Acquia Source (powered by Drupal)
Last revision of this Product Notice: 1 October 2025
Prior version(s) of this Product Notice: 31 July 2025
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
About the Product/Services
For details about these Products, please refer to the Product Description available online at
https://docs.acquia.com/service-offerings/products-and-services-guide.
1. Processing Operation(s)
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
- Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
- Optional features processing Personal Data: ☒ yes ☐ no
- The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
- Processing of sensitive Personal Data: ☒ yes ** ☐ no ☐ n/a*
- Profiling of individuals based on personal characteristics: ☒ yes ** ☐ no ☐ n/a*
- Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*
- Processing via an AI tool available with the Product ☒ yes ☐ no
- The AI feature is deactivated by default: ☐ yes ☒ no
- The AI feature processes Personal Data: ☐ yes ☒ no
- The AI feature processes sensitive Personal Data ☐ yes ☒ no
- The Customer can control what data the AI tool processes: ☒ yes ☐ no
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).
2. Details of Personal Data being processed
| Categories of Personal Data | Categories of Data Subjects | Purpose of
Processing | Categories
of Data Recipients | Needed
for Core
Features | Processing
Location | Acquia Inc.
acts as
Processor |
Through the configuration,
design, and administration of
its own Drupal application,
Customer, in its sole discretion,
determines and controls the
categories of personal data
collected by their Drupal
Application and, thus, provided
to Acquia for processing. These
may be individual identifiers,
contact details, online
identifiers, network activity,
location data, and any sensitive
data categories. | Through the configuration,
design, and administration
of its own Drupal
application, Customer in its
sole discretion determines
and controls the categories
of data subjects collected
by their Drupal Application.
Primarily, these would be
Customer’s site
administrators and
end-users, such as visitors
to Customer’s website. | Provision of
the Services
by Acquia to
Customer | Site
administrat
ors; Acquia
Service
Providers
and
Subprocess
ors; | Yes | US-East***
EU-Central*** | Yes |
*** Alternative data centre locations are not supported at this time.
3. Privacy Enhancements
| Objective | Technology / Measure | Data at Rest | Data in Transit |
Anonymization and
Pseudonymization | Data anonymization at Customer level optional for
Customer | Partial
(Individual
CMS accounts
excluded) | Partial (Individual
CMS accounts
excluded) |
| Data confidentiality | Access control measures
Encryption at customer level Encryption at Acquia level | Yes Yes Yes | Yes Yes Yes |
| Data integrity | Anti-tampering technology (see Security Annex) | Yes | Yes |
Data availability including
restoring availability,
restoring access to personal
data, and data resilience | Business continuity and disaster recovery measures (see
Security Annex) | Yes | N/A |
Regular testing, assessing and
evaluating of TOMs | Regular security and process reviews (see also Security
Annex) | Yes | N/A |
4. Certifications
Working toward SOC2 Type 2
5. Data Subject Rights
Through the Product’s administration console and through the Customer’s own Drupal application, the Customer may manage,
update, retrieve, and erase individual Personal Data.
6. (Personal) Data Retention Cycles
The retention of data in the Product is managed by the Customer and may be stored during the entire term of the Services. Latest 90
days after the end of the contractual term of the Services, Acquia will purge any customer data in the Services including personal
data from its systems.
7. Sub-Processing
The specific list of Acquia’s sub-processors is available from: www.acquia.com/about-us/legal/subprocessors
Any current Acquia customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or
changed sub-processors through the above website.
8. Description of the technical and organisational security measures implemented by the data importer in accordance with
Clauses 4(d) and 5(c) (or document/legislation attached)
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of
the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex
(available from https://www.acquia.com/sites/default/files/legal/acquia-security-annex.pdf) applicable to the specific Services
purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is
wholly responsible for implementing and maintaining security and data administration within any data exporter applications,
configuration settings, or log settings used by data exporter in conjunction with the Services.
