Metadrop Security Commitment
Our commitment to security and privacy
We take security and privacy seriously at Metadrop, and place them as a high priority in our daily operations.
This technical document describes Metadrop’s perspective on security and compliance, and highlights the measures we take to remain secure and compliant. It focuses on security controls and details the processes by which Metadrop protects our customers’ data.
Security is our priority
Our goal is to create a strong security culture among all Metadrop employees. We firmly believe that each employee is an essential part of our defense against potential security breaches.
This culture shapes the hiring process, employee onboarding and ongoing employee training. All our employees must be familiar with our security policies, receive security training as part of onboarding, and receive regular security training during their time at Metadrop. During onboarding, new employees sign our NDA and complete security training. This demonstrates our commitment to keeping our customers’ data safe.
All employees working at Metadrop must follow our lock and password security policy, use secure authentication (two-factor, HTTPS, etc.), have encrypted hard drives, have a secure Wi-Fi connection and be connected via VPN when connecting remotely.
Security development practices
Metadrop developers in the IT segment receive guidance on clean coding (e.g., PHPcs, PHPcpd, PHPmd), development best practices (e.g., Drupal Coder) and the principle of least privilege (e.g., roles, users, permissions) when granting access rights. The IT department also monitors various security channels to stay up to date on new threats and bad practices.
Security monitoring
The Metadrop security team is responsible for monitoring any suspicious activity, addressing cybersecurity threats and conducting regular health checks and audits.
In addition, our team is tasked with monitoring compliance with GDPR and other data protection laws, maintaining our data protection policies, running awareness and training sessions, and conducting GDPR audits.
Security management
Endpoint Security
We ensure that all our endpoint devices are protected in accordance with our Endpoint Security Policy. This means every endpoint has disk encryption and malware protection, has guest access disabled and runs an operating system that is updated periodically. We also carry out continuous checks to ensure we maintain this level of security.
Vulnerability management
Metadrop has a vulnerability management policy that includes processes such as regular web scans (e.g., OWASP-based DAST, Mozilla Observatory) and security list monitoring (e.g., Drupal security list) to detect potential threats. Once a vulnerability requiring our attention is identified, it is followed up, prioritized according to its urgency and assigned to relevant people as a ticket. Our security team tracks these issues and follows up periodically until they can verify that they have been resolved.
Availability
We work with top-tier providers for our projects: hosting platforms such as Acquia, OVH or Hetzner; project management tools such as Asana, Jira or Trello; and code repository providers such as GitLab, GitHub or Bitbucket.
All providers have a geographically distributed environment to support service availability. Data is distributed across a high-availability infrastructure, designed to store extremely large amounts of data on many servers.
Incident management
Metadrop has a well-defined incident management process for security events that may affect the confidentiality, integrity or availability of our clients’ resources or data. If an incident occurs, the security team identifies it, reports it, assigns it to the correct resolver and prioritizes its resolution based on its urgency. Events that directly affect our clients are always given the highest priority and the shortest resolution time. This process includes action plans, identification, escalation, mitigation and reporting procedures.
Quality assurance
It is vital for us to properly test all new features before deploying them to ensure that no unexpected vulnerabilities are introduced into the application. The quality control team ensures that all new additions to our application are error-free before release. They also test new private instances for our new clients just before they reach our Customer Service team.
Traceability
All our processes are logged. We use version control systems (e.g., Git), ticketing systems (e.g., Jira, Asana) and server logs, all of which are reviewed periodically to detect any potential issues.
Protection of our customers’ data
Data encryption
Whenever we store data, we do so with external providers, usually contracted directly by the client, who have multiple layers of encryption.
GDPR compliance
Metadrop helps our clients find the best ways and tools to comply with GDPR.
Updated: September 2021
National security scheme (ENS) certification
Metadrop proudly holds certification under Spain’s National Security Scheme (ENS - Esquema Nacional de Seguridad). Being ENS certified demonstrates that Metadrop meets the strictest requirements to protect information and services for both public sector clients and private organizations alike.
This certification applies to all Public Sector bodies and the suppliers who support them, offering a common framework of security principles, requirements, and measures.
The ENS aims to guarantee access, confidentiality, integrity, traceability, authenticity, availability, and long-term preservation of information managed by electronic means.
It is closely aligned with European standards, including:
- GDPR (General Data Protection Regulation)
- NIS and NIS2 Directives (network and information security)
- International standards like ISO 27001 and ISO 27002
- Best practices from ENISA (European Union Agency for Cybersecurity)
The ENS framework evolves constantly, with major updates in 2015 and most recently under Royal Decree 311/2022.

Security development practices
Our developers are trained not only in security awareness but also in practical secure coding techniques.
We emphasize:
- Clean coding standards (PHPcs, PHPcpd, PHPmd)
- Development best practices (Drupal Coder)
- Principle of least privilege when setting roles, permissions, and access rights
The IT department continually monitors trusted security channels to stay ahead of emerging threats and vulnerabilities.
Security monitoring
Metadrop’s security team actively monitors for suspicious activities, assesses risks, and performs regular system health checks and audits.
They also oversee GDPR compliance, deliver training sessions, and ensure internal data protection policies are always enforced.
Security management
Endpoint security
All endpoint devices are protected according to our Endpoint Security Policy, including:
- Disk encryption
- Malware protection
- Disabling guest access
- Regular OS updates
We perform continuous audits to maintain high security standards across all devices.
Vulnerability management
Our process includes:
- Regular web scans (using tools like OWASP-based DAST, Mozilla Observatory)
- Monitoring security bulletins (e.g., Drupal Security List)
- Prioritized tracking, ticketing, and resolution of any detected vulnerabilities
Availability
Metadrop relies on premier providers such as Acquia, OVH, Hetzner, GitLab, GitHub, and Bitbucket.
Their globally distributed infrastructures ensure high availability, redundancy, and resilience for hosted projects.
Incident management
Our incident response process includes:
- Immediate identification and reporting
- Assigning responsible resolvers
- Prioritization based on urgency
- Escalation, mitigation, and transparent reporting to affected clients
Customer-facing incidents are always handled with the highest urgency.
Quality assurance
All features and updates undergo rigorous QA testing to eliminate vulnerabilities before release.
The QA team also validates new private instances before delivering them to client services.
Traceability
We log all development and operational activities using:
- Version control systems (e.g., Git)
- Ticketing systems (e.g., Jira, Asana)
- Regular server application log reviews
Protecting our clients’ data
Data encryption
We store data on external providers, typically contracted by clients, ensuring that it is protected with multiple encryption layers.
GDPR compliance
We actively help clients choose the best tools and practices to meet GDPR obligations and protect personal data.
Updated: May 2025