Submitted Sessions

Security and privacy compliance certifications—like SOC 2 (a leading audit standard for security, availability, and confidentiality) and HITRUST (a healthcare-focused security framework) — are becoming requirements for healthcare, finance, and other high-trust industries. Waiting until audit season to start to prepare can be overwhelming.

This session shares engineering-side lessons from Encore Healthcare’s journey to SOC 2 and HITRUST readiness. Instead of a checklist of requirements, we’ll focus on designing systems, processes, and documentation so you’re always ready to provide evidence to an auditor. We’ll walk through how we integrated compliance into our SDLC, infrastructure, access control, logging, and team processes—what worked, what didn’t, and the pitfalls we wish we’d avoided.

You’ll leave with a blueprint for making security compliance part of your natural engineering workflow, not a stressful scramble.

Learning Objectives

By the end of this session, attendees will be able to:

1. Apply engineering practices (SDLC, logging, IaC, access control) that generate audit-ready evidence automatically.
2. Perform internal reviews (onboarding checklists, policy adherence, vendor management) that reduce last-minute compliance gaps.
3. Develop a practical plan for working with consultants, clarifying ambiguous audit requests, and avoiding common pitfalls in SOC 2/HITRUST readiness.

Target Audience

• Engineering leaders and senior developers responsible for compliance-sensitive Drupal applications
• DevOps and infrastructure teams preparing for SOC 2 or HITRUST
• Technical managers balancing product delivery with compliance requirements

Prerequisites

• Familiarity with modern software development practices (version control, CI/CD, IaC)
• Experience operating Drupal or other SaaS/web applications in production
• No prior compliance experience required — this is about engineering preparation, not legal fine print

Drupal 10.3 quietly introduced a powerful new tool for handling complex access control: the Access Policy API. And if you missed it, you’re not alone.

Roles have always been Drupal’s primary tool for granting permissions. But as projects grow more complex, teams often end up battling role explosion — creating more and more narrowly-defined roles just to capture specific business rules. And when roles aren’t enough, access logic gets scattered across hooks, services, and conditionals.

The Access Policy API gives developers a flexible alternative: a clean, centralized way to grant permissions based on real-world conditions — without overloading  or multiplying roles, or scattering access logic throughout a codebase.

In this session, you’ll learn:

• What changed in Drupal core with the introduction of the Access Policy API
• The anatomy of an access policy — how policies are structured, how they work, and how to write your own
• How to decide when to use roles, policies, or both
• How access policies can save time for site administrators by reducing role clutter and simplifying permission management
• What documentation and community resources exist for understanding the API 

If you’ve ever struggled to model complex access rules cleanly in Drupal, this talk will give you new tools — and a new way to think about permissions.

Just like Atreyu’s epic quest, the journey toward digital accessibility is never truly over. Standards evolve, technologies shift, and new contributors appear out of the Nothing to add features and documentation that might undo your careful compliance. Even if your code and design follow today’s guidelines, tomorrow’s update can send you straight back into the Swamps of Sadness.

In this session, we’ll explore how to keep accessibility alive throughout the lifecycle of your open source projects, from the first line of code to ongoing maintenance. You’ll learn how to chase the next accessibility dragon without losing the magic you started with. We’ll even consult the Oracles of WCAG and peek into the mysterious new lands shaped by the European Accessibility Act to see what’s coming next for inclusive design.

Attendees will leave this adventure with:

• Ways to improve accessibility on existing projects without getting lost in the clouds over Fantasia
• Strategies for getting stakeholder and team buy-in to keep accessibility a long-term priority
• Tips on testing across browsers, devices, and assistive technologies (your modern-day luck dragons)
• A treasure map of free tools to keep your sites compliant before and after deployment
• A glimpse of what’s on the horizon for WCAG and the EAA, because this story, like accessibility, truly never ends

Drupal Canvas introduced Code Components in early 2025, opening a new avenue for Drupal frontend engineering by shipping a zero-setup, in-browser code editor, and out-of-the-box support for React and Tailwind CSS. A lot has happened since then. As the technical lead for Code Components, I've watched the possibilities steadily grow as Drupal Canvas has matured and become stable.

New features have been introduced to support data fetching and Next.js-style image optimization. Experiments are underway to support server-side rendering and third-party imports. Editing Code Components is no longer bound to the browser: A CLI tool makes it possible to work with them in any development environment. This opens up interesting opportunities, such as building decoupled frontends.

This session will discuss different approaches and techniques for working with Code Components in Drupal Canvas, as well as the current state of all features, experiments, and plans for the future.

During the transition from Drupal 7 to 9 there was much hate for the front end experience of Drupal Development. What with Twig being new, the dependence on jQuery, and limitations to CSS, many believed that Decoupled was the new way to go.

Now we have a better understanding of Twig, Single Directory Components, and more options with native CSS. As well, now we have better caching and libraries. In this talk I will highlight these technologies which make the Frontend experience once again the way to go. 

The Events module is a useful tool for Drupal camp event-organizers to schedule featured speakers, customized sessions, and event job listings to the various sponsors. 

What is the best way to begin creating an automated test script for a contributed module? How do you go about making a standardized and enterprise standard test for you to contribute, apply, and share with your own organization? 

There are many steps in the process of making a useful automation test for your contributed module, so you can save time in testing and improve your test driven workflow toward a site feature you consistently work with.  

This session will go over the common practices that are used from: developing a test with targeting the right elements in your script, to refactoring your test script to code-standards, as well as ensuring generic application and test reliance as well. 

Discover how you can improve your existing testing workflow, contribute your own test to the Drupal work space, and use automated testing for your existing modules within your team.

Choosing the right content management system (CMS) can truly shape the success of your digital experience strategy. In this session, we’ll take a closer look at how Drupal stacks up against other well-known platforms like WordPress, Craft CMS, and Adobe Experience Manager (AEM) in terms of architecture, scalability, and customization. Here’s what we’ll cover: 

1. How each CMS approaches content modeling and flexibility
2. Key performance and scalability factors for large-scale projects
3. Insights on security, community support, and extensibility
4. When Drupal shines and when it might be wise to consider other options 

By the end of this session, attendees will walk away with a solid grasp of the strengths and weaknesses of each CMS, empowering them to make well-informed choices for their upcoming projects.

If recognizing the value of neurodiversity is the first step, the next is changing systems, environments, and behaviours to actually support neurodivergent people. Neuroinclusive spaces use the ethos of Universal Design.

Universal design (UD) is a concept that involves designing products and environments to be usable by as many people as possible, regardless of age, size, ability, or disability. The goal is to maximize usability without the need for specialized design or adaptation. UD can be applied to many things, including buildings, services, tools, learning strategies, and physical spaces. It focuses on equity in design.

This session will move beyond why neurodiversity matters and focus on how to operationalize inclusion at every level of an organization, from hiring, to team culture, to leadership practices.

It offers practical strategies for building neuro inclusive organizations by applying the principles of Universal Design to workplace systems, culture, and leadership. Participants will learn how to identify hidden barriers and implement changes that foster clarity, flexibility, and psychological safety for all minds.

Neuroinclusion isn’t about fixing people, it’s about fixing systems.

Learning objectives

• Recognize systemic barriers that neurodivergent people face in hiring, learning, and workplace environments. Most importantly, how these often go unnoticed.
• Apply Universal Design and neuro inclusive practices to support diverse cognitive styles, communication preferences, and working needs.
• Implement practical strategies that foster clarity, flexibility, and psychological safety while creating environments where all minds can thrive.

This session provides a comprehensive overview of Drupal's caching layers. We will start with the fundamentals of cacheable metadata, including cache tags, contexts, and max-age, which are the building blocks of the Cache API. Then, we'll dive into the render pipeline and fragment caching, exploring how Drupal caches parts of the render tree.

Next, the session will cover response caching, contrasting Dynamic Page Cache and Page Cache. We'll also discuss how to leverage reverse proxies and CDNs for even greater performance.

Finally, we'll equip you with practical skills for debugging the cache and writing cache-aware code, including creating custom cache contexts and avoiding common pitfalls like unintentionally uncacheable blocks.

This session is for Drupal developers and site builders that to build reliable and performant websites that update automatically without requiring constant cache rebuilds.

Single Directory Components have changed the way some Drupal sites are themed. Drupal Canvas (formerly Experience Builder) has the potential to change how some Drupal sites are built. What happens when both are available widely?

In this session, we'll take a look at how to create forward-looking Single Directory Components that will integrate nicely with Drupal Canvas. We'll cover the basics of SDCs (especially their component.yml files) as well as demonstrate SDC usage inside of Drupal Canvas.

Version control is a must-have in today’s web development landscape, yet many CMS developers find themselves grappling with Git workflows that are specifically designed for content-rich projects. In this session, we’ll dive into:

1. The basics of Git for CMS teams
2. Different branching strategies, including Git Flow and Trunk-Based Development
3. How to manage configuration and database changes in CMS settings
4. Helpful tips for integrating Git with CI/CD pipelines for platforms like Drupal and others 

Whether you’re just starting out with Git or you’re aiming to polish your existing workflow, this talk is here to help you enhance collaboration and ease those deployment challenges.

Merlin of Chaos created Drupal Views back in 2003 and it remains a Drupal super-power to this day. Ironically, it creates order from chaos. It is the ultimate list maker and report generator with access to nearly everything that is contained in Drupal.  This is an introduction to Views that will benefit site builders, designers, content managers, and developers of all sorts. Learn to leverage the power of Views to make your Drupal site more useful. Content for this session was graciously contributed to by DrupalEasy. 

Curious about what AI can do in Drupal—but not sure where to start? This beginner-friendly session will introduce you to DrupalAI using a series of short, live demos powered by amazee.ai. You’ll see how to use the amazee Provider Framework and key AI modules to streamline content creation, enhance UX, and even automate tedious site tasks, all without writing a line of code.

We’ll break down what makes a good AI prompt for different Drupal use cases, show how to generate content and categorize it intelligently, and walk through launching your own ready-to-play-with DrupalAI site using amazee’s Advanced User Demo. We’ll also cover how makers, trainers, and maintainers can get unlimited AI credits to power their development efforts.

Bring your laptop if you want to follow along—we’ll get hands-on and leave plenty of room for questions, play, and ideas.

Matthew is a Drupal AI trainer who has open-sourced materials for other trainers. He is deeply involved with the Drupal AI Strategic Initiative.