Discover
Marc automatically maps every column across your databases that may contain personal data — SQL Server, PostgreSQL, MySQL, Snowflake, Oracle, and more. No manual cataloguing. No assumptions about what's clean.
Co.Marc gives compliance and data protection teams a clear, auditable path from unknown personal data to governed, protected, and evidenced compliance — without disrupting operations.
Records grow over years. New information is collected, systems are integrated, data is copied. What started as manageable becomes an undocumented accumulation of personal information — and regulators expect you to account for every piece of it.
The ICO doesn't accept "we weren't sure what we had" as a defence. GDPR requires you to know what personal data you hold, protect it appropriately, and delete it when the time comes — and to be able to prove all three.
For most organisations, that's currently a manual, incomplete, and hard-to-evidence process.
GDPR fines reach €20M or 4% of global annual turnover. The ICO expects documented evidence — not best intentions.
Personal data you haven't identified can't be protected. Internal systems and working copies of data are particularly exposed.
The Storage Limitation principle requires deletion when data is no longer needed. Manual processes rarely keep up.
You have one month to respond. Without a complete picture of what you hold, compiling an accurate response is difficult and risky.
Co.Marc connects to your databases, finds the personal data, helps your team make the right decisions, and applies them automatically — while building the audit evidence you need to demonstrate compliance.
Marc automatically maps every column across your databases that may contain personal data — SQL Server, PostgreSQL, MySQL, Snowflake, Oracle, and more. No manual cataloguing. No assumptions about what's clean.
Each piece of data is categorised — names, email addresses, national insurance numbers, financial identifiers — with a confidence score so your team focuses on what matters most.
Your DPO or compliance lead makes a deliberate, documented decision for every finding using the 3Rs framework — Retain, Protect, or Delete. Every decision is recorded with who made it and when.
Decisions are applied automatically. Personal data is masked, access-controlled, or deleted on schedule — without developers needing to build custom solutions.
Everything is logged — decisions, enforcement actions, deletions, and access requests. Your audit trail is built as you work, not assembled in a panic before an inspection.
The 3Rs give your team a clear, consistent vocabulary for data governance. No ambiguity. No ungoverned columns. Every finding gets a deliberate, documented treatment.
Order references, status codes, system identifiers — low-risk data that doesn't need treatment. The decision is recorded and attributed. R1 is not inaction; it's a deliberate, documented assessment.
Names, email addresses, national insurance numbers. Data your business needs to keep but must protect. Marc applies access controls automatically — masking data for those who don't need to see it, while legitimate users retain full access.
Data that must go when its retention period expires. You define the rule — account closed, application rejected, consent withdrawn. Marc evaluates on schedule, presents records for your approval, then deletes them. Every deletion is logged.
Every classification, decision, and enforcement action is logged with who did it and when. If the ICO comes calling, your evidence is already prepared.
Find every record held about a data subject across all your databases with a single search. Generate a signed certificate of findings. Respond with confidence, on time.
Marc works with metadata — not personal data values. The on-premises component processes everything locally. Nothing sensitive is transmitted, ever.
Databases change — new columns, new tables, new data flows. Marc monitors continuously, surfacing new personal data for review as it appears. Compliance doesn't go stale.
Marc discovers and classifies — but humans make every governance decision. Every treatment is reviewed, approved, and attributed. You are always the decision-maker.
Set the rules once — account closed plus 7 years, consent withdrawn plus 30 days. Marc evaluates on schedule and prepares deletion batches for your approval. Storage limitation, systematised.
Co.Marc is built around a principle that should be non-negotiable: the personal data in your databases never needs to leave your network for you to govern it properly.
The Marc component that connects to your databases runs on your own infrastructure. It sends only structural information — column names, data types, findings — to the governance portal. The actual values inside your databases are never transmitted, ever. This isn't a feature you configure; it's the way the system is built.
Read about Privacy by DesignBook a guided walkthrough with one of our compliance specialists. We'll show you the discovery, classification, and decision workflow applied to your own environment.