Metadata Consulting Ltd

Metadata Exchange

Our service provides data governance capabilities through the cloud with tooling that allow users to curate datasets and data models. Based on the idea of a metadata registry, it includes a data dictionary linked to logical data models and mappings to existing databases allowing data stewards manage their data effectively.


  • XML, XSD, UML and Schema creation and management
  • Data integration and transformation
  • Auditing and upgrade of existing database schemas
  • Tagging datasets across the enterprise for particular use
  • Tagging data elements with data stewardship details
  • Linking of data elements in different databases
  • Data Dictionary
  • Data policy management
  • Metadata management
  • Dataset curation


  • Enhanced Data Quality
  • Knowledge of where your data resides in the enterprise
  • Increased security
  • Effective data management and integration
  • More reliable data
  • Data Provenance
  • Automatic model driven form creation
  • Automatic verification of business rules throughout the enterprise
  • Improved Data Governance


£5 to £100 per user per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

7 3 6 5 0 1 9 9 8 7 8 7 4 3 1


Metadata Consulting Ltd

Adam Milward


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Data governance and data management consultancy, this cloud service can also be provided as an in-house stand-alone option
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints Maintenance is normally carried out at times when users are not online, if no such time is found then we can notify users in advance of any planned maintenance. However maintenance is normally fairly transparent to the user, there have not been any occurrences of prolonged downtime to date.
System requirements Buyers need to have access to an up-to-date browser

User support

User support
Email or online ticketing support No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels Tier 0 - included in standard pricing
Tier 1 - included in standard pricing
Tier 2 - as part of a support contract starting at £500 per month - varying on number of users.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a wiki with a number of you tube tutorials to help get users up and running
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction They download the data via a set of word, excel, pdf or xml reports
End-of-contract process Use of a the online metadata exchange, with access to documentation, wiki and tutorials is included in the price of a contract.
Specific consultancy relating to a particular users instance data is not included, but can be purchased as an extra.
At the end of the contract the user can download any particular reports, models and data that they need, or renew the contract online.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile works, since we take care to use a bootstrap/jquery library on the frontend, however it is very awkward and we recommend a large screen for optimal effect and useability
Service interface No
What users can and can't do using the API Users can set up the data curation service using a REST interface, and carry out most of the functions of the web interface.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Buyers can commission plugins which can be added to their cloud instance.


Independence of resources The cloud service for each user is handled by a separate virtual machine, as are the storage mechanisms which are configured using AWS or Azure virtual servers configured for maximum security, flexibility and scale-ability.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Excel spreadsheets, XML and word documents.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Our service will be available 99.9 percent of the time, excluding scheduled maintenance time - 1 hour per month.
If the service is down for more than 30minutes in a week then we refund 30% of the costs
Approach to resilience Its available on request
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels We use a role based access control system for all services, users have the ability to manage users within there own organisation using the same role based system
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We adhere to the gov uk security policy framework. We have a dedicated SIRO, DSO and IAOs who actively manage our security processes. We review our security policies on a quarterly basis to ensure we are compliant and up-to-date.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach We are committed to automating as much of our build and test process as possible. We use github (and bitbucket) for source control and have recently moved to “gitflow lite” for release management. Git integrates with JIRA for change management and Zephyr for test management. All JIRA tasks / bugs are linked to epics and stories within the tool to provide traceability. We’ve used a variety of continuous integration servers including Jenkins, Bamboo and Travis. We run codenarc to assess code for consistency and basic security, as well as manual code review for every commit.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We employ an agency to review vulnerabilities and conduct pen testing. We also subscribe to amazon inspector, security focus to remain up-to-date with the latest threats.
We aim to patch major security vulnerabilities within 24hrs.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We employ a security agency to monitor our services and conduct regular reviews to monitor potential compromises.
We attempt to counter the compromise, whether through enhanced configuration or creating a patch.
We aim to respond within a few hours of identification of a potential compromise.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Security incidents are managed by an accredited agency. Their incident management tools integrate with our JIRA bug and task management system. Users report security incidents via our helpdesk this is tracked by us and forwarded to our security agency, who prioritise the incidents, and provide us with incident reports.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5 to £100 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial 28 days free trial service

Service documents

Return to top ↑