Playbook: Building a No-PII Demo Environment for Sales Engineering
Sales engineering live in tension. The demo has to be realistic enough to convince a sophisticated buyer the product is production-ready, and the demo can't expose any real customer data, ever. Most fintech demos solve this by creating a 'sample customer' account in production with hand-curated fake-but-not-really-fake data — which works until the day someone copies a screenshot to a deck or the auditor asks about the data classification of that account. This playbook covers a clean alternative: a fully synthetic demo environment, architecturally isolated, with the personalization and reset patterns that make it sales-ready.
Architecture: isolation as the foundation
The demo environment must be architecturally separate from production — separate database, separate auth realm, separate vendor sandboxes. Anything else degrades into 'we have a discipline that we don't paste prod URLs in demos,' which fails the moment the discipline lapses.
The minimum viable architecture: separate VPC or project, separate database with no replication from prod, separate identity provider tenant or realm, separate API keys for any external integrations (or sandbox-mode keys), and an explicit network egress allow-list that prevents the demo environment from reaching production endpoints.
The synthetic-data substrate
Load the demo environment with a synthetic corpus structured to reflect your top 3-5 buyer personas. The mistake is loading 'a generic dataset' — buyers see through generic data instantly. The corpus should be archetypally curated: an emerging-affluent prospect, an HNW family-office prospect, a small-RIA aggregating prospect, etc. Each archetype maps to a specific buyer's mental model.
- ·Persona 1: Mass-affluent W-2 professional (modal customer for emerging-affluent buyers)
- ·Persona 2: HNW with concentrated equity / RSU vesting (relevant for direct-indexing, equity-comp buyers)
- ·Persona 3: Pre-retiree with multiple account types (relevant for retirement-income buyers)
- ·Persona 4: Small-business owner with K-1 + complex tax (relevant for tax-aware buyers)
- ·Persona 5: Multi-generation family (relevant for family-office, estate-planning buyers)
Per-prospect personalization without prod data leak
Buyers want to see 'their' name in the demo. The temptation is to type the buyer's actual name into a production-shaped form. Don't. Build a per-prospect personalization layer that takes a buyer's name + firm + a few preferences and overlays them onto the synthetic substrate without ever touching production.
The pattern: each demo session creates a forked working copy of the synthetic corpus with the prospect's display preferences applied (their firm name in the branding, a household name pattern matching their target customers, a couple of products they sell mapped to the demo's product menu). The fork is destroyed at session end.
// Sketch of session-fork personalization
async function personalizeDemo({
prospect_name,
prospect_firm,
target_persona,
product_menu_overrides
}) {
const baseCorpus = await loadCorpus(target_persona);
const session = await createDemoSession({
prospect_name,
prospect_firm,
base_corpus_id: baseCorpus.id,
overrides: {
branding: { firm_name: prospect_firm },
products: product_menu_overrides
}
});
// Session is destroyed after demo
return session;
}Account-isolation per sales engineer
Each sales engineer has their own demo-environment account with their own seed corpus. Don't share a single 'demo account' across the SE team — that's the pattern that produces 'wait, why does the household have these transactions, I didn't add them' confusion mid-demo.
The seed corpus per SE is identical (same starting state) but the working state diverges as the SE customizes. Resets bring all SE accounts back to the seed state on a known cadence (typically nightly).
Reset cadence and cleanup
Daily reset is the default — overnight, all SE accounts revert to seed state. Demo-session forks (from the personalization layer) are destroyed at session end automatically. Audit logs are retained for 30 days for support purposes.
Reset failures are the operational failure mode to monitor. If a reset fails, the SE may walk into the next morning's demo with state from yesterday's customization. The reset job should fail loud (paged alert) so the SE knows to manually re-seed before the demo.
Vendor / integration sandboxes
External vendors (CRM, custodian, payment processor) typically have sandbox environments. The demo environment must use the sandbox keys, not the production keys. Sandbox data must be synchronized with the synthetic corpus — if a custodian-sandbox account ID doesn't match a synthetic-corpus account ID, the integration step in the demo fails confusingly.
The pattern: maintain a mapping document tying synthetic corpus IDs to sandbox IDs across all integrations. The mapping is part of the seed corpus and resets with it.
What the auditor / customer asks
When the prospect asks 'what data is this?', the answer must be: 'fully synthetic, never touched production.' Be ready to walk through the architecture briefly. When the auditor asks the same question for a SOC 2 review, the answer must be the same plus the architecture diagram showing isolation.
The artifacts: an architecture diagram showing the isolation boundary, a documented data substitution policy stating demo uses synthetic data exclusively, and the reset / personalization runbook. These three artifacts together satisfy the question.
Key takeaways
- Isolation is architectural, not procedural. 'We have a discipline' fails the moment the discipline lapses. Separate VPC, database, auth, vendor sandboxes are non-negotiable.
- Per-prospect personalization without prod leak is the killer feature for sales engineering — buyer sees 'their' branding, household names matching their target customers, without any prod-data exposure.
- Each sales engineer gets their own account with their own seed corpus, reset nightly. Shared demo accounts produce mid-demo confusion that costs deals.
- When asked 'what data is this?', the answer is the architecture diagram + data substitution policy + reset runbook. Have these as a 3-artifact package.
FAQ
Can we use this for sales engineer training too, not just demos?+
Yes. The same environment supports SE training — each new SE gets their own account, works through training scenarios on the seed corpus, and resets daily. This is the cheapest training environment because it shares architecture with the demo environment.
What about competitive comparisons that show 'data from a real customer scenario'?+
Replace those with archetypally-similar synthetic households. The 'realness' of the original case isn't what makes the comparison compelling — the structural pattern is. A synthetic household with the same structural pattern lands the same point without the disclosure question.
How do we handle the 'this customer is in our actual portfolio' references that creep in mid-demo?+
Train SEs explicitly that the demo environment has no real-customer references and any such reference is a violation. Add a pre-demo checklist that includes 'no real customer references will be used.' Cultural reinforcement plus explicit checklist trumps occasional reminders.
What's the cost of running this versus the prod-account-with-fake-data approach?+
Marginal infrastructure cost — a separate small environment with a manageable database. Far less than the cost of a single security incident from a leaked prod-account screenshot. Most teams discover the demo environment also pays for itself by replacing ad-hoc 'create me a test account' tickets.
How do we handle on-site demos with intermittent connectivity?+
Cache a snapshot of the SE's environment locally (typically a Docker compose with seeded data) for offline demos. Reset the cached snapshot from the canonical seed before each multi-day on-site trip.
What about regulators visiting the demo? They sometimes ask to see real screens.+
Show them the synthetic environment and explain the architecture. Offer a separate, highly-controlled prod-screen walkthrough on request, with appropriate access logging. Conflating the two is what creates problems.
Does the demo environment need its own SOC 2 controls?+
Inherits from the same program but explicitly scoped. The synthetic-data substitution is itself a control that benefits the audit. The reset and personalization processes are change-management surfaces that get reviewed.