Cloud Platform

Compliance with standards and regulations


For detailed compliance information for Cloud Next technologies, see Security and compliance in Cloud Next.


When it comes to cloud service providers, it’s in an organization’s best interest to perform due diligence on vendor’s compliance with applicable industry standards and regulations. What organizations deploy to the cloud may be governed by some form of regulatory standard. If you require more information about your particular regulatory requirements, contact your Acquia Account Manager or Technical Account Manager.

This page summarizes Acquia’s compliance with the various standards and regulations.

SOC 1 (SSAE No. 18 and ISAE No. 3402)

Statement on Standards for Attestation Engagement (SSAE) No. 18 is an American auditing standard issued by the American Institute of Certified Public Accountants (AIPCA) and is used to create a Service Organization Control (SOC) 1 branded report. Acquia’s SSAE 18 audit report is aligned with the International Standards for Assurance Engagements (ISAE) No. 3402 auditing standard. This allows for the report to be recognized both in the U.S. and throughout the world.

Acquia has a SOC 1 SSAE 18/ISAE 3402 Type 2 audit performed on an annual basis by an independent third-party audit firm. The audit report attests to the design and operating effectiveness of Acquia’s business and security controls in safeguarding systems and data. Acquia’s SSAE 18/ISAE 3402 audit report is available to current customers and prospective customers upon request and with a fully executed non disclosure agreement (NDA).


A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. SOC 2 reports are based on the following AICPA Trust Services Principles and Criteria (TSPC):

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA. The TSPC of security, availability, and processing integrity are used to evaluate whether a system is reliable.

Acquia has a SOC 2 Type 2 audit performed on an annual basis by an independent third party audit firm. The audit report attests to the suitability of the design and operating effectiveness of Acquia’s controls to meet the Security, Availability and Confidentiality Trust Services Principles. Acquia’s SOC 2 audit report is available to current customers and prospective customers upon request and with a fully executed NDA.

PCI DSS (Payment Card Industry Data Security Standard)

Payment Card Industry Data Security Standard (PCI DSS) compliance applies to merchants and services providers that process, store, or send credit card data. PCI DSS is a multifaceted security standard that includes requirements for security management, policies and procedures, network architecture, software design, and other critical protective measures. This comprehensive standard helps organizations proactively protect credit card data sent or stored on the Acquia platform. Acquia’s PCI compliance is only applicable to customers building web applications within the Acquia shared PCI Virtual Private Cloud (VPC) or via dedicated PCI VPC Shield offering. Acquia has been validated by an independent Quality Security Assessor (QSA) approved by the PCI Security Standards Council that validated Acquia’s adherence with standards applicable to a Level 1 service provider under PCI DSS Version 3.2. The Attestation of Compliance (AOC) and Report on Compliance (ROC) documents validate Acquia’s PCI DSS compliance. Acquia can provide the AOC to prospective or current customers upon request.

PCI DSS compliance requires a separation of processes on physical infrastructure. Acquia meets this compliance infrastructure requirement with the PCI compliance offering. This offering includes, but is not limited to:

  • Full Tier Infrastructure Configuration: This configuration includes a separation of instances for load balancers, web layer, filesystem, and database servers. This includes a minimum of eight virtual instances, with each tier having two servers to maintain high availability.
  • Shared PCI Environment: PCI customers’ infrastructure is logically separated from non-PCI customers in a PCI environment.
  • Encrypted EBS Volumes: Additional encryption is applied to the filesystem and database servers.

Cloud Platform Enterprise and Site Factory customers with websites requiring PCI DSS compliant environments should contact their Account Manager to discuss other infrastructure changes necessary for their websites to meet PCI DSS requirements.

Cloud Platform for Partners customers with websites requiring PCI DSS compliant environments should create a Support ticket.

Although Acquia provides a PCI-compliant hosting environment as part of Cloud Platform Enterprise, only your PCI QSA or your internal security resource completing a PCI DSS self assessment questionnaire (SAQ) can confirm if the way your website processes credit card payments will meet PCI DSS compliance requirements. We encourage you to contact your QSA auditor with any other questions you may have. Acquia can’t determine if your website is PCI DSS compliant.

Websites hosted on Cloud Platform processing payments through a third-party service (such as WorldPay, Paypal, or are generally PCI DSS compliant.

The Acquia Security team has spoken at length with our PCI-Auditors, as well as various PCI auditors working with our customers. Since your website is connected to your payment gateway, it’s considered in-scope for PCI DSS compliance.

Your main website, which is hosted with Acquia, is required to be PCI DSS compliant, even though the transaction is performed through a third-party service. Consequently, your website must move into our shared VPC to meet PCI DSS compliance.

