Technical audit

We offer Drupal technical audits on multiple levels. An audit will help to make the right business decisions and will lead to quicker and more accurate estimates from developers.

What are the benefits of an audit?

Our review may uncover opportunities for improvements regarding performance, SEO, accessibility, code quality, data privacy, security, and maintainability. Existing risks and problems are also reported.

When do you need an audit? 

  • If you are concerned about the general quality of your Drupal project or about specific aspects such as performance, security, or data privacy.
  • If you are planning a major development and want to establish a baseline, uncovering easy opportunities and potential pitfalls.
  • Before migration from Drupal 7, 8, or 9 to 10.

Why us?

We've been working with Drupal since version 4. We currently provide audits for Drupal 7, 8, and 9, with transparency at the core of our mindset. We use standard tools and practices to measure and assess.

Audit types we provide

Quick review

We can perform this audit based solely on the code, even without access to the database, the site, or the production environment. On the functional level, we require only a short brief: a basic understanding of the purpose of the core feature set.

Typical parts of a quick Drupal audit:

  • Executive summary for the management, from a business perspective. No deep IT knowledge is required to understand this.
  • Lighthouse. Google's open-source audit tool helps us to review the main performance, SEO, good practice and accessibility scores of the public part of the project.
  • Traffic. We will ask for some basic analytics data e.g. monthly and peak time visitor and pageview count, and the geographical distribution of the audience.
  • Integrations. We will ask for and also discover and assess any 3rd party integrations on the frontend and backend.
  • We will check the technical solutions on the codebase layer.
  • We will check the proportion of contrib vs. custom modules.
  • We will get some base information regarding the quality of the code.
  • Drupal coding standards and best practices compliance.
  • Documentation quality.
  • We will find out to what extent the system was maintained and built on a professional level.
  • Were the security updates installed?
  • Automated test coverage.
  • We will check whether the system is future-proof e.g. if a Drupal 8 site is "Drupal 10 ready".
  • We will check and review whether the system has any easy-to-discover security vulnerabilities.

Full Drupal audit

A full copy (backup) or access to the live environment is required to perform this audit. We will also need to understand the functionality in depth, so we will need user manuals and user stories. A Quick review audit is a prerequisite for the full Drupal audit.

Typical parts of a full Drupal audit:

  • Executive summary for the management, from a business perspective. No deep IT knowledge is required to understand this.
  • Frontend theme review.
  • Display architecture.
  • Content architecture.
  • User accounts, roles, permissions, and access management.
  • APIs.
  • Performance.
  • Security vulnerability scanning.
  • Codebase review.
  • Development and maintainability.
  • Infrastructure.

Data privacy, or GDPR audit

We thoroughly analyze your Drupal solutions, identify where personal data is stored and how it is processed, map the data flow, and finally propose solutions to ensure your GDPR compliance.

Parts of the Drupal GDPR audit:

  • Data discovery, data flow mapping for your Drupal database, core and contrib modules.
  • Data security and protection
  • Data protection by design and by default
  • Records of processing activities
  • Custom solution and integration discovery
  • Data protection impact assessment
  • Data minimisation and Storage limitation
  • And many special audits based on your custom system

It’s always the client’s decision what to implement or automate, on what level, and what security measures to undertake. We’ve mastered a set of tools that are a reasonable step to utilize, e.g. for:

  • Anonymization
  • Encryption supported by our trusted partner Lockr.io
  • Data subject rights
  • Personalized cookie consent solution capable of blocking even 3rd party cookies.
  • Consents for forms
  • And even more: we can deliver an organisation-wide centralized solution.

General findings and conclusion

In each audit, we provide recommendations along with our findings, in a form that is understandable for management and detailed enough for IT.