Source Product Privacy Notice
Acquia Source (powered by Drupal)
Last revision of this Product Notice: 1 October 2025
Prior version(s) of this Product Notice: 31 July 2025
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
About the Product/Services
For details about these Products, please refer to the Product Description available online at
https://docs.acquia.com/service-offerings/products-and-services-guide.
1. Processing Operation(s)
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
- Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
- Optional features processing Personal Data: ☒ yes ☐ no
- The optional features are deactivated by default: ☒ yes ☐ no ☐ n/a*
- Processing of sensitive Personal Data: ☒ yes ** ☐ no ☐ n/a*
- Profiling of individuals based on personal characteristics: ☒ yes ** ☐ no ☐ n/a*
- Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a*
- Processing via an AI tool available with the Product ☒ yes ☐ no
- The AI feature is deactivated by default: ☐ yes ☒ no
- The AI feature processes Personal Data: ☐ yes ☒ no
- The AI feature processes sensitive Personal Data ☐ yes ☒ no
- The Customer can control what data the AI tool processes: ☒ yes ☐ no
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).
2. Details of Personal Data being processed
| Categories of Personal Data | Categories of Data Subjects | Purpose of
Processing | Categories
of Data Recipients | Needed
for Core
Features | Processing
Location | Acquia Inc.
acts as
Processor |
Through the configuration,
design, and administration of
its own Drupal application,
Customer, in its sole discretion,
determines and controls the
categories of personal data
collected by their Drupal
Application and, thus, provided
to Acquia for processing. These
may be individual identifiers,
contact details, online
identifiers, network activity,
location data, and any sensitive
data categories. | Through the configuration,
design, and administration
of its own Drupal
application, Customer in its
sole discretion determines
and controls the categories
of data subjects collected
by their Drupal Application.
Primarily, these would be
Customer’s site
administrators and
end-users, such as visitors
to Customer’s website. | Provision of
the Services
by Acquia to
Customer | Site
administrat
ors; Acquia
Service
Providers
and
Subprocess
ors; | Yes | US-East***
EU-Central*** | Yes |
*** Alternative data centre locations are not supported at this time.
3. Privacy Enhancements
| Objective | Technology / Measure | Data at Rest | Data in Transit |
Anonymization and
Pseudonymization | Data anonymization at Customer level optional for
Customer | Partial
(Individual
CMS accounts
excluded) | Partial (Individual
CMS accounts
excluded) |
| Data confidentiality | Access control measures
Encryption at customer level Encryption at Acquia level | Yes Yes Yes | Yes Yes Yes |
| Data integrity | Anti-tampering technology (see Security Annex) | Yes | Yes |
Data availability including
restoring availability,
restoring access to personal
data, and data resilience | Business continuity and disaster recovery measures (see
Security Annex) | Yes | N/A |
Regular testing, assessing and
evaluating of TOMs | Regular security and process reviews (see also Security
Annex) | Yes | N/A |
4. Certifications
Working toward SOC2 Type 2
5. Data Subject Rights
Through the Product’s administration console and through the Customer’s own Drupal application, the Customer may manage,
update, retrieve, and erase individual Personal Data.
6. (Personal) Data Retention Cycles
The retention of data in the Product is managed by the Customer and may be stored during the entire term of the Services. Latest 90
days after the end of the contractual term of the Services, Acquia will purge any customer data in the Services including personal
data from its systems.
7. Sub-Processing
The specific list of Acquia’s sub-processors is available from: www.acquia.com/about-us/legal/subprocessors
Any current Acquia customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or
changed sub-processors through the above website.
8. Description of the technical and organisational security measures implemented by the data importer in accordance with
Clauses 4(d) and 5(c) (or document/legislation attached)
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of
the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex
(available from https://www.acquia.com/sites/default/files/legal/acquia-security-annex.pdf) applicable to the specific Services
purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is
wholly responsible for implementing and maintaining security and data administration within any data exporter applications,
configuration settings, or log settings used by data exporter in conjunction with the Services.
Acquia Source