When working with Salesforce, there is an important distinction between metadata and data:
The structure of a Salesforce org is encoded in “The Metadata”. When a user makes changes through the Salesforce Setup menu or adds a new Apex class, they're altering the metadata.
The actual business information stored inside the Salesforce org is “The Data”. When a customer’s contact information is added into the Account object, that's adding data. Each data item in Salesforce is known as a record.
As a rough analogy, think of a spreadsheet. There are the column names and the rows in the table. The column names (e.g. “Name”, "Email address", "Date of birth") are metadata. The actual rows containing the names and email addresses are the data.
In the Salesforce world, take a simple example of a customer record. The fields “first name” and “last name” would be metadata, while “John” and “Smith” is the data.
What is metadata
Metadata is the fields, configuration, code, and logic of the underlying structure which is used to store the data records. Metadata also determines how Salesforce applications look, feel and function.
The terms customizations and metadata are often used interchangeably in Salesforce.
There are well over 100 different types of metadata. Each one represents a different way in which the function of an org can be customised. Although we won't list every type here, there are a few broad categories into which metadata tends to fall:
Data: The core components which set the data structure of the org, and on top of which most other customisations are built. This will include Custom objects, Custom Fields, Custom Apps, Value Sets, and Picklists.
Programmability: Custom code built on top of the platform. This includes Apex: Classes, Components, Tests, and Triggers.
Presentation: Modifications to how end users interact with the platform, such as VisualForce, Lightning pages and components, and Layouts.
Permissions and security model: The security model to ensure everyone has the correct access to org records. This includes Field Level Security, Profiles, Permission Sets, Security settings, Roles, and Sharing Rules.
Other: A mish-mash of many other different metadata component types. This list includes things such as Email templates, Reports, Static Resources, Flows, Workflows and Documents.
This is just a short list of some of the most common metadata types. For a full list, see the Salesforce API documentation.
What is data
The records that a business relies on, such as Users, Accounts, Contacts, and Leads, are data. Every new customer, every phone number, every email, and every purchase is data. The scope of the data collected by an org is almost limitless, and is defined by the nature and purpose of the company using the org.
Data does not define the shape of an org. Data simply fills the configuration defined by the metadata.
Security implications of metadata versus data
For the most part, metadata is not considered sensitive information. Metadata encodes the structure of an org. It does not contain sensitive information about the records within it. As such, metadata doesn't fall under data regulations such as HIPAA or GDPR.
Data is highly sensitive. It comprises business information such as customer lists, purchase history, and internal documentation and processes. Data may include items such as credit card numbers and social security numbers which have additional compliance and regulatory controls in place. Data should always be treated as confidential.