---
title: "Acquia Search powered by SearchStax Product Privacy Notice"
date: "2026-04-16T22:46:58+00:00"
summary: "Understand how Acquia Search powered by SearchStax handles personal data, privacy controls, certifications, and data retention for Drupal search services."
image:
type: "page"
url: "/acquia-cloud-platform/acquia-search-powered-searchstax-product-privacy-notice"
id: "981fb395-5f04-4642-adfa-736376949188"
---

Acquia Search Powered by SearchStax
-----------------------------------

Last revision of this Product Notice: \[v1.1 – 20 May 2026 - Added AI-related details to Processing Operation(s)\]

Prior version(s) of this Product Notice: \[v1.0 – 21 January 2025\]

This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services. 

### About the Product

Acquia Search powered by SearchStax is a search service delivered as Software as a Service (SaaS) for Cloud Platform and Site Factory. This service empowers Drupal marketers to improve site search experiences with agile tools so that Drupal website visitors can find and discover relevant content faster. For details about this Product, please refer to the Product Description available online at [https://docs.acquia.com/guide.](https://docs.acquia.com/guide.)

### 1\. Processing Operation(s)

The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

*   Processing of Personal Data to deliver its core functionalities required: ☒ yes ☐ no
*   Optional features processing Personal Data: ☐ yes ☒ no
    *   The optional features are deactivated by default: ☐ yes ☐ no ☒ n/a\*
*   Processing of sensitive Personal Data: ☒ yes\*\* ☐ no ☐ n/a\*
*   Profiling of individuals based on personal characteristics: ☐ yes ☒ no ☐ n/a\*
*   Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a\*
*   Processing via an AI tool available within the Product:  ☒ yes ☐ no
    *   The AI feature is activated by default: ☐ yes ☒ no
    *   The AI feature processes personal data: ☐ yes ☒ no
    *   The AI feature processes sensitive personal data: ☐ yes ☒ no
    *   The customer can control what data the AI feature processes: ☒ yes ☐ no

\* (n/a = not applicable) \*\* (optional; depends on the Customer’s application) 

### 2\. Details of Personal Data being processed

**Categories of Personal Data**

**Categories of Data Subjects**

**Purpose of Processing**

**Categories of Data**

**Recipients Needed for Core Features**

**Processing Location**

**Acquia Inc. acts as Processor**

Regarding the use of the Service by the Customer: Through the configuration, design, and administration of their own application, Customer in its sole discretion determines and controls the categories of personal data indexed by Search. These may be individual identifiers, contact details, online identifiers, network activity, location data, and any sensitive data categories.

Through the configuration, design, and administration of their own Search application, Customer in its sole discretion determines and controls the categories of data subjects indexed by Search. Primarily, these would be Customer’s end-users, including visitors to Customer’s website.

Provision of the Services by Acquia to Customer

Customer administrators; visitors of Customer’s Drupal application

Yes

Depends on the data center location chosen by Customer. Disaster recovery backups stay in the selected region

No

Regarding the administration of the Service by Customer: Individual identifiers and contact details of Customer’s admins

Customer admins

Access to the Service’s configuration and management console

Customer admins

Yes

U.S. 

Yes

Data log files by Customer Applications

Any data captured by Customer Applications of their website visitors

Provision and Administration of the Services

Customer admins

No

U.S.

Yes

### 3\. Privacy Enhancements

**Objective**

**Technology / Measure**

**Data at Rest**

**Data in Transit**

Anonymization and Pseudonymization

Data anonymization at Customer level optional for Customer

☒

☒

Data confidentiality

Access control measures

Encryption at customer level

Encryption at Acquia level (see Security Annex and Product Description)

☒ 

☒ 

☒ 

☒ 

☒ 

☒ 

 Data integrity

Anti-tampering technology (see Security Annex) 

☒

☒

Data availability including restoring availability, restoring access to personal data, and data resilience

Business continuity and disaster recovery measures (see Security Annex)

☒

N/A

Regular testing, assessing and evaluating of TOMs

Regular security and process reviews (see also Security Annex)

☒

N/A

For data processed by SearchStax, please refer to SearchStax’s data processing agreement for a description of its privacy enhancements, [https://www.searchstax.com/legal/data-processing-addendum/.](https://www.searchstax.com/legal/data-processing-addendum/.)

### 4\. Certifications

SearchStax

*   SOC 2
*   GDPR
*   HIPAA
*   ISO 27001
*   WCAG

Acquia

*   SSAE16/ISAE 3402
*   SOC 1 Type II
*   SOC 2 Type II
*   FedRAMP - TBD 

### 5\. Data Subject Rights

Through the Product’s administration console and through the Customer’s own Drupal application, the Customer may manage, update, retrieve, and erase individual Personal Data.

### 6\. (Personal) Data Retention Cycles

The retention of data in the Product is managed by the Customer and may be stored during the entire term of the Services. Latest 90 days after the end of the contractual term of the Services, Acquia will purge any customer data in the Services including personal data from its systems. Data retention for data processed via SearchStax is subject to SearchStax’s data retention policies.

### 7\. Sub-Processing

The specific list of sub-processors is available from: www.acquia.com/about-us/legal/subprocessors Any current Acquia customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the above website.

### 8\. Description of the technical and organizational security measures implemented by the data importer (Acquia)

Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Acquia Security Annex (available from https://www.acquia.com/about-us/legal/gdpr) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.