← All posts

Metadata-Only Scanning: How MyVaultMate Finds PII Without Storing It

June 1, 2026 · admin@myvaultmate.com

There's a paradox at the heart of data discovery: to protect sensitive data, you have to find it — but a careless scan can copy that data into a report and multiply the risk it was meant to reduce. MyVaultMate is built to avoid that trap.

What "metadata-only" means

For every finding, MyVaultMate records:

  • the PII type (SSN, payment card, date of birth, phone, email, health record, other),
  • the severity,
  • the file path where it was found,
  • an optional redacted sample such as ***-**-1234,
  • and the detection time.

What it never stores is the raw detected value. The finding record has no field for it, and the agent ignores any stray raw value a client might send. The result tells you exactly where to act without ever centralizing the sensitive data itself.

Why this design matters

  • Smaller blast radius: the dashboard isn't a honeypot of plaintext PII.
  • Easier compliance: you reduce risk instead of relocating it.
  • Confident adoption: teams can scan freely, knowing the tool isn't hoarding their data.

Defense in depth around it

Agent API tokens are stored as SHA-256 hashes, scoped per organization, and revocable. Findings are visible only to members of the organization that owns them. Discovery you can trust is discovery you'll actually run — and a scan you run regularly is worth far more than a perfect one you avoid.