Last revision of this Product Notice: 24 February 2026
Prior version(s) of this Product Notice: 1 October 2025
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
About the Product/Services
Acquia Cloud Platform is a Drupal-tuned application lifecycle management suite with an infrastructure to support Drupal
deployment workflow processes from development and staging through to production. Acquia’s customer creates, owns, and maintains their Drupal application (a website for internal or external use) and submits it to Acquia Cloud Platform for the aforementioned lifecycle management.
For details about these Products, please refer to the Product Description available online at https://docs.acquia.com/guide.
1. Processing Operation(s)
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
Optional features processing Personal Data: ☒ yes ☐ no
The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
Processing of sensitive Personal Data: ☒ yes ** ☐no ☐ n/a*
Profiling of individuals based on personal characteristics: ☒ yes ** ☐no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*
Processing via an AI tool available with the Product ☒ yes ☐ no
The AI feature is deactivated by default: ☒ yes ☐ no
The AI feature processes Personal Data: ☐ yes ☒ no
The AI feature processes sensitive Personal Data ☐ yes ☒ no
The Customer can control what data the AI tool processes: ☒ yes ☐ no
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users)
2. Details of Personal Data being processed
Categories of Personal Data
Categories of Data Subjects
Purpose of Processing
Categories of Data Recipients
Needed for Core Features
Processing Location
Acquia Inc. acts as Processor
Through the configuration, design, and administration of their own Drupal application, Customer in its sole discretion determines and controls the categories of personal data collected by their Drupal Application. These may be individual identifiers, contact details, online identifiers, network activity, location data, and any sensitive data categories.
Through the configuration, design, and administration of their own Drupal application, Customer in its sole discretion determines and controls the categories of data subjects collected by their Drupal Application. Primarily, these would be Customer’s end-users including visitors to Customer’s website.
Provision of the Services by Acquia to Customer
Site administrators; customers and visitors of Customer’s Drupal application
yes
Depends on the data center location chosen by customer
Yes
3. Privacy Enhancements
Objective
Technology / Measure
Data at Rest
Data in Transit
Anonymization and Pseudonymization
Data anonymization at Customer level optional for Customer
Yes
Yes
Data confidentiality
Access control measures Encryption at customer level Encryption at Acquia level (see Security Annex and Product Description)
Yes
Yes
Yes
Yes
Yes
Yes
Data integrity
Ant-tampering technology (see Security Annex)
Yes
Yes
Data availability including restoring availability, restoring access to personal data, and data resilience
Business continuity and disaster recovery measures (see Security Annex)
Yes
n/a
Regular testing, assessing and evaluating of TOMs
Regular security and process reviews (see also Security Annex)
Yes
n/a
4. Certifications
SSAE16/ISAE 3402: SOC 1 Type II
SOC 2 Type II
ISO 27001:2013
FedRAMP
5. Data Subject Rights
Through the Product’s administration console and through the Customer’s own Drupal application, the Customer may manage, update, retrieve, and erase individual Personal Data.
6. (Personal) Data Retention Cycles
The retention of data in the Product is managed by the Customer and may be stored during the entire term of the Services. Latest 90 days after the end of the contractual term of the Services, Acquia will purge any customer data in the Services including personal data from its systems.
Any current Acquia customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the above website.
8. Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex (available from https://www.acquia.com/about-us/legal/gdpr) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.
Cloud Platform Product Privacy Notice
Acquia Cloud Platform
Last revision of this Product Notice: 24 February 2026
Prior version(s) of this Product Notice: 1 October 2025
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
About the Product/Services
Acquia Cloud Platform is a Drupal-tuned application lifecycle management suite with an infrastructure to support Drupal
deployment workflow processes from development and staging through to production. Acquia’s customer creates, owns, and maintains their Drupal application (a website for internal or external use) and submits it to Acquia Cloud Platform for the aforementioned lifecycle management.
For details about these Products, please refer to the Product Description available online at https://docs.acquia.com/guide.
1. Processing Operation(s)
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
Optional features processing Personal Data: ☒ yes ☐ no
The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
Processing of sensitive Personal Data: ☒ yes ** ☐no ☐ n/a*
Profiling of individuals based on personal characteristics: ☒ yes ** ☐no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*
Processing via an AI tool available with the Product ☒ yes ☐ no
The AI feature is deactivated by default: ☒ yes ☐ no
The AI feature processes Personal Data: ☐ yes ☒ no
The AI feature processes sensitive Personal Data ☐ yes ☒ no
The Customer can control what data the AI tool processes: ☒ yes ☐ no
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users)
2. Details of Personal Data being processed
Categories of Personal Data
Categories of Data Subjects
Purpose of Processing
Categories of Data Recipients
Needed for Core Features
Processing Location
Acquia Inc. acts as Processor
Through the configuration, design, and administration of their own Drupal application, Customer in its sole discretion determines and controls the categories of personal data collected by their Drupal Application. These may be individual identifiers, contact details, online identifiers, network activity, location data, and any sensitive data categories.
Through the configuration, design, and administration of their own Drupal application, Customer in its sole discretion determines and controls the categories of data subjects collected by their Drupal Application. Primarily, these would be Customer’s end-users including visitors to Customer’s website.
Provision of the Services by Acquia to Customer
Site administrators; customers and visitors of Customer’s Drupal application
yes
Depends on the data center location chosen by customer
Yes
3. Privacy Enhancements
Objective
Technology / Measure
Data at Rest
Data in Transit
Anonymization and Pseudonymization
Data anonymization at Customer level optional for Customer
Yes
Yes
Data confidentiality
Access control measures Encryption at customer level Encryption at Acquia level (see Security Annex and Product Description)
Yes
Yes
Yes
Yes
Yes
Yes
Data integrity
Ant-tampering technology (see Security Annex)
Yes
Yes
Data availability including restoring availability, restoring access to personal data, and data resilience
Business continuity and disaster recovery measures (see Security Annex)
Yes
n/a
Regular testing, assessing and evaluating of TOMs
Regular security and process reviews (see also Security Annex)
Yes
n/a
4. Certifications
SSAE16/ISAE 3402: SOC 1 Type II
SOC 2 Type II
ISO 27001:2013
FedRAMP
5. Data Subject Rights
Through the Product’s administration console and through the Customer’s own Drupal application, the Customer may manage, update, retrieve, and erase individual Personal Data.
6. (Personal) Data Retention Cycles
The retention of data in the Product is managed by the Customer and may be stored during the entire term of the Services. Latest 90 days after the end of the contractual term of the Services, Acquia will purge any customer data in the Services including personal data from its systems.
Any current Acquia customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the above website.
8. Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex (available from https://www.acquia.com/about-us/legal/gdpr) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.
Did not find what you were looking for?
If this content did not answer your questions, try searching or contacting our support team for further assistance.
Cloud Platform