Last revision of this Product Notice: [v.2.0 – 4 February 2026] Prior version of this Product Notice: [v1.1 – 17 May 2021 – hyperlinks updated]
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
About the Product/Services
Acquia Site Studio is a Drupal module plus SaaS service to enable low-code site building. For details about this Product, refer to the Product Description available online at Site Studio Product Guide.
Processing Operation(s)
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
Processing of Personal Data to deliver its core functionalities required: ☐ yes ☒ no
Optional features processing Personal Data: ☐ yes ☒ no
The optional features are deactivated by default: ☐ yes ☒ no ☐ n/a*
Processing of sensitive Personal Data: ☐ yes ** ☐ no ☐ n/a*
Profiling of individuals based on personal characteristics: ☐ yes ** ☒ no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☒ n/a*
Processing via an AI tool available with the Product ☐ yes ☒ no
The AI feature is deactivated by default: ☐ yes ☒ no
The AI feature processes Personal Data: ☐ yes ☒ no
The AI feature processes sensitive Personal Data: ☐ yes ☒ no
The Customer can control what data the AI tool processes: ☐ yes ☒ no
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).
Details of Personal Data being processed
Categories of Personal Data
Categories of Data Subjects
Purpose of Processing
Categories of Data Recipients
Needed for Core Features
Processing Location
Acquia Inc. acts as Processor
The service does not process personal data.
The service does not process personal data.
N/A
N/A
N/A
N/A
N/A
*** Alternative data center locations are not supported at this time.
Privacy Enhancements
Objective
Technology / Measure
Data at Rest
Data in Transit
Anonymization and Pseudonymization
Data anonymization at Customer level is optional for Customer
N/A
N/A
Data confidentiality
Access control measures:
Encryption at customer level
Encryption at Acquia level
For more information, visit Security Annex and Product Description.
N/A
N/A
N/A
N/A
N/A
N/A
Data integrity
Anti-tampering technology For more information, visit Security Annex.
N/A
N/A
Data availability including restoring availability, restoring access to personal data, and data resilience
Business continuity and disaster recovery measuresFor more information, visit .
Certifications
SSAE16/ISAE 3402: SOC 1 Type II
SOC 2 Type II
ISO 27001:2013
FedRAMP
Data Subject Rights
Not applicable.
(Personal) Data Retention Cycles
Data is retained in the Customer’s Drupal application, not in the Service.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex (available from Acqjuia Security Annex) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.
Site Studio Product Privacy Notice
Acquia Site Studio
Last revision of this Product Notice: [v.2.0 – 4 February 2026] Prior version of this Product Notice: [v1.1 – 17 May 2021 – hyperlinks updated]
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
About the Product/Services
Acquia Site Studio is a Drupal module plus SaaS service to enable low-code site building. For details about this Product, refer to the Product Description available online at Site Studio Product Guide.
Processing Operation(s)
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
Processing of Personal Data to deliver its core functionalities required: ☐ yes ☒ no
Optional features processing Personal Data: ☐ yes ☒ no
The optional features are deactivated by default: ☐ yes ☒ no ☐ n/a*
Processing of sensitive Personal Data: ☐ yes ** ☐ no ☐ n/a*
Profiling of individuals based on personal characteristics: ☐ yes ** ☒ no ☐ n/a*
Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☒ n/a*
Processing via an AI tool available with the Product ☐ yes ☒ no
The AI feature is deactivated by default: ☐ yes ☒ no
The AI feature processes Personal Data: ☐ yes ☒ no
The AI feature processes sensitive Personal Data: ☐ yes ☒ no
The Customer can control what data the AI tool processes: ☐ yes ☒ no
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).
Details of Personal Data being processed
Categories of Personal Data
Categories of Data Subjects
Purpose of Processing
Categories of Data Recipients
Needed for Core Features
Processing Location
Acquia Inc. acts as Processor
The service does not process personal data.
The service does not process personal data.
N/A
N/A
N/A
N/A
N/A
*** Alternative data center locations are not supported at this time.
Privacy Enhancements
Objective
Technology / Measure
Data at Rest
Data in Transit
Anonymization and Pseudonymization
Data anonymization at Customer level is optional for Customer
N/A
N/A
Data confidentiality
Access control measures:
Encryption at customer level
Encryption at Acquia level
For more information, visit Security Annex and Product Description.
N/A
N/A
N/A
N/A
N/A
N/A
Data integrity
Anti-tampering technology For more information, visit Security Annex.
N/A
N/A
Data availability including restoring availability, restoring access to personal data, and data resilience
Business continuity and disaster recovery measures For more information, visit Security Annex.
Certifications
SSAE16/ISAE 3402: SOC 1 Type II
SOC 2 Type II
ISO 27001:2013
FedRAMP
Data Subject Rights
Not applicable.
(Personal) Data Retention Cycles
Data is retained in the Customer’s Drupal application, not in the Service.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex (available from Acqjuia Security Annex) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.
Site Studio