I haven't been able to find anything online, but would appreciate any thoughts on this subject. I understand best practice is to have a few lower level environments (e.g. dev, QA, Test, Stage). Are there any best practices on what data you have in your lower level environments? Currently, what I often see is DBAs replicating data in production down to these environments which have sensitive data. This is great for a developer because they can verify their code against real production data. However, from a security standpoint there must be a better way. For example, have a tool that generates data based on specifications. What do you do in your environments and why?