,000). Spawns parallel jobs for large volumes.
What is the recommended batch size for large orgs?
Start with 200 records/batch for complex schemas. 500-1,000 safe for simpler schemas. Avoid maximum sizes with many relationships.
Can DataMasker run multiple masking jobs in parallel?
Yes, simultaneous jobs process different objects. Achieves 99M records in 24 hours through parallel batch processing.
How long does a typical full-copy sandbox masking run take?
1-5M records: 2-4 hours. 10-50M records: 8-12 hours with standard parallelism. Example: 125M records in 48 hours.
Does DataMasker slow down the sandbox environment during masking?
Runs asynchronously in background job queue. Sandbox remains accessible. Schedule during off-hours for large jobs.
What happens if a masking job fails mid-run?
Completed batches preserved. Resume feature allows re-running from failure point. All errors logged with record ID and field.
Does DataMasker support Salesforce Financial Services Cloud row-locking?
Yes, grouping and sequencing resolves FSC row-locking through dependency-aware processing.
How do I trigger DataMasker from a Copado pipeline?
Call REST API endpoint with masking job configuration. API returns job ID for polling completion status.
Does DataMasker work with Gearset?
Yes, use post-deployment webhook feature to call REST API after sandbox deployment.
Can I trigger DataMasker from GitHub Actions or GitLab CI?
Yes, REST API supports HTTP requests from any CI/CD platform using curl or preferred HTTP client.
What does the DataMasker REST API request look like?
Specifies target sandbox, masking profile name, and optional overrides. Uses OAuth 2.0 connected app authentication.
Can DataMasker be scheduled to run automatically after sandbox refresh?
Two methods: REST API trigger from CI/CD pipeline or Scheduled Apex. API recommended for active DevOps pipelines.
Does DataMasker support Salesforce DX scratch orgs?
Yes, masks scratch orgs via REST API after org creation and data loading.
How do I validate that masking ran successfully in my pipeline?
Poll REST API endpoint until completion. Response includes summary of objects, records, and fields processed plus errors.
Can multiple team members configure DataMasker simultaneously?
Yes, profiles stored as Salesforce records. Subject to standard record-level access controls. Version control through metadata export.
What support is available for DataMasker integration?
Cloud Compliance provides documentation, API reference, sample integrations, and Customer Success Manager support.