Submitted Sessions

Security and privacy compliance certifications—like SOC 2 (a leading audit standard for security, availability, and confidentiality) and HITRUST (a healthcare-focused security framework) — are becoming requirements for healthcare, finance, and other high-trust industries. Waiting until audit season to start to prepare can be overwhelming.

This session shares engineering-side lessons from Encore Healthcare’s journey to SOC 2 and HITRUST readiness. Instead of a checklist of requirements, we’ll focus on designing systems, processes, and documentation so you’re always ready to provide evidence to an auditor. We’ll walk through how we integrated compliance into our SDLC, infrastructure, access control, logging, and team processes—what worked, what didn’t, and the pitfalls we wish we’d avoided.

You’ll leave with a blueprint for making security compliance part of your natural engineering workflow, not a stressful scramble.

Learning Objectives

By the end of this session, attendees will be able to:

1. Apply engineering practices (SDLC, logging, IaC, access control) that generate audit-ready evidence automatically.
2. Perform internal reviews (onboarding checklists, policy adherence, vendor management) that reduce last-minute compliance gaps.
3. Develop a practical plan for working with consultants, clarifying ambiguous audit requests, and avoiding common pitfalls in SOC 2/HITRUST readiness.

Target Audience

• Engineering leaders and senior developers responsible for compliance-sensitive Drupal applications
• DevOps and infrastructure teams preparing for SOC 2 or HITRUST
• Technical managers balancing product delivery with compliance requirements

Prerequisites

• Familiarity with modern software development practices (version control, CI/CD, IaC)
• Experience operating Drupal or other SaaS/web applications in production
• No prior compliance experience required — this is about engineering preparation, not legal fine print

Version control is a must-have in today’s web development landscape, yet many CMS developers find themselves grappling with Git workflows that are specifically designed for content-rich projects. In this session, we’ll dive into:

1. The basics of Git for CMS teams
2. Different branching strategies, including Git Flow and Trunk-Based Development
3. How to manage configuration and database changes in CMS settings
4. Helpful tips for integrating Git with CI/CD pipelines for platforms like Drupal and others 

Whether you’re just starting out with Git or you’re aiming to polish your existing workflow, this talk is here to help you enhance collaboration and ease those deployment challenges.

This session provides a comprehensive overview of Drupal's caching layers. We will start with the fundamentals of cacheable metadata, including cache tags, contexts, and max-age, which are the building blocks of the Cache API. Then, we'll dive into the render pipeline and fragment caching, exploring how Drupal caches parts of the render tree.

Next, the session will cover response caching, contrasting Dynamic Page Cache and Page Cache. We'll also discuss how to leverage reverse proxies and CDNs for even greater performance.

Finally, we'll equip you with practical skills for debugging the cache and writing cache-aware code, including creating custom cache contexts and avoiding common pitfalls like unintentionally uncacheable blocks.

This session is for Drupal developers and site builders that to build reliable and performant websites that update automatically without requiring constant cache rebuilds.

Merlin of Chaos created Drupal Views back in 2003 and it remains a Drupal super-power to this day. Ironically, it creates order from chaos. It is the ultimate list maker and report generator with access to nearly everything that is contained in Drupal.  This is an introduction to Views that will benefit site builders, designers, content managers, and developers of all sorts. Learn to leverage the power of Views to make your Drupal site more useful. Content for this session was graciously contributed to by DrupalEasy. 

Choosing the right content management system (CMS) can truly shape the success of your digital experience strategy. In this session, we’ll take a closer look at how Drupal stacks up against other well-known platforms like WordPress, Craft CMS, and Adobe Experience Manager (AEM) in terms of architecture, scalability, and customization. Here’s what we’ll cover: 

1. How each CMS approaches content modeling and flexibility
2. Key performance and scalability factors for large-scale projects
3. Insights on security, community support, and extensibility
4. When Drupal shines and when it might be wise to consider other options 

By the end of this session, attendees will walk away with a solid grasp of the strengths and weaknesses of each CMS, empowering them to make well-informed choices for their upcoming projects.

Just like Atreyu’s epic quest, the journey toward digital accessibility is never truly over. Standards evolve, technologies shift, and new contributors appear out of the Nothing to add features and documentation that might undo your careful compliance. Even if your code and design follow today’s guidelines, tomorrow’s update can send you straight back into the Swamps of Sadness.

In this session, we’ll explore how to keep accessibility alive throughout the lifecycle of your open source projects, from the first line of code to ongoing maintenance. You’ll learn how to chase the next accessibility dragon without losing the magic you started with. We’ll even consult the Oracles of WCAG and peek into the mysterious new lands shaped by the European Accessibility Act to see what’s coming next for inclusive design.

Attendees will leave this adventure with:

• Ways to improve accessibility on existing projects without getting lost in the clouds over Fantasia
• Strategies for getting stakeholder and team buy-in to keep accessibility a long-term priority
• Tips on testing across browsers, devices, and assistive technologies (your modern-day luck dragons)
• A treasure map of free tools to keep your sites compliant before and after deployment
• A glimpse of what’s on the horizon for WCAG and the EAA, because this story, like accessibility, truly never ends

Drupal 10.3 quietly introduced a powerful new tool for handling complex access control: the Access Policy API. And if you missed it, you’re not alone.

Roles have always been Drupal’s primary tool for granting permissions. But as projects grow more complex, teams often end up battling role explosion — creating more and more narrowly-defined roles just to capture specific business rules. And when roles aren’t enough, access logic gets scattered across hooks, services, and conditionals.

The Access Policy API gives developers a flexible alternative: a clean, centralized way to grant permissions based on real-world conditions — without overloading  or multiplying roles, or scattering access logic throughout a codebase.

In this session, you’ll learn:

• What changed in Drupal core with the introduction of the Access Policy API
• The anatomy of an access policy — how policies are structured, how they work, and how to write your own
• How to decide when to use roles, policies, or both
• How access policies can save time for site administrators by reducing role clutter and simplifying permission management
• What documentation and community resources exist for understanding the API 

If you’ve ever struggled to model complex access rules cleanly in Drupal, this talk will give you new tools — and a new way to think about permissions.

Single Directory Components have changed the way some Drupal sites are themed. Drupal Canvas (formerly Experience Builder) has the potential to change how some Drupal sites are built. What happens when both are available widely?

In this session, we'll take a look at how to create forward-looking Single Directory Components that will integrate nicely with Drupal Canvas. We'll cover the basics of SDCs (especially their component.yml files) as well as demonstrate SDC usage inside of Drupal Canvas.