Metadata Consulting Ltd

Metadata Exchange

Our service provides data governance capabilities through the cloud, with tooling that allows users to curate datasets and data models. Based on the idea of a metadata registry, it includes a data dictionary linked to logical data models and mappings to existing databases, allowing data stewards to manage their data effectively.


  • XML, XSD, UML and Schema creation and management
  • Data integration and transformation
  • Auditing and upgrade of existing database schemas
  • Tagging datasets across the enterprise for particular use
  • Tagging data elements with data stewardship details
  • Linking of data elements in different databases
  • Data Dictionary
  • Data policy management
  • Metadata management
  • Dataset curation


  • Enhanced Data Quality
  • Knowledge of where your data resides in the enterprise
  • Increased security
  • Effective data management and integration
  • More reliable data
  • Data Provenance
  • Automatic model driven form creation
  • Automatic verification of business rules throughout the enterprise
  • Improved Data Governance


£5 to £100 per user per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

736501998787431


Metadata Consulting Ltd

Adam Milward


Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Data governance and data management consultancy. This cloud service can also be provided as an in-house stand-alone option.
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Maintenance is normally carried out at times when users are not online; if no such time is found, we can notify users in advance of any planned maintenance. However, maintenance is normally fairly transparent to the user, and there have not been any occurrences of prolonged downtime to date.
System requirements
Buyers need to have access to an up-to-date browser

User support

Email or online ticketing support
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Tier 0 - included in standard pricing
Tier 1 - included in standard pricing
Tier 2 - as part of a support contract starting at £500 per month, varying with the number of users.
Support available to third parties

Onboarding and offboarding

Getting started
We provide a wiki with a number of YouTube tutorials to help get users up and running
Service documentation
Documentation formats
End-of-contract data extraction
They download the data via a set of Word, Excel, PDF or XML reports
End-of-contract process
Use of the online Metadata Exchange, with access to documentation, wiki and tutorials, is included in the price of a contract.
Specific consultancy relating to a particular user's instance data is not included, but can be purchased as an extra.
At the end of the contract the user can download any particular reports, models and data that they need, or renew the contract online.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Mobile works, since we take care to use a Bootstrap/jQuery library on the frontend; however, it is very awkward and we recommend a large screen for optimal effect and usability
Service interface
What users can and can't do using the API
Users can set up the data curation service using a REST interface, and carry out most of the functions of the web interface.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
Buyers can commission plugins which can be added to their cloud instance.


Independence of resources
The cloud service for each user is handled by a separate virtual machine, as are the storage mechanisms, which are configured using AWS or Azure virtual servers configured for maximum security, flexibility and scalability.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Excel spreadsheets, XML and Word documents.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our service will be available 99.9 percent of the time, excluding scheduled maintenance time - 1 hour per month.
If the service is down for more than 30 minutes in a week then we refund 30% of the costs.
Approach to resilience
It's available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
We use a role-based access control system for all services. Users have the ability to manage users within their own organisation using the same role-based system.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
We adhere to the GOV.UK Security Policy Framework. We have a dedicated SIRO, DSO and IAOs who actively manage our security processes. We review our security policies on a quarterly basis to ensure we are compliant and up-to-date.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We are committed to automating as much of our build and test process as possible. We use GitHub (and Bitbucket) for source control and have recently moved to “gitflow lite” for release management. Git integrates with JIRA for change management and Zephyr for test management. All JIRA tasks / bugs are linked to epics and stories within the tool to provide traceability. We’ve used a variety of continuous integration servers including Jenkins, Bamboo and Travis. We run CodeNarc to assess code for consistency and basic security, as well as manual code review for every commit.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We employ an agency to review vulnerabilities and conduct pen testing. We also subscribe to Amazon Inspector and SecurityFocus to remain up-to-date with the latest threats.
We aim to patch major security vulnerabilities within 24 hours.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We employ a security agency to monitor our services and conduct regular reviews to monitor potential compromises.
We attempt to counter the compromise, whether through enhanced configuration or creating a patch.
We aim to respond within a few hours of identification of a potential compromise.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Security incidents are managed by an accredited agency. Their incident management tools integrate with our JIRA bug and task management system. Users report security incidents via our helpdesk; this is tracked by us and forwarded to our security agency, who prioritise the incidents and provide us with incident reports.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£5 to £100 per user per month
Discount for educational organisations
Free trial available
Description of free trial
28 days free trial service
