Co.Marc Product Walkthrough

How it works.

From connecting to your first database, to a full audit trail of every governance decision. Here's the Co.Marc workflow — and what your team experiences at each stage.

01

Connect your databases.

You register your databases in the Co.Marc portal. The on-premises Marc component connects to them on your own network — no data leaves your environment. From that point on, Marc knows where to look.

SQL Server, PostgreSQL, MySQL, Snowflake, Oracle, and CSV — with more connectors on the way
No schema changes or application modifications required
Multiple databases from day one
Personal data values never leave your network
Connected Databases 4 active
CustomerDB
Last scanned 2 hours ago · 147 tables · 38 findings
2 pending
HRSystem
Last scanned 4 hours ago · 64 tables · 21 findings
7 pending
OrderManagement
Last scanned 6 hours ago · 92 tables · 12 findings
All governed
LegacyArchive
Last scanned 12 hours ago · 218 tables · 74 findings
Review needed
Data Discovery — Customer Records
Field Identified as Confidence Status
Customer ID R1
Customer name Full name 98% Pending
Email address Email address 99% Pending
Country R1
National ID No. Government ID 97% Pending
Account closed date Deletion trigger 91% Pending
02

Find every piece of personal data.

Marc analyses your database structure, looking at column names, data types, and statistical patterns in sample data. It identifies which columns are likely to hold personal data and assigns a category and confidence score to each finding.

Every table in every connected database is assessed — including legacy systems, archived data, and development environments. Nothing is skipped. Nothing is assumed clean.

Classification categories
Names Email addresses Phone numbers Postal addresses Date of birth Gov. identifiers Financial identifiers Sensitive attributes Retention triggers +6 more
03

Your team makes every decision.

Marc presents findings through a clear governance workflow. Your DPO, compliance lead, or data steward reviews each finding and assigns one of the 3Rs — Retain, Manage, or Delete. Every decision is attributed to the individual who made it and timestamped.

Marc guides you through the decision — but the human is always in charge. No enforcement action is taken until your team has reviewed and approved the treatment for each finding.

Decisions attributed to named individuals
Optional notes and rationale for each decision
Decisions can be reviewed and updated as policies change
All decisions form part of your audit trail
Treatment Decision — CustomerName
CustomerDB.dbo.Customers.CustomerName
Classification: PersonName · Confidence 98%
R1 Retain

No action required

R2 Manage

Apply access protection

R3 Delete

Schedule for deletion

Decision notes
Customer name required for account management and communications. Legitimate basis confirmed. Masking applied for non-customer-facing roles.
Sarah Chen · DPO · Just now
Active Enforcements
CustomerDB.Customers.CustomerName
R2 · Dynamic masking · Active since 14 Jan 2026
CustomerDB.Customers.EmailAddress
R2 · Dynamic masking · Active since 14 Jan 2026
HRSystem.Employees.NationalInsuranceNo
R2 · Encrypted vault · Active since 9 Jan 2026
CustomerDB.ClosedAccounts — AccountClosedDate
R3 · 7-year retention rule · 12 records due this quarter
LegacyArchive.UserProfiles.HomeAddress
R2 · Restricted view applied · Active since 2 Feb 2026
04

Protections applied automatically.

Once your team approves a treatment, Marc applies it. R2 protections — access controls, masking, and restricted views — are configured at the database level. There's no development work required, and no need to modify applications.

R3 deletion rules are scheduled and run continuously. When records become due, they are surfaced for final approval. Approved batches are deleted, with a permanent record of every deletion retained in the audit log.

No application changes or deployment required
Protection works across all tools accessing the database
Enforcements monitored and reported continuously
05

Subject Access Requests answered in minutes.

When a data subject asks what personal data you hold about them, you have one month to respond. With Co.Marc, that response starts with a single search — across all your connected databases simultaneously.

Marc finds every record linked to the data subject, presents a structured summary, and generates a signed Subject Access Certificate as your evidence. What used to take days of manual searching is completed in minutes.

Searches across all databases simultaneously
Generates a signed Subject Access Certificate
Right to Erasure requests trigger an R3 treatment
Every SAR is logged with timestamp and outcome
Subject Access Request Complete
Data subject
James Blackwood
CustomerDB — 3 records found
OrderManagement — 14 records found
HRSystem — no matching records
LegacyArchive — no matching records
Subject Access Certificate generated · Signed
Audit Log — February 2026
09:14 R2 Protection applied · HRSystem.Employees.NationalInsuranceNo
09:11 SAR Subject Access Certificate issued · James Blackwood
08:55 R3 7 records deleted · CustomerDB.ClosedAccounts — approved by S.Chen
08:30 R1 Decision recorded · OrderManagement.Orders.OrderRef — retain
07:55 SCAN Scheduled scan complete · LegacyArchive · 3 new findings
06

Your evidence, built as you work.

Every action in Co.Marc is logged — classifications, decisions, enforcements, deletions, access requests, and schedule checks. The audit trail is built automatically as your team works, not assembled under pressure before a review.

If a regulator, auditor, or senior stakeholder asks to see how you manage personal data, your evidence is already there — comprehensive, timestamped, and attributed to named individuals.

Immutable — log entries cannot be altered
Filterable by database, action type, user, or date
Exportable for ICO submissions, internal audits, or board reporting