Explanation
To ensure sensitive information needed for email sends is not imported and stored in Marketing Cloud, NTO should implement Tokenized Sending4. Tokenized Sending is a feature that allows NTO to send emails using encrypted tokens instead of actual email addresses. The tokens are generated by an external system and stored in a secure database outside of Marketing Cloud. When NTO sends an email, Marketing Cloud sends the token to the external system, which decrypts it and returns the actual email address. This way, NTO can avoid importing and storing sensitive information in Marketing Cloud. The other options are incorrect because:
Transparent Data Encryption. This is a feature that encrypts data at rest in Marketing Cloud using encryption keys managed by Salesforce. However, this feature does not prevent NTO from importing and storing sensitive information in Marketing Cloud; it only protects it from unauthorized access5.
Key Management. This is a feature that allows NTO to manage their own encryption keys for data at rest in Marketing Cloud using an external key management system. However, this feature does not prevent NTO from importing and storing sensitive information in Marketing Cloud; it only gives them more control over their encryption keys.
Field Level Encryption. This is a feature that encrypts specific fields in data extensions using encryption keys managed by NTO. However, this feature does not prevent NTO from importing and storing sensitive information in Marketing Cloud; it only encrypts it within data extensions.