For information about Amazon’s PCI accreditation, see Amazon’s PCI DSS Compliance page. For more information about e-commerce and PCI DSS compliance, see the PCI Security Standards Council’s documentation for PCI DSS E-commerce Guidelines.

ISO 27001 certification

Acquia is ISO 27001 certified. You can download our certificate. ISO 27001 is a globally recognized security standard driven by the implementation of an information security management system (ISMS). An ISMS is a security framework of policies, procedures and controls including administrative, physical and technical safeguards to manage information security risks to internal and subscriber information.


Acquia is a Federal Risk Authorization and Management Program (FedRAMP) authorized system and has received an agency Authority to Operate (ATO) from the Department of the Treasury. As a FedRAMP authorized Cloud Service Provider (CSP) supporting U.S. government agencies and departments, Acquia is committed to meeting the guidelines of FedRAMP and will provide insight into Acquia’s security architecture and the continuous monitoring processes related to the Acquia Platform as a Service (PaaS).

Our system has been designed to meet NIST 800-53 standards for customers who must complete their local security authorization process, sometimes called the Risk Management Framework (RMF), or FISMA.

Cloud Platform is built on Amazon AWS and inherits infrastructure layer controls from Amazon. Amazon AWS has received FedRAMP authorization for the infrastructure layer.


Acquia enables US government agencies to achieve and sustain compliance with FISMA. Numerous Federal organizations have successfully achieved security authorizations and made risk-based decisions to allow websites to be hosted on Cloud Platform in accordance with the Risk Management Framework (RMF) process defined in the NIST Special Publication (SP) 800-37. Acquia’s platform has helped federal agencies expand cloud computing use cases and deploy sensitive government data and applications in the cloud, while complying with the rigorous security requirements of federal standards.

CSA STAR (Cloud Security Alliance Security, Trust and Assurance Registry)

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.

CSA’s Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry documenting the security controls provided by cloud computing offerings. This registry helps organizations assess the security of cloud providers they use or are considering contracting with. Acquia has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions a cloud consumer and cloud auditor may wish to inquire of a cloud provider. Acquia has completed both Level 1: Self-Assessment and Level 2: Third-Party Audit phases of the CSA STAR compliance.

Acquia’s CAIQ is available for download from the CSA STAR registry..


Cloud Platform enables customers to comply with the HIPAA Security Rule and HITECH for electronic Protected Health Information (ePHI). Acquia has a third-party firm annually perform a SOC 2 Type 2 audit, which generates an audit report containing a section that maps controls to HIPAA security requirements. The report is available to both existing and prospective customers upon request and with a fully executed NDA.

Acquia offers a HIPAA compliance offering for customers that need to maintain HIPAA compliance requirements. This offering includes, but is not limited to:

  • Shared HIPAA Environment: HIPAA customers’ infrastructure is logically separated from non-HIPAA customers in a HIPAA environment.
  • Encrypted EBS Volumes: Additional encryption is applied to the filesystem and database servers.
  • Business Associate Agreement (BAA): Customers with this offering must sign a BAA through Acquia to meet the HIPAA requirements.

Cloud Platform Enterprise and Site Factory customers with websites requiring HIPAA compliant environments should contact their Account Manager to discuss these settings and other infrastructure changes necessary for their websites to meet HIPAA requirements.

California Consumer Privacy Act (CCPA)

For information about Acquia’s compliance with the California Consumer Privacy Act, see Acquia’s CCPA policy statement.


Acquia abides by all privacy laws and regulations applicable to our hosting services and to our customers hosting websites that may contain personal information on Cloud Platform. Acquia personnel have logical access to subscriber data stored in subscriber websites only if they are authorized, and require access due to their job function. Acquia doesn’t transfer subscriber data hosted on Cloud Platform outside of Cloud Platform or to any third party without subscriber authorization.

Customers must ensure that privacy concerns and regulations are addressed and adhered to at the application layer where subscriber personnel may have logical access to personal information uploaded or stored in subscriber websites.

Acquia’s Privacy Policy describes how Acquia handles any personal information gathered from visitors to its website at and from users of Acquia’s software and services.


The Voluntary Product Accessibility Template, or VPAT®, is a template used to document a product’s conformance with accessibility standards and guidelines. The purpose of the VPAT is to assist customers and buyers in making preliminary assessments regarding the availability of commercial “Electronic and Information Technology”, also referred to as “Information and Communication Technology” (ICT) products and services with features that support accessibility.

Acquia information and communications technology (ICT) partially complies with Section 508 of the Rehabilitation Act of 1973 standards.

To download Acquia’s VPAT report, access VPAT - Cloud Platform