Metadrop Security Commitment
Our commitment to Security and Privacy
We take security and privacy seriously at Metadrop, treating them as a high priority in our day-to-day operations.
This whitepaper outlines Metadrop’s perspective on security and compliance, highlighting the measures we take to stay secure and compliant. It focuses on security controls and elaborates on processes and details of how Metadrop protects our clients’ data.
Security is our priority
We aim to create a strong security culture amongst all employees of Metadrop. We strongly believe that every employee is an essential part of our defense against potential security breaches.
This culture shapes every stage of an employee's time with us: it is present during the hiring process, during onboarding, and as part of ongoing training. All employees must be familiar with our security policies, complete security training as part of onboarding, and receive regular security training throughout their stay at Metadrop. During onboarding, new employees sign our NDA and go through OWASP training. This reflects our commitment to keeping our customers' data secure.
All employees working at Metadrop must follow our password security and lockout policy, use secure authentication (two-factor, HTTPS, etc.), have encrypted hard drives, have a secure Wi-Fi connection, and be connected by VPN when connecting remotely.
Security development practices
Metadrop's developers in the IT segment receive instruction on clean coding (e.g. PHPcs, PHPcpd, PHPmd), development best practices (e.g. Drupal coder), and the principle of least privilege (e.g. roles, users, permissions) when granting access rights. The IT department also follows multiple security-related channels to stay up to date on new threats and bad practices.
Metadrop’s security team is responsible for monitoring any suspicious activity, addressing cybersecurity threats, and performing regular health checks and audits.
Additionally, our team is tasked with monitoring compliance with the GDPR, other data protection laws, and our own data protection policies, as well as with GDPR awareness-raising, training, and audits.
We make sure that all of our endpoint devices are protected according to our Endpoint Security Policy. This means that every endpoint device has disk encryption and malware protection enabled, guest access disabled, and a regularly updated operating system. In addition, we perform continuous checks to make sure that we maintain this level of security.
Metadrop has a vulnerability management policy that includes processes such as regular web scans (e.g. OWASP-based DAST, Mozilla Observatory) and security list monitoring (e.g. the Drupal Security List) for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked as a ticket, given a priority according to its urgency, and assigned to the relevant people. Our security team tracks such issues and follows up regularly until it can confirm that they have been resolved.
We rely on first-level providers to host our projects: hosting platforms such as Acquia, OVH, or Hetzner; project management tools such as Asana, Jira, or Trello; and repository providers such as GitLab, GitHub, or Bitbucket to store code.
All providers have a geographically distributed environment to support the availability of services. Data is distributed amongst a high availability infrastructure, designed to store extremely large amounts of data across many servers.
Metadrop has a well-defined incident management process for security events that may affect the confidentiality, integrity, or availability of our clients' resources or data. If an incident occurs, the security team identifies it, reports it, assigns it to the correct resolver, and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and the shortest resolution time. The process covers plans of action and procedures for identification, escalation, mitigation, and reporting.
It is vital for us to properly test all new features before deploying them, to ensure that no unexpected vulnerabilities are introduced into the application. The QA team guarantees that all new additions to our application are bug-free prior to release. They also test new private instances for new clients just before they are handed over to our Client Services team.
All our processes are logged: we use version control systems (e.g. Git), ticketing systems (e.g. Jira, Asana), and server application logs, which are reviewed regularly to detect any possible issue.
Protecting our clients’ data
Whenever we store data, we do so with external providers, usually contracted directly by the client, which offer several layers of encryption.
Metadrop supports our customers in finding the best ways and tools to be compliant with the GDPR.
Updated: Sep 2021