Metadrop Security Commitment

Our commitment to security and privacy

At Metadrop, security and privacy are not optional extras — they are core pillars of how we operate every single day. We treat protecting our clients' data with the highest priority, embedding security best practices across our company, our projects, and our people.

This page outlines our perspective on security and compliance, highlighting the measures we take to keep your data protected. It covers the controls, certifications, processes, and culture that form the foundation of our security approach.

Security is our priority

We believe that a strong security culture starts with our people. Every employee at Metadrop is trained to be an active part of our defense against potential breaches.

From the hiring stage, through onboarding, and with regular training, all employees learn our security policies, sign NDAs, and undergo OWASP training. Ongoing education ensures everyone remains alert and up-to-date.

We enforce strict practices across the board, including:

  • Password security and lockout policies
  • Secure authentication (2FA, HTTPS)
  • Encrypted hard drives
  • Secure Wi-Fi connections
  • VPN usage for remote work

Our mindset: security is everyone’s job, not just the IT team’s.

National security scheme (ENS) certification

Metadrop proudly holds certification under Spain’s National Security Scheme (ENS - Esquema Nacional de Seguridad). Being ENS certified demonstrates that Metadrop meets the strictest requirements to protect information and services for both public sector clients and private organizations alike.

This certification applies to all Public Sector bodies and the suppliers who support them, offering a common framework of security principles, requirements, and measures.

The ENS aims to guarantee access, confidentiality, integrity, traceability, authenticity, availability, and long-term preservation of information managed by electronic means.
It is closely aligned with European standards, including:

  • GDPR (General Data Protection Regulation)
  • NIS and NIS2 Directives (network and information security)
  • International standards like ISO 27001 and ISO 27002
  • Best practices from ENISA (European Union Agency for Cybersecurity)

The ENS framework evolves constantly, with major updates in 2015 and most recently under Royal Decree 311/2022. 
 

ENS Certificate
distintivo_ens_certificacion

Security development practices

Our developers are trained not only in security awareness but also in practical secure coding techniques.
We emphasize:

  • Clean coding standards (PHPcs, PHPcpc, PHPmd)
  • Development best practices (Drupal Coder)
  • Principle of least privilege when setting roles, permissions, and access rights

The IT department continually monitors trusted security channels to stay ahead of emerging threats and vulnerabilities.

Security monitoring

Metadrop’s security team actively monitors for suspicious activities, assesses risks, and performs regular system health checks and audits.

They also oversee GDPR compliance, deliver training sessions, and ensure internal data protection policies are always enforced.

Security management

Endpoint security
All endpoint devices are protected according to our Endpoint Security Policy, including:

  • Disk encryption
  • Malware protection
  • Disabling guest access
  • Regular OS updates

We perform continuous audits to maintain high security standards across all devices.

Vulnerability management
Our process includes:

  • Regular web scans (using tools like OWASP-based DAST, Mozilla Observatory)
  • Monitoring security bulletins (e.g., Drupal Security List)
  • Prioritized tracking, ticketing, and resolution of any detected vulnerabilities

Availability
Metadrop relies on premier providers such as Acquia, OVH, Hetzner, GitLab, GitHub, and Bitbucket.
Their globally distributed infrastructures ensure high availability, redundancy, and resilience for hosted projects.

Incident management
Our incident response process includes:

  • Immediate identification and reporting
  • Assigning responsible resolvers
  • Prioritization based on urgency
  • Escalation, mitigation, and transparent reporting to affected clients

Customer-facing incidents are always handled with the highest urgency.

Quality assurance
All features and updates undergo rigorous QA testing to eliminate vulnerabilities before release.
The QA team also validates new private instances before delivering them to client services.

Traceability
We log all development and operational activities using:

  • Version control systems (e.g., Git)
  • Ticketing systems (e.g., Jira, Asana)
  • Regular server application log reviews

Protecting our clients’ data

Data encryption
We store data on external providers, typically contracted by clients, ensuring that it is protected with multiple encryption layers.

GDPR compliance
We actively help clients choose the best tools and practices to meet GDPR obligations and protect personal data.

Updated: May 2025

Values