When working with Salesforce, there's an important distinction between metadata and data:
The structure of a Salesforce org is encoded in “The Metadata”. When a user makes changes through the Salesforce Setup menu or adds a new Apex class, they're altering the metadata.
The actual business information stored inside the Salesforce org is “The Data”. When a customer’s contact information is added into the Account object, that's adding data. Each data item in Salesforce is known as a record.
As a rough analogy, think of a spreadsheet. There are the column names and the rows in the table. The column names (e.g. “Name”, "Email address", "Date of birth") are metadata. The actual rows containing the names and email addresses are the data.
In the Salesforce world, take a simple example of a customer record. The fields “first name” and “last name” would be metadata, while “John” and “Smith” are data.
What is metadata?
Metadata is the fields, configuration, code, and logic of the underlying structure that's used to store the data records. Metadata also determines how Salesforce applications look, feel, and function.
The terms "customizations" and "metadata" are often used interchangeably in Salesforce.
There are well over 100 different types of metadata. Each one represents a different way in which the function of an org can be customised. Although we won't list every type here, there are a few broad categories into which metadata tends to fall:
Data: The core components that set the data structure of the org, and on top of which most other customisations are built. This will include Custom Objects, Custom Fields, Custom Apps, Value Sets, and Picklists.
Programmability: Custom code built on top of the platform. This includes Apex Classes, Components, Tests, and Triggers.
Presentation: Modifications to how end-users interact with the platform, such as VisualForce, Lightning pages and components, and Layouts.
Permissions and security model: The security model to ensure everyone has the correct access to org records. This includes field-level Security (FLS), Profiles, Permission Sets, Security settings, Roles, and Sharing Rules.
Other: A mish-mash of many other different metadata component types. This list includes things such as Email templates, Reports, Static Resources, Flows, Workflows, and Documents.
This is just a short list of some of the most common metadata types. For a full list, see the Salesforce API documentation.
What is data?
Data is the records that a business relies on, such as Users, Accounts, Contacts, and Leads. Every new customer, every phone number, every email, and every purchase is data. The scope of the data collected by an org is almost limitless, and is defined by the nature and purpose of the company using the org.
Data does not define the shape of an org. Data simply fill the configuration defined by the metadata.
Security implications of metadata versus data
For the most part, metadata is not considered sensitive information. Metadata encodes the structure of an org. It does not contain sensitive information about the records within it. As such, metadata doesn't fall under data regulations such as HIPAA or GDPR.
Data is highly sensitive. It comprises business information such as customer lists, purchase history, and internal documentation and processes. Data may include items such as credit card numbers and social security numbers, which have additional compliance and regulatory controls in place. Data should always be treated as confidential.