---
title: "Web Governance Product Privacy Notice"
date: "2026-02-04T17:39:40+00:00"
summary:
image:
type: "page"
url: "/web-governance/web-governance-product-privacy-notice"
id: "57852f4b-33bc-47e8-aef9-cfe23e38c5ec"
---

Acquia Web Governance 
----------------------

Last revision of this Product Notice: \[v2.3 – 27 April 2026\]  
Prior version of this Product Notice: \[v2.2 – 27 February 2026\]

This Product Notice describes the privacy-relevant aspects of the above-mentioned Acquia product/services.

### About the Product/Services

Acquia Web Governance is a Software-as-a-Service (SaaS) platform that comprises various modules or features. Acquia Web Governance enables the (Data) Controller to scan public-facing web pages as well as collect information regarding visitors to such pages. The collection of visitors’ information is only possible when using the Statistics module. As part of the Product, the (Data) Processor reports on web pages’ performance and compliance with rules concerning website governance and accessibility (for example, WCAG 2.1).

*   The Acquia API enables Customers to scan PDFs in the same way they scan web pages.
*   The Statistics and Script features provide Customers with statistics based on visits to web pages.
*   The Consent Manager module provides a consent management platform for collecting and managing cookie consents for GDPR, CCPA, and other regulatory compliance requirements.
*   The Data Privacy module helps to identify Personal Data points that may be disclosed on a customer's website.

The Services are intended to be used to scan only Customer's public-facing web pages. (1)

For details about this Product and its modules or features, refer to the Product guide available at Web Governance Product Guide.

1.  ### Processing Operation(s)
    
    The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
    
    *   Processing of Personal Data required to deliver its core functionalities: ☐ yes ☒ no ☐ n/a\*
    *   Optional features processing Personal Data: ☒ yes ☐ no ☐ n/a\*
        *   The optional features are deactivated by default: ☐ yes ☒ no ☐ n/a\*
    *   Processing of sensitive Personal Data: ☐ yes\*\* ☒ no ☐ n/a\*
    *   Profiling of individuals based on personal characteristics: ☐ yes ☒ no ☐ n/a\*
    *   Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ n/a\*
    *   Processing via an AI tool available with the Product: ☐ yes ☒ no ☐ n/a\*
        *   The AI feature is deactivated by default: ☐ yes ☒ no ☐ n/a\*
        *   The AI feature processes Personal Data: ☐ yes ☒ no ☐ n/a\*
        *   The AI feature processes sensitive Personal Data: ☐ yes ☒ no ☐ n/a\*
        *   The Customer can control what data the AI tool processes: ☐ yes ☒ no ☐ n/a\*
    
    \* (n/a = not applicable)
    
    \*\* (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).
    
2.  ### Details of Personal Data being processed
    
    For each feature or module, this section lists, in this order: **Categories of Personal Data**, **Categories of Data Subjects**, **Purpose of Processing**, **Categories of Data Recipients**, **Needed for Core Features**, **Processing Location**, and **Acquia Inc. acts as Processor**.
    
    **Use of the Core Features of the Product:**

    *   **Categories of Personal Data:** Depending on the configuration of the Web Governance platform and the selected web pages for scanning, the Product will process both personal and non-personal data that is available on the Customers’ web pages. The selection of web pages for scanning is at the discretion of the Customer. The content of the web page will determine the categories that may be processed. These are generally business-related categories, such as individual identifiers of article authors, business contact details for employees, and online identifiers, if such are made available on these web pages.
    *   **Categories of Data Subjects:** Through the selection of a web page for scanning, the Customer, at its sole discretion, determines and controls the categories of data processed by the Product, such as the employees of the Customer identified on its web page.
    *   **Purpose of Processing:** Provision of the Services by Acquia to Customer
    *   **Categories of Data Recipients:** Administrators and other users authorized by Customer to access the Product.
    *   **Needed for Core Features:** Yes
    *   **Processing Location:** Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with georedundancy.
    *   **Acquia Inc. acts as Processor:** Yes
    
    **Acquia API for PDF Compliance Scanning:**

    *   **Categories of Personal Data:** Depending on the configuration of the Web Governance platform and the selected PDF files for scanning, the Product will process both personal and non-personal data that is available in the scanned PDF. The selection of PDFs for scanning is at the discretion of the Customer. The content of the PDF will determine the categories that may be processed. Examples include individual identifiers, contact details, and online identifiers, if such are made available in these PDFs.
    *   **Categories of Data Subjects:** Through the selection of a PDF for scanning, the Customer, at its sole discretion, determines and controls the categories of data processed by the Product, such as the employees of the Customer identified in the PDF.
    *   **Purpose of Processing:** Provision of the Services by Acquia to Customer
    *   **Categories of Data Recipients:** Administrators and other users authorized by Customer to access the Product
    *   **Needed for Core Features:** No
    *   **Processing Location:** The Acquia API is provided by Acquia, which operates two cloud-based data centers located in the United States and Europe for support of Web Governance customers. The data of European customers is stored on Acquia's server in Europe, and the data of all other customers is stored on the server in the United States.
    *   **Acquia Inc. acts as Processor:** Yes
    
    **Statistics and Script modules/features:**

    *   **Categories of Personal Data:** If the Statistics module is activated, it will process IP addresses of visitors to the Customer’s web pages. IP addresses will be pseudonymized before storage and are therefore not traceable within the **Web Governance** platform. The data retention period for data from the Statistics module is 3 years.
    *   **Categories of Data Subjects:** Through the activation of the Statistics module, the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product, such as visitors to the Customer’s website.
    *   **Purpose of Processing:** Provision of the Services by Acquia to Customer
    *   **Categories of Data Recipients:** Administrators and other users authorized by Customer to access the Product
    *   **Needed for Core Features:** No
    *   **Processing Location:** Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with georedundancy.
    *   **Acquia Inc. acts as Processor:** Yes
    
    **Data Privacy module:**

    *   **Categories of Personal Data:** If the Data Privacy module is activated and depending on the configuration of the Web Governance platform and the selected web pages for scanning, the Product will process the personal data on those web pages that are selected for scanning at the Customer’s sole discretion. The content of the web page will determine the categories that may be processed. The Data Privacy module identifies personal data points that may be available on a Customer’s web pages so that the Customer can determine if such personal data has been placed online in conformity with the basis for publication and processing that it has established with the affected data subjects.
    *   **Categories of Data Subjects:** Through the selection of a web page for scanning (see also “Categories of Personal Data” above), the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product.
    *   **Purpose of Processing:** Provision of the Services by Acquia to Customer
    *   **Categories of Data Recipients:** Administrators and other users authorized by Customer to access the Product
    *   **Needed for Core Features:** Yes
    *   **Processing Location:** Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with georedundancy.
    *   **Acquia Inc. acts as Processor:** Yes
    
    **Consent Manager module:**

    *   **Categories of Personal Data:** If the Consent Manager module is activated, it will process IP addresses of visitors to the Customer’s web pages. IP addresