Data discovery & anonymisation · Runs in your environment

Know exactly what sensitive data you hold. Prove what you did about it.

VestraData scans your databases and file stores, returns field-level findings with confidence scores, and lets you anonymise in place or generate production-like test data — all inside your own infrastructure.

Your cloud or air-gappedNo data leaves your environmentFindings in hours, not weeksBuilt in Cambridge, UK
Scan findings — prod-postgres-01Illustrative
14,823Maskedusers.email → PERSONAL_EMAIL (99.1%)
8,441Reviewpatients.full_name → FULL_NAME (97.8%)
22,109Scopedpayments.card_no → CREDIT_CARD (94.2%)
6,201Maskedcontacts.mobile → PHONE_NUMBER (98.5%)
4Fields shown
99.1%Top confidence
LiveRead-only creds

In a technical review, this is built live from one of your real sources.

Why teams look at this

Production data keeps ending up where it shouldn't be.

Staging databases refreshed from production. Analytics environments with real customer records. Every one of these is a standing regulatory exposure — and the masking scripts meant to prevent it break on every schema change.

UK GDPR — data minimisationPersonal data in staging, analytics, and test environments violates the minimisation principle unless technical measures are in place.
ICO anonymisation guidanceThe ICO's guidance sets the standard for effective anonymisation and pseudonymisation. Hand-rolled masking scripts rarely meet it.
GDPR Art. 30Records of processing require knowing what personal data you hold and where. Most organisations cannot answer that at field level.
PCI-DSS 4.0Cardholder data in non-production systems keeps those systems in PCI scope. Anonymisation removes the scope, not just the risk.
NHS DSPT / HIPAA §164Health data carries a higher technical bar: de-identification standards, audit evidence, and strict controls on data movement.
The platform

One engine: discover, anonymise, and generate safe data.

VestraData does one job thoroughly — it finds regulated data and produces governed, usable alternatives to it, with the audit trail to prove it.

01 · Discovery

Discovery & classification

Connect PostgreSQL, MySQL, Snowflake, S3, or SharePoint with a read-only credential. VestraData samples schemas and returns field-level findings — what was detected, how many rows, and at what confidence.

Adaptive sampling — no full table scans
Zero-shot detection, including custom entity types
Structured and unstructured sources in one queue
02 · Anonymisation

In-place anonymisation

Apply masking and anonymisation directly where the data lives. Remove personal data from staging and analytics environments without rebuilding pipelines.

Consistent surrogates across tables and time
Schema changes detected, rules updated automatically
Replaces hand-maintained masking scripts
03 · Test data

Production-like test data

Extract referentially intact subsets and generate statistically faithful synthetic datasets. Engineering, QA, and ML teams work with data that behaves like production.

Foreign keys preserved across related tables
Distribution, correlation, and null rates matched
Scheduled refresh direct to staging or object storage
04 · Audit

Audit evidence

Every finding, decision, and transformation is written to a tamper-evident, hash-chained record. When a regulator asks what you found, you export the log.

GDPR Art. 30 records generated from scan findings
Hash-chained — tampering breaks the chain
Export-ready for DSPT, PCI, and internal audit

Also in the platform: a data airlock for governed document sharing, an SDK/API for embedding detection in your own pipeline, and VestraShield — a companion browser tool that redacts sensitive content before it reaches external AI tools, available to evaluation customers.

How it works

From read-only credential to audit-ready evidence.

01ConnectAdd a source with a read-only, per-tenant encrypted credential. Scope is agreed before any scan runs.
02DiscoverA lightweight schema pass maps tables, estimates volume, and surfaces likely-sensitive fields.
03ScanDeep field-level scan with confidence scores, row counts, and the context evidence behind each finding.
04ActApply the right control: mask, anonymise in place, or generate a governed synthetic export.
05ProveThe decision trail is complete — what was found, what changed, and who approved it.
Deployment

Your infrastructure, not ours.

Every deployment model keeps production data inside your boundary. There is no VestraData cloud that your data passes through.

01Your cloud account

Deploy into your own AWS, Azure, or GCP account. Your networking, your IAM, your storage. No production data touches vendor infrastructure.

AWSAzureGCPTerraform
02On-premises / air-gap

Runs inside a private data centre or restricted network segment with no internet dependency at runtime. Offline licensing, no phone-home.

Air-gappedNo egressOffline licensing
03Embedded SDK

Run the detection and policy layer in-process inside your own product or pipeline when a standalone deployment is not the right fit.

PythonNode.jsJava.NET

Compare deployment models →

Where it applies

The same engine, applied to your regulatory reality.

The obligations differ by sector; the underlying problem doesn't.

The technical review

We don't do slide-deck demos. We scan your real data, live.

Forty-five minutes, one read-only credential to a representative source, and you watch discovery and scanning happen in real time. No prepared screenshots, no sandbox with fabricated data.

Minutes 0-5We start with one real sourceUsually a read-only database credential, file store, or bucket that is representative enough to answer whether the product fits your environment.
Minutes 5-20We run discovery and scanYou watch it happen live. The schema map builds in real time. Findings appear as the scan progresses. No prepared screenshots.
Minutes 20-35We walk through the findingsWhat was found, where, the risk level, and the confidence score. We explain any finding you want to understand in more depth.
Minutes 35-45You pressure-test the fitDeployment, controls, source coverage, air-gap requirements, and what a narrow pilot in your environment would actually involve.
Where we are

We're an early-stage company based in Cambridge, UK, and we'd rather you knew that.

Cambridge is home to one of Europe's densest concentrations of deep-tech and AI research — we're building alongside that ecosystem, not claiming it as our own track record. VestraData is working with a small number of organisations ahead of a wider release. You won't find customer logos or case studies here yet — which is exactly why our first conversation is a live scan of your real data rather than a pitch. Read more about the company, or email us directly — a founder replies, not a sales sequence.