Application Launcher

Acquia DAM¹

Last revision of this Product Notice: [v1.1 – 30 June 2025]
Prior version(s) of this Product Notice: [v1.0 – 12 November 2021 – initial version]
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.

About the Product

Acquia DAM is a SaaS solution and enables Customers to centrally organize digital content (assets) in one system, to keep track of versions of such assets, automatize publishing of update versions across various locations, convert such assets to different formats, and create automated workflows. Assets may be logos, documents, videos, work-in-progress files, photography, etc. and the Service supports a multitude of different products.

Customer’s dedicated users may log into the Service administration portal using their login credentials to administer and use the Service. Published assets may be viewed and accessed by anybody to whom Customers have granted access.

For details about these Products, please refer to the Product Description available online at https://docs.acquia.com/guide.

1. Processing Operation(s)

The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
Optional features processing Personal Data: ☒ yes ☐ no
- The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
Processing of sensitive Personal Data: ☐ yes** ☒no ☐ n/a*
Profiling of individuals based on personal characteristics: ☐ yes *** ☒no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*
Processing via an AI tool available with the Product ☒ yes ☐ no
- The AI feature is deactivated by default: ☒ yes ☐ no
- The AI feature processes Personal Data: ☒ yes** ☐ no
- The AI feature processes sensitive Personal Data ☐ yes ☒ no
- The Customer can control what data the AI tool processes: ☒ yes ☐ no

* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users)
*** (optional and disabled by default; depends on the Customer’s configuration of the system, the connection to external analytics tools such as Google Analytics, and the categories chosen by the Customer to be collected from Third Party Users)

2. Details of Personal Data being processed

Categories of Personal Data	Categories of Data Subjects	Purpose of Processing	Categories of Data Recipients	Needed for Core Features	Processing Location	Acquia Inc. acts as Processor
Regarding the use of the Service by the Customer: Through the configuration, design, and administration of an Acquia DAM instance, Customer may limit the categories of data subjects collected by their Acquia DAM instance to generic contact information of its administration staff. The categories of Personal Data are solely contact information of the user of Acquia DAM, including name, email, IP address, title, phone.	Through the configuration, design, and administration of their own Acquia DAM instance, Customer in its sole discretion determines and controls the categories of data subjects collected by their Acquia DAM instance. Primarily, the categories of Data Subjects are the Customer’s internal administrative personnel, e.g. personnel in its marketing department.	Provision of the Services by Acquia to Customer and use of the Service by Customer’s personnel	Customer’s personnel including admins and users	Yes	Depends on the data center location chosen by Customer; data collected in a given region will exist only within that region. Subprocessors, Support: see Acquia Affiliates If Customer uses the Service to connect to third parties (e.g. CRM), processing of the respective data may occur at the place of such third party. Such third parties are (sub)processors of Customer, not Acquia.	Yes
Regarding the administration of the Service by Customer: Individual identifiers and contact details of Custtomer’s admins, including name, email, IP address, title, phone.	Customer admins	Provision and administration of the Service	Customer’s admin personnel	Yes		Yes

Categories of Personal Data

Categories of Data Subjects

Purpose of Processing

Categories of Data Recipients

Needed for Core Features

Processing Location

Acquia Inc. acts as Processor

Regarding the use of the Service by the Customer:
Through the configuration, design, and administration of an Acquia DAM instance, Customer may limit the categories of data subjects collected by their Acquia DAM instance to generic contact information of its administration staff.
The categories of Personal Data are solely contact information of the user of Acquia DAM, including name, email, IP address, title, phone.

Through the configuration, design, and administration of their own Acquia DAM instance, Customer in its sole discretion determines and controls the categories of data subjects collected by their Acquia DAM instance. Primarily, the categories of Data Subjects are the Customer’s internal administrative personnel, e.g. personnel in its marketing department.

Provision of the Services by Acquia to Customer and use of the Service by Customer’s personnel

Customer’s personnel including admins and users

Yes

Depends on the data center location chosen by Customer; data collected in a given region will exist only within that region.

Subprocessors, Support: see Acquia Affiliates

If Customer uses the Service to connect to third parties (e.g. CRM), processing of the respective data may occur at the place of such third party. Such third parties are (sub)processors of Customer, not Acquia.

Yes

Regarding the administration of the Service by Customer:

Individual identifiers and contact details of Custtomer’s admins, including name, email, IP address, title, phone.

Customer admins

Provision and administration of the Service

Customer’s admin personnel

Yes

3. Privacy Enhancements

Objective	Technology / Measure	Data at Rest	Data in Transit
Anonymyzation and Pseudonymization	Data anonymization at Customer level optional for Customer	No	No
Data confidentiality	Access control measures Encryption at customer level Encryption at Acquia level Encryption at Acquia Sub-processor level (see Security Annex and Product Description)	Yes N/A* N/A* Yes	Yes Yes Yes Yes
Data integrity	Anti-tampering technology (see Security Annex)	Yes	Yes
Data availability including restoring availability, restoring access to personal data, and data resilience	Business continuity and disaster recovery measures (see Security Annex)	Yes	Yes
Regular testing, assessing and evaluating of TOMs	Regular security and process reviews (see also Security Annex)	Yes	Yes

* uses sub-processor level encryption

4. Data Subject Rights

Through the Product’s administration console, the Customer may manage, update, retrieve, and erase individual Personal Data.

5. (Personal) Data Retention Cycles

Profile data can be deleted and updated at any time during the Term of the Service by the Customer. Profile data and application/configuration is retained latest until the end of the subscription term.

6. Sub-Processing

The specific list of Acquia’s sub-processors is available from: www.acquia.com/about-us/legal/subprocessors
Any current Acquia customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the above website.

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex (available from https://www.acquia.com/about-us/legal/gdpr) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.1 This Product Notice applies solely to Acquia DAM and does not include Acquia DAM Classic. Further information regarding the difference between Acquia DAM and Acquia DAM Classic may be found here: https://docs.acquia.com/guide/dam/

Acquia DAM¹

About the Product

For details about these Products, please refer to the Product Description available online at https://docs.acquia.com/guide.

1. Processing Operation(s)

The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
Optional features processing Personal Data: ☒ yes ☐ no
- The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
Processing of sensitive Personal Data: ☐ yes** ☒no ☐ n/a*
Profiling of individuals based on personal characteristics: ☐ yes *** ☒no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*

Acquia DAM¹

About the Product

For details about these Products, please refer to the Product Description available online at https://docs.acquia.com/guide.

1. Processing Operation(s)

The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
Optional features processing Personal Data: ☒ yes ☐ no
- The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
Processing of sensitive Personal Data: ☐ yes** ☒no ☐ n/a*
Profiling of individuals based on personal characteristics: ☐ yes *** ☒no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*
Processing via an AI tool available with the Product ☒ yes ☐ no
- The AI feature is deactivated by default: ☒ yes ☐ no
- The AI feature processes Personal Data: ☒ yes** ☐ no
- The AI feature processes sensitive Personal Data ☐ yes ☒ no
- The Customer can control what data the AI tool processes: ☒ yes ☐ no

2. Details of Personal Data being processed

Categories of Personal Data	Categories of Data Subjects	Purpose of Processing	Categories of Data Recipients	Needed for Core Features	Processing Location	Acquia Inc. acts as Processor
Regarding the use of the Service by the Customer: Through the configuration, design, and administration of an Acquia DAM instance, Customer may limit the categories of data subjects collected by their Acquia DAM instance to generic contact information of its administration staff. The categories of Personal Data are solely contact information of the user of Acquia DAM, including name, email, IP address, title, phone.	Through the configuration, design, and administration of their own Acquia DAM instance, Customer in its sole discretion determines and controls the categories of data subjects collected by their Acquia DAM instance. Primarily, the categories of Data Subjects are the Customer’s internal administrative personnel, e.g. personnel in its marketing department.	Provision of the Services by Acquia to Customer and use of the Service by Customer’s personnel	Customer’s personnel including admins and users	Yes	Depends on the data center location chosen by Customer; data collected in a given region will exist only within that region. Subprocessors, Support: see Acquia Affiliates If Customer uses the Service to connect to third parties (e.g. CRM), processing of the respective data may occur at the place of such third party. Such third parties are (sub)processors of Customer, not Acquia.	Yes
Regarding the administration of the Service by Customer: Individual identifiers and contact details of Custtomer’s admins, including name, email, IP address, title, phone.	Customer admins	Provision and administration of the Service	Customer’s admin personnel	Yes		Yes

Categories of Personal Data

Categories of Data Subjects

Purpose of Processing

Categories of Data Recipients

Needed for Core Features

Processing Location

Acquia Inc. acts as Processor

Provision of the Services by Acquia to Customer and use of the Service by Customer’s personnel

Customer’s personnel including admins and users

Yes

Depends on the data center location chosen by Customer; data collected in a given region will exist only within that region.

Subprocessors, Support: see Acquia Affiliates

Yes

Regarding the administration of the Service by Customer:

Individual identifiers and contact details of Custtomer’s admins, including name, email, IP address, title, phone.

Customer admins

Provision and administration of the Service

Customer’s admin personnel

Yes

3. Privacy Enhancements

Objective	Technology / Measure	Data at Rest	Data in Transit
Anonymyzation and Pseudonymization	Data anonymization at Customer level optional for Customer	No	No
Data confidentiality	Access control measures Encryption at customer level Encryption at Acquia level Encryption at Acquia Sub-processor level (see Security Annex and Product Description)	Yes N/A* N/A* Yes	Yes Yes Yes Yes
Data integrity	Anti-tampering technology (see Security Annex)	Yes	Yes
Data availability including restoring availability, restoring access to personal data, and data resilience	Business continuity and disaster recovery measures (see Security Annex)	Yes	Yes
Regular testing, assessing and evaluating of TOMs	Regular security and process reviews (see also Security Annex)	Yes	Yes

* uses sub-processor level encryption

4. Data Subject Rights

Through the Product’s administration console, the Customer may manage, update, retrieve, and erase individual Personal Data.

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

Categories of Personal Data	Categories of Data Subjects	Purpose of Processing	Categories of Data Recipients	Needed for Core Features	Processing Location	Acquia Inc. acts as Processor
Regarding the use of the Service by the Customer: Through the configuration, design, and administration of an Acquia DAM instance, Customer may limit the categories of data subjects collected by their Acquia DAM instance to generic contact information of its administration staff. The categories of Personal Data are solely contact information of the user of Acquia DAM, including name, email, IP address, title, phone.	Through the configuration, design, and administration of their own Acquia DAM instance, Customer in its sole discretion determines and controls the categories of data subjects collected by their Acquia DAM instance. Primarily, the categories of Data Subjects are the Customer’s internal administrative personnel, e.g. personnel in its marketing department.	Provision of the Services by Acquia to Customer and use of the Service by Customer’s personnel	Customer’s personnel including admins and users	Yes	Depends on the data center location chosen by Customer; data collected in a given region will exist only within that region. Subprocessors, Support: see Acquia Affiliates If Customer uses the Service to connect to third parties (e.g. CRM), processing of the respective data may occur at the place of such third party. Such third parties are (sub)processors of Customer, not Acquia.	Yes
Regarding the administration of the Service by Customer: Individual identifiers and contact details of Custtomer’s admins, including name, email, IP address, title, phone.	Customer admins	Provision and administration of the Service	Customer’s admin personnel	Yes		Yes
Regarding Assets uploaded by the Customer into the Service: In general, Assets do not contain personal data. However, some Assets may contain Personal Data (e.g. picture of a person).	Anyone’s personal data captured in the Asset	Use of the Service by Customer’s personnel	Customer’s personnel and any such person designated to use by Customer	No		Yes

Categories of Personal Data

Categories of Data Subjects

Purpose of Processing

Categories of Data Recipients

Needed for Core Features

Processing Location

Acquia Inc. acts as Processor

Provision of the Services by Acquia to Customer and use of the Service by Customer’s personnel

Customer’s personnel including admins and users

Yes

Depends on the data center location chosen by Customer; data collected in a given region will exist only within that region.

Subprocessors, Support: see Acquia Affiliates

Yes

Regarding the administration of the Service by Customer:

Individual identifiers and contact details of Custtomer’s admins, including name, email, IP address, title, phone.

Customer admins

Provision and administration of the Service

Customer’s admin personnel

Yes

Regarding Assets uploaded by the Customer into the Service:
In general, Assets do not contain personal data. However, some Assets may contain Personal Data (e.g. picture of a person).

Anyone’s personal data captured in the Asset

Use of the Service by Customer’s personnel

Customer’s personnel and any such person designated to use by Customer

Yes

Objective	Technology / Measure	Data at Rest	Data in Transit
Anonymyzation and Pseudonymization	Data anonymization at Customer level optional for Customer	No	No
Data confidentiality	Access control measures Encryption at customer level Encryption at Acquia level Encryption at Acquia Sub-processor level (see Security Annex and Product Description)	Yes N/A* N/A* Yes	Yes Yes Yes Yes
Data integrity	Anti-tampering technology (see Security Annex)	Yes	Yes
Data availability including restoring availability, restoring access to personal data, and data resilience	Business continuity and disaster recovery measures (see Security Annex)	Yes	Yes
Regular testing, assessing and evaluating of TOMs	Regular security and process reviews (see also Security Annex)	Yes	Yes

Acquia DAM¹

About the Product

1. Processing Operation(s)

2. Details of Personal Data being processed

3. Privacy Enhancements

4. Data Subject Rights

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

Acquia DAM¹

About the Product

1. Processing Operation(s)

Acquia DAM¹

About the Product

1. Processing Operation(s)

2. Details of Personal Data being processed

3. Privacy Enhancements

4. Data Subject Rights

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

2. Details of Personal Data being processed

3. Privacy Enhancements

4. Data Subject Rights

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

Did not find what you were looking for?

Did not find what you were looking for?

DAM Product Privacy Notice

Acquia DAM1

About the Product

1. Processing Operation(s)

2. Details of Personal Data being processed

3. Privacy Enhancements

4. Data Subject Rights

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

DAM Product Privacy Notice

Acquia DAM1

About the Product

1. Processing Operation(s)

DAM Product Privacy Notice

Acquia DAM1

About the Product

1. Processing Operation(s)

2. Details of Personal Data being processed

3. Privacy Enhancements

4. Data Subject Rights

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

2. Details of Personal Data being processed

3. Privacy Enhancements

4. Data Subject Rights

5. (Personal) Data Retention Cycles

6. Sub-Processing

7. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

Did not find what you were looking for?

Did not find what you were looking for?

Acquia DAM¹

Acquia DAM¹

Acquia DAM¹