Salesforce is a powerhouse for managing customer relationships, and that means it often stores your most sensitive customer data. But not every Salesforce environment is equally secure.

Developers, testers, and training teams often work in sandbox environments that don’t have the same access controls or monitoring as production. If you copy unprotected production data into a sandbox, you could expose personal details where they don’t belong.

And when that happens, seemingly innocuous mistakes can cause big-time blowback.

That’s where data masking comes in. It protects sensitive information in your Salesforce sandboxes while keeping the data realistic enough for testing, training, and development.

What Is Data Masking?

Data masking is the process of replacing real, sensitive data with altered or randomized values that look and behave like the real thing but can’t be traced back to actual people.

For example, a customer name like Maria Lopez might become Samantha Green. An email like john.smith@example.com might become michael.jones@testmail.com. The masked data looks valid, so your applications can work with it, but it no longer exposes private information.

The goal is to keep your non-production environments safe while preserving the usefulness of the data.

If you’d like to read more about this topic, we have a full-blown guide to data masking.

How Data Masking Differs from Tokenization and Encryption

While they all protect data, they work differently:

  • Data masking alters the data into a non-reversible but realistic form for safe testing and training use.
  • Tokenization replaces sensitive data with a unique placeholder (token) that maps back to the original in a secure lookup.
  • Encryption transforms data into unreadable form that can be restored only with the correct decryption key.

For Salesforce sandbox protection, masking is ideal because you don’t need the original values at all — you just need safe, usable stand-ins.

How Data Masking Works in Salesforce

Salesforce offers Data Mask, a managed package you install in your production org. When you refresh a sandbox, Data Mask automatically replaces sensitive production data with masked values before anyone accesses it.

You can set masking rules for different field types, for example:

  1. Replace names with random strings from a list.
  2. Scramble phone numbers while keeping them valid-looking.
  3. Obscure email addresses while keeping the format intact.

The masking is irreversible — once masked, the original values can’t be recovered from the sandbox.

Example: Masking Salesforce Data in a Sandbox

Let’s say your production record looks like this:

| Field | Original Value | Masked Value |
| --- | --- | --- |
| Name | Maria Lopez | Samantha Green |
| Email | maria.lopez@example.com | laura.hill@fakedomain.com |
| Phone | (312) 555‑0182 | (404) 555‑2917 |

After masking, your developers and testers still see realistic values, but no personal information is exposed.

Salesforce Data Mask vs. Salesforce Shield

Although both Salesforce Data Mask and Salesforce Shield are security-related features, they solve very different problems. Many Salesforce administrators and security teams mistakenly assume they are interchangeable — but using the wrong one for the wrong purpose can leave gaps in your data protection strategy.

Salesforce Data Mask

Salesforce Data Mask is specifically designed to protect sensitive information in non-production environments such as developer, QA, and training sandboxes. When you refresh a sandbox from production, Data Mask automatically replaces sensitive fields with masked values according to rules you define.

The goal is to make sure that when developers, testers, or trainers work in those sandboxes, they are not seeing actual customer or business data.

  1. The masking is irreversible — once the values are replaced in the sandbox, they cannot be decrypted or “unmasked.”
  2. It’s intended for environments where you do not need the real values at all, only data that behaves similarly for testing or training purposes.
  3. It helps organizations meet privacy and compliance requirements like GDPR, HIPAA, and CCPA by preventing unnecessary exposure of personal data.

Salesforce Shield

Salesforce Shield, on the other hand, is aimed at protecting live production data while still allowing full access to authorized users. Shield provides three core capabilities:

  1. Platform Encryption — Encrypts fields and files in production so they remain secure at rest and in transit, even if database-level access is compromised.
  2. Field Audit Trail — Lets you track changes to critical data for compliance and troubleshooting.
  3. Event Monitoring — Gives detailed insight into user activity for security oversight and performance optimization.

Shield encryption is reversible — if a user has the right permissions, they can see the original, unencrypted value. This makes Shield ideal for day-to-day business use, where the real data must remain accessible but also needs to be safeguarded from unauthorized exposure.

Comparing Them Both

In short:

  • Data Mask is about removing sensitive production data from non-production environments entirely, replacing it with safe, fake-but-realistic values.
  • Shield is about securing sensitive production data so it’s protected but still usable by those with the right access.

A good analogy: Data Mask is like making a photocopy of a document where all the sensitive information is replaced with placeholders before sharing it with outsiders. Shield is like locking the original document in a safe but still allowing the right people to take it out and read it when needed.

For a comprehensive Salesforce security strategy, many organizations use both: Shield to protect production data and Data Mask to protect sandbox data.

This dual approach ensures security across the entire Salesforce lifecycle, from active customer engagement in production to development, testing, and training in sandboxes.

How to Use Salesforce Data Mask

Salesforce Data Mask is a managed package that you install into your production org to generate masked data in any sandbox you create from it.

It is not a feature that works in real time in production; instead, you run it when you refresh or repopulate a sandbox, ensuring that sensitive information never leaves your secure production environment in clear form.

The process is straightforward once you understand the workflow.

1. Install the Salesforce Data Mask package

Data Mask is available from Salesforce AppExchange or directly through Salesforce’s setup menu if your license includes it. You install it into your production org, not a sandbox. This is important because masking happens during sandbox creation or refresh, so the configuration needs to live in production to apply downstream.

2. Define your masking rules

Before you run Data Mask, decide which fields to mask and how. Salesforce offers three masking techniques:

  1. Randomize — Replaces values with random characters that match the original data type and length. Useful for fields like phone numbers or names where format matters but actual values do not.
  2. Replace — Substitutes a field with a static value of your choice. Good for fields where consistency is more important than variety, such as replacing all emails with masked@example.com.
  3. Delete — Completely clears the field value. Works for fields that do not need any data in non-production environments.

You can apply these rules to standard fields such as Contact Email and custom fields such as SSN__c.
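To make the three techniques concrete, the following Python example applies Randomize, Replace and Delete rules to one record. It is an added illustration, not code from Salesforce or the Data Mask package; the record, the rule format and the function names are assumptions made for the example.

```python
import secrets
import string

def randomize(value):
    """Randomize: swap every letter or digit for a random one of the same
    class, keeping length, case and separators so format checks still pass."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(secrets.choice(pool))
        else:
            out.append(ch)  # keep separators such as "(", "-", "@", "."
    return "".join(out)

def apply_rules(record, rules):
    """Return a masked copy; fields without a rule pass through unchanged."""
    masked = dict(record)
    for field, (technique, arg) in rules.items():
        if masked.get(field) is None:
            continue  # nothing stored, nothing to mask
        if technique == "randomize":
            masked[field] = randomize(masked[field])
        elif technique == "replace":
            masked[field] = arg      # same static value for every record
        elif technique == "delete":
            masked[field] = None     # field is cleared entirely
        else:
            raise ValueError(f"unknown technique: {technique}")
    return masked

# Constructed sample record and rule set (field names follow the article).
RECORD = {"Id": "003A", "Name": "Maria Lopez",
          "Email": "maria.lopez@example.com", "Phone": "(312) 555-0182",
          "SSN__c": "123-45-6789"}
RULES = {"Name": ("randomize", None), "Phone": ("randomize", None),
         "Email": ("replace", "masked@example.com"), "SSN__c": ("delete", None)}

if __name__ == "__main__":
    print(apply_rules(RECORD, RULES))
```

Note that a field with no rule, such as `Id` here, is copied as-is, which is exactly how a newly added sensitive field would leak if its rule were forgotten.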

3. Target the right objects

You may not want to mask every field in every object. For example, product catalog data might be harmless in a sandbox, but customer PII is not. Carefully review your data model and identify sensitive fields that could expose:

  1. Personally identifiable information (PII)
  2. Protected health information (PHI)
  3. Financial details such as credit card numbers or bank accounts
  4. Proprietary business data such as pricing formulas or partner agreements

4. Run Data Mask during sandbox refresh

Once your masking rules are in place, run Data Mask as part of the sandbox creation or refresh process.

When you refresh a sandbox, Data Mask copies your production schema and data, applies the masking rules you set, and only then commits the data to the sandbox. This ensures that at no point does unmasked production data get stored in the sandbox, reducing the risk of exposure.

5. Test the masked data

After the sandbox is ready, test it to confirm the masked data is functional for your intended purpose. Verify that:

  1. Masked values conform to expected formats so workflows and validations still work.
  2. Key relationships and lookups remain intact.
  3. No sensitive values slipped through unmasked.

Testing is especially important if you use complex automation or integrations that depend on specific data formats.
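One way to automate the three checks above is to export the same records from production and from the refreshed sandbox and compare them. The Python below is an added example, not part of Data Mask; the expected field formats, the `AccountId` lookup and the sample rows are constructed for the example.

```python
import re

# Expected format per sensitive field (assumed for this example).
SENSITIVE = {
    "Email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "Phone": re.compile(r"^\(\d{3}\) \d{3}-\d{4}$"),
    "SSN__c": None,  # rule is Delete: the field must be empty in the sandbox
}
LOOKUPS = ["AccountId"]  # relationship fields that must survive unchanged

def norm(v):
    return (v or "").strip().lower()

def audit(prod_rows, sandbox_rows):
    """Return sorted findings as (record Id, field, problem) tuples."""
    prod_by_id = {r["Id"]: r for r in prod_rows}
    # Every real value per field, so a value moved to another record is caught too.
    real = {f: {norm(r.get(f)) for r in prod_rows} - {""} for f in SENSITIVE}
    findings = []
    for row in sandbox_rows:
        src = prod_by_id.get(row["Id"], {})
        for field, pattern in SENSITIVE.items():
            val = norm(row.get(field))
            if val and val in real[field]:
                findings.append((row["Id"], field, "production value present"))
            elif pattern is None and val:
                findings.append((row["Id"], field, "should be empty"))
            elif pattern is not None and val and not pattern.match(row[field].strip()):
                findings.append((row["Id"], field, "bad format"))
        for field in LOOKUPS:
            if row.get(field) != src.get(field):
                findings.append((row["Id"], field, "lookup changed"))
    return sorted(findings)

# Constructed exports: the second sandbox row fails every check on purpose.
PROD = [{"Id": "003A", "AccountId": "001A", "Email": "maria.lopez@example.com",
         "Phone": "(312) 555-0182", "SSN__c": "123-45-6789"},
        {"Id": "003B", "AccountId": "001B", "Email": "john.smith@example.com",
         "Phone": "(312) 555-0147", "SSN__c": "987-65-4321"}]
SANDBOX = [{"Id": "003A", "AccountId": "001A", "Email": "laura.hill@fakedomain.com",
            "Phone": "(404) 555-2917", "SSN__c": ""},
           {"Id": "003B", "AccountId": "001X", "Email": "John.Smith@example.com",
            "Phone": "404555", "SSN__c": "000-00-0000"}]

if __name__ == "__main__":
    for finding in audit(PROD, SANDBOX):
        print(finding)
```

Run the comparison wherever the production export already lives, so the audit itself does not put real values into a less protected environment.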

6. Iterate and maintain your rules

Data models change, new fields are added, and regulations evolve. Review your masking rules periodically, especially after schema changes, to ensure they still meet your security and compliance needs.

If you forget to mask a newly added sensitive field, you risk accidental exposure in your next sandbox refresh.

Common Pitfalls 

Even though masking is straightforward, there are a few common pitfalls to avoid:

  1. Over-masking data: If you mask too aggressively, you might break workflows or test scripts. Strike a balance between privacy and usability.
  2. Not planning ahead: Define your masking strategy before setting up rules. Inconsistent approaches can lead to confusion or broken tests.
  3. Ignoring access controls: Masking is only part of the security picture. Limit sandbox access to the people who actually need it.
  4. Neglecting maintenance: Review your masking rules regularly to keep up with changes in your Salesforce schema.

Wrapping It Up

If your Salesforce org handles customer data — and most do — data masking is a must for protecting that information in non-production environments. Salesforce’s Data Mask tool makes it much easier to do this automatically and consistently.

By masking data in your sandboxes, you reduce compliance risks, safeguard customer privacy, and still give your teams the realistic test data they need to work effectively.

Whether you’re preparing for a new implementation, expanding your testing processes, or tightening up security policies, implementing data masking in Salesforce is a smart move.
