Compliance with standards and regulations

When it comes to cloud computing, many organizations are concerned with compliance with standards and regulations, and many of the interesting types of applications that organizations would like to deploy to the cloud are often those governed by some form of regulatory standard. If you require additional information regarding your particular regulatory requirements, contact Acquia. This page summarizes Acquia's compliance with the following standards and regulations, both governmental and non-governmental:

SOC 1 (SSAE No. 16 and ISAE No. 3402)

Statement on Standards for Attestation Engagement (SSAE) No. 16 is an American auditing standard issued by the American Institute of Certified Public Accountants (AIPCA) and is used to create a SOC 1 branded report. Acquia’s SSAE 16 audit report is aligned with the International Standards for Assurance Engagements (ISAE) No. 3402 auditing standard. This allows for the report to be recognized both in the U.S. and throughout the world.

Acquia has a SOC 1 SSAE 16/ISAE 3402 Type 2 audit performed on an annual basis by an independent third-party audit firm. The audit report attests to the design and operating effectiveness of Acquia’s business and security controls safeguarding systems and data. Acquia’s SSAE 16/ISAE 3402 audit report is available to current customers and prospective customers upon request and with a fully executed nondisclosure agreement (NDA).


A Service Organization Control (SOC) 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. SOC 2 reports are based on the following AICPA Trust Services Principles and Criteria (TSPC):

  • Common Criteria (Security) - The system is protected against unauthorized access (both physical and logical).
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing Integrity - System processing is complete, accurate, timely, and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA. The TSPC of security, availability and processing integrity are used to evaluate whether a system is reliable.

Acquia has SOC 2 Type 2 audit performed on an annual basis by an independent third party audit firm. The audit report attests to the suitability of the design and operating effectiveness of Acquia’s controls to meet the Security, Availability and Confidentiality trust services criteria. Acquia’s SOC 2 audit report is available to current customers and prospective customers upon request and with a fully executed NDA.


Payment Card Industry Data Security Standard (PCI DSS) compliance applies to any organization that stores, transmits, or transacts credit card data. PCI compliance is important; failure to become PCI compliant may expose your businesses to legal and financial liabilities. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard helps organizations proactively protect customer account data.

The majority of Acquia Cloud Enterprise websites with e-commerce capabilities use third-party credit card processors, embedding the secure payment form code within their website so that credit card data is sent directly from the end user to the credit card processor. Because credit card data is not stored on the website that implements e-commerce in this way, the PCI compliance requirements are minimized.

Acquia Cloud Enterprise provides a PCI-compliant platform foundation for building PCI certified Drupal websites. Both Acquia Cloud Enterprise and Amazon Web Services have been QSA validated as complying with standards applicable to a Level 1 service provider under PCI - DSS Version 2.0.

For more on Amazon’s PCI accreditation, see

As a merchant, Acquia does not store its customers' credit card data when customers use credit cards to procure its services. Acquia has a completed PCI Self-Assessment Questionnaire C (SAQ C) on file and is certified quarterly by SecurityMetrics.


As a Cloud Service Provider (CSP) supporting U.S. government agencies and departments, Acquia is committed to meeting the guidelines of the Federal Risk Authorization and Management Program (FedRAMP). Completing FedRAMP will provide government organizations with insight into Acquia’s security architecture and the continuous monitoring processes related to the Acquia Platform as a Service (PaaS).

Acquia has completed our FedRAMP assessment with a certified third party assessment organization (3PAO) and is in the process of working through the Agency ATO process with the Department of Transportation. Our system has been designed to meet NIST 800-53 standards for customers who must complete their local security authorization process sometimes called the Risk Management Framework (RMF) or FISMA.

Acquia Cloud is built on Amazon AWS and thus inherits Infrastructure layer controls from Amazon. Separately, Amazon AWS has received FedRAMP authorization for the Infrastructure layer.


Acquia enables US government agencies to achieve and sustain compliance with FISMA. Numerous Federal organizations have successfully achieved security authorizations and made risk-based decisions to allow websites to be hosted on Acquia Cloud in accordance with the Risk Management Framework (RMF) process defined in the NIST Special Publication (SP) 800-37. Acquia's platform has helped federal agencies expand cloud computing use cases and deploy sensitive government data and applications in the cloud, while complying with the rigorous security requirements of federal standards.


The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.

CSA's Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Acquia has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.

Acquia's CAIQ is available for download from the CSA STAR registry.

Safe Harbor

Safe Harbor is a certification program run by the US Department of Commerce that aims to harmonize data privacy practices between the US and the stricter privacy regulations of the European Union (EU). Acquia was registered with the Safe Harbor program on February 7, 2012. To view Acquia's certification with Safe Harbor, see

ISO 27001 certification

Acquia is ISO 27001 certified. You can see our certification mark here. ISO 27001 is a globally recognized security standard driven by the implementation of an information security management system (ISMS). An ISMS is a security framework of policies, procedures and controls that includes administrative, physical and technical safeguards to manage information security risks to internal and customer information.

EU cookie regulations

The Privacy and Electronic Communications Regulations 2003 (a European Community (EC) Directive) cover the use of cookies and similar technologies for storing information and accessing information stored on users' equipment, such as their computer or mobile phone. In 2009, this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent before a website stores cookies or similar technologies.

Drupal websites, like the vast majority of websites, make use of session cookies and may employ other types of cookies. Acquia's customers should consult with their legal counsel as to whether their website is required to implement consent before storing cookies on customer devices that serve EU users. Acquia can work with its customers to implement technical solutions, including modules or custom code, in order to satisfy the requirements from the customers' legal counsel.


Acquia abides by all privacy laws and regulations that are applicable to our hosting services and to our customers that host websites that may contain personal information on Acquia Cloud. Acquia personnel have logical access to customer data stored in customer websites only if they are authorized and have a need for access due to their job function. Neither Amazon nor any other third party employed by Acquia has logical access to customer data housed in customer websites hosted on Acquia Cloud. Acquia does not transfer customer data hosted on Acquia Cloud outside of Acquia Cloud or to any third party without customer authorization.

Customers must ensure that privacy concerns and regulations are addressed and adhered to at the application layer where customer personnel may have logical access to personal information uploaded or stored in customer websites.

Acquia’s Privacy Policy describes how Acquia handles any personal information gathered from visitors to its website at and from users of our software and services from Acquia. To read Acquia’s Privacy Policy, see

Sign in to vote or comment