Advokat Frida crest Advokat Frida SafeSeed · Toolkit
One-page brief

SafeSeed: confirmably-synthetic test data

Your non-prod environments are full of “test” data that is really production data in a fake moustache. SafeSeed generates PII-shaped values from standards-reserved never-real ranges, then leaves a tamper-evident receipt a reviewer can check rather than trust.

Four jobs, all local: Generate never-real PII-shaped values from cited ranges, Attest each run with a tamper-evident SHA-256 receipt, Verify a file is unchanged and still synthetic, and Scan existing columns for anything out of range. A CLI, npm library, and GitHub Action — zero backend, zero network, MIT.

Four honesty tiers

1 · Provably non-real
Reserved by a published standard, so never a real person or system: RFC 2606 email domains, RFC 5737 and RFC 3849 documentation IPs.
2 · Reserved, never issued
Valid in format, but the issuer sets them aside and never assigns them: NANPA 555-01xx numbers, never-issued SSN ranges.
3 · Designated for testing
Real-looking values processors publish for testing, like Stripe test cards. Fake by agreement, not by physics.
4 · Structurally fake
No standard reserves names or addresses, so they’re made obviously synthetic: TEST_Person_000142, 123 Example Way.

What it proves, and the line it won’t cross

Proves

  • Every value came from one of the four cited tiers
  • Anonymous on their own — no identifiable person (GDPR Recital 26)
  • Tamper-evident SHA-256 record — confirm, don’t trust
  • Zero network in generate, attest, and verify

Does not prove

  • Not an enforcement boundary — no access control, no interception
  • Scan checks only named columns — misses free-text and unmapped
  • Not a lawful-basis or DSAR answer; not anonymisation
  • Doesn’t resemble real data — wrong for ML or load tests
Lift verbatim into your control register
Non-production test data is generated from standards-reserved non-real ranges (SafeSeed), with a tamper-evident run record (SHA-256 content fingerprint) and a verify/scan step run in CI to confirm files are unchanged and within reserved synthetic ranges. Supports a data-minimisation / privacy-by-design posture (GDPR Art. 25) and the “selected” and “protected” elements of ISO/IEC 27001:2022 Annex A 8.33; can form part of an Art. 32 measures narrative. It does not, on its own, satisfy these in full, address A 8.33’s “managed” duties (authorization, access control, retention, deletion), or constitute anonymisation of production data.
Download SafeSeedGitHub, MIT, npmgithub.com/advokat-frida/safeseed Read the full pieceThe full SafeSeed articleadvokatfrida.com/safeseed