Capital on Tap Meeting Regulatory Compliance and Explosive Growth with DataVeil Data Masking

Problem

Data privacy is a key concern for organizations around the globe: they need to protect their customer base and sensitive data and to achieve regulatory compliance. Meeting regulatory compliance across multiple countries is a significant undertaking. As more regulations surface (e.g., GDPR, ISO 27001, SOC 2, CCPA), properly protecting Personally Identifiable Information (PII) in SQL Server databases becomes challenging. Protections are needed across numerous environments (i.e., Production, Pre-Production, QA, and Development). Implementing SQL Server data masking strategies can help achieve this protection.

The challenges quickly compound for IT Professionals. Development and Test environments need realistic data, both for developer productivity and for the testing that improves time to market for new product offerings. As an IT Professional, how can you meet the regulatory requirements? How can you provide anonymized data to your Development and Testing Teams to build new product offerings?

Solution

Let’s learn how one rapidly growing FinTech company has found the balance during a decade of explosive growth. We will discuss how they meet regulatory compliance and provide the technology teams with anonymized data.

Meet Arnold @ Capital on Tap

Arnold Lieberman is the Lead Data Engineer at Capital on Tap. He has over 30 years of experience as a software developer and data engineer within the financial services industry. Arnold and his team are responsible for management, security, and performance of the OLTP SQL Server environment. This platform processes over a billion British Pounds Sterling (1.3 billion USD) of transactions each month.

Capital on Tap is a leading business credit card and spend management platform. Their goal is to simplify financial operations for small businesses. Since its founding in 2012, over 200,000 businesses have spent more than £10 billion using Capital on Tap Business Credit Cards. Offering credit limits of up to £250,000, uncapped 1% cashback on all card spending, and innovative features like Preloading to extend credit flexibility, the platform empowers businesses to manage expenses and earn rewards such as cashback, travel perks, and gift cards. Recognized for its exceptional growth, Capital on Tap recently ranked #1 in the Fintech, Financial Services & Insurance category and #5 overall in the Financial Times’ inaugural Europe’s Long-Term Growth Champions 2025 list.

Challenges

With this level of growth, Arnold and his team have recognized several challenges to properly support the sensitive data needed by the organization.

The SQL Server environment supports 60 OLTP databases with nearly 2TB of data within a microservices architecture. As with all financial services providers, the data being stored is highly sensitive, and as Arnold remarked during a recent interview, this is “the sort of data you would not want leaking.” Arnold and his team recognize that “we need to be careful about how we store this highly sensitive and personal data.”

Arnold is well aware of these privacy concerns, facing strict regulations from the Information Commissioner’s Office (ICO) in the United Kingdom and legislation in the United States related to data retention, usage, and access. With regulatory compliance and company reputation at stake, there is no compromising on the data. This is the top priority with no room for error. To compound this, he also feels the pressure from his IT Management and Product Development Team. The first need is to deliver a realistic database platform for Developers to build new functionality and validate performance at scale without impacting existing customers. The second is to support the Product Development Teams’ ideas for building new products to continue the company’s growth.

Data Privacy vs. New Product Development

Balancing data privacy versus new product development is a continuous challenge for Arnold and his team. Arnold shared that “the business is keen on launching new products” to continuously enhance their credit card, savings account, and perks program for their clients. This left Arnold searching for a means to allow Developers to build and test with anonymized data that is representative of the production environment. Arnold calls this “production-like data with the full database” rather than data subsets or extracts that are not sufficient to validate performance under realistic system load. Further, his team wanted to “make sure Developers have data that looks and feels like real data.”

Another reality set in—the need to build and synchronize data across 60 databases totaling nearly 2TB of data. Trying to anonymize data is very difficult, but having to do so across 60 databases with weekly data refreshes that are all in sync left Arnold with a steep mountain to climb. Automation is key, but data that is time-aligned across the cleansed non-production environment is imperative for the Development and Testing teams to have a realistic database environment that maintains referential integrity.

Meeting Regulatory Compliance and Business Goals

After significant research on the regulations with his security team and clarifications from the business, Arnold began to research and test products in the market. With a firm set of requirements, he set out determined to find the right balance between regulatory compliance and business growth as well as automate the solution.

Arnold and his team initially researched a product that they had heard of and expected to meet their SQL Server data masking needs. Unfortunately, that product did not have the flexibility required and was very expensive. At that point, the team turned to Google, looking at alternatives and building a list of products they considered “suitable.”

Arnold found DataVeil and was quickly excited about numerous features:

  • Intuitive GUI for initial setup, configuration, and learning
  • Generation of realistic test data
  • Automation with DataVeil Command Line Interface (CLI)
  • Deterministic (consistent data with a seed value) and nondeterministic (random data that is not repeatable) pseudonymization
  • Data discovery
  • Data preservation or complete masking
  • Predefined masks
  • Custom masking options
  • Affordable price point

Arnold’s team worked on a pilot project to confirm that all features would meet their technical and business goals. Along the way, they reached out to DataVeil support for assistance and direction. Arnold remarked that “our communication with DataVeil support was always receptive and responsive – it gave us a comfortable feeling that if we have a problem, DataVeil will work with us to resolve it.”

As the pilot project progressed, Arnold quickly realized that “having data privacy code in place from DataVeil allows us to tick a lot of boxes (i.e., for regulatory compliance) much more quickly and move more quickly” to achieve the balance required by Capital on Tap. Arnold and his team have confidence in meeting ISO 27001, GDPR, and more regulations.

Automation and Time Savings

To meet the automation needs, Arnold uses Azure DevOps pipelines with PowerShell to automate the SQL Server database backup and restore and to call the DataVeil CLI for the data masking processes. This saves at least one day per week of a full-time employee and meets additional compliance requirements related to testing database backups. This refresh frequency gives the Development Team time to test and deploy new functionality as well as ensure the performance is acceptable under load. In turn, this enables the Development team to meet the Product Management team’s goals.

Why DataVeil for SQL Server Data Masking?

When Arnold was asked why his team selected DataVeil, he responded with numerous reasons:

Deterministic Masking

If Arnold were forced to pick a single favorite DataVeil feature, Deterministic Masking would be it. This feature enables a single seed to be used across all 60 databases so that the data masking is consistent, enabling his development teams to build and test microservice-based applications.

Flexibility

As one example, with 5 main Development Teams at Capital on Tap, each on different code deployment schedules, database schema changes occur all the time. With DataVeil’s XML-based project file, Arnold and his team are also able to generate metadata for dynamic data masking and classification of columns with PII in one place. If DataVeil used a binary file, this would not have been possible. This small feature is a huge time saver.

Contextual Data

With DataVeil’s data masking, it is more than just changing John Smith to Bob Sawyer. DataVeil has the ability to group columns together and ensure each of the values remains associated. For example, with multiple address columns, the Postal Code stays with the City, even if that address ends up being linked to a different person. This enables realistic testing and avoids breaking validation processes.
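The two ideas above, seed-based deterministic masking and grouped columns, can be illustrated with a short added example. It is not DataVeil's code or algorithm: HMAC-SHA-256 keyed on the seed is assumed here as the deterministic function, and all function names, lookup lists and rows are constructed for illustration.

```python
import hashlib
import hmac

# Constructed replacement values; real masking tools ship far larger lists.
FIRST_NAMES = ["Alice", "Bob", "Carol", "David", "Erin", "Frank", "Grace", "Hugo"]
ADDRESSES = [("Leeds", "LS1 4AP"), ("Bristol", "BS1 5TR"),
             ("Cardiff", "CF10 1EP"), ("Glasgow", "G2 1DY")]  # (city, postal code)

def keyed_digest(seed: bytes, domain: str, value: str) -> bytes:
    """HMAC over a normalised value; the domain tag separates column types."""
    msg = domain.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(seed, msg, hashlib.sha256).digest()

def pick(seed: bytes, domain: str, value: str, choices):
    """Same seed + same original value -> same replacement, in any database."""
    return choices[int.from_bytes(keyed_digest(seed, domain, value)[:8], "big") % len(choices)]

def mask_email(seed: bytes, email: str) -> str:
    return "user-" + keyed_digest(seed, "email", email).hex()[:12] + "@example.invalid"

def mask_row(seed: bytes, row: dict) -> dict:
    out = dict(row)
    if "email" in row:
        out["email"] = mask_email(seed, row["email"])
    if "first_name" in row:
        out["first_name"] = pick(seed, "first_name", row["first_name"], FIRST_NAMES)
    if "city" in row and "postal_code" in row:
        # Grouped columns: one draw replaces both, so the pair stays a valid address.
        key = row["city"] + "|" + row["postal_code"]
        out["city"], out["postal_code"] = pick(seed, "address", key, ADDRESSES)
    return out

def demo():
    seed = b"constructed-seed-keep-in-a-secret-store"  # placeholder, not a real secret
    # Two constructed rows for one customer, held by different microservice databases.
    cards = {"email": "Jane.Doe@corp.example", "first_name": "Jane",
             "city": "London", "postal_code": "EC1A 1BB"}
    rewards = {"email": "jane.doe@corp.example ", "points": 1200}
    return mask_row(seed, cards), mask_row(seed, rewards)

if __name__ == "__main__":
    masked_cards, masked_rewards = demo()
    print(masked_cards)
    print(masked_rewards)
    print("join key preserved:", masked_cards["email"] == masked_rewards["email"])
```

In a scheme like this the seed acts as a key: anyone who holds it can recompute the pseudonym for a guessed input, so it belongs in a secret store and not in the non-production environments that receive the masked data.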

Automation and Time Savings

DataVeil’s CLI is called by the Azure DevOps pipelines built by Arnold and his team to automate a complex process. They have been able to complete the data cleansing process for both UK- and USA-based clients within 8 hours.

Support

Whether evaluating DataVeil or supporting the solution once deployed, Arnold and his team have “confidence in the company itself that they are doing a good job in helping us.”

Compliance

It goes without saying, this is the core reason for Arnold and his team to select DataVeil.

Price Point

Arnold noted that DataVeil is “very competitive and offers something you just cannot get anywhere else.”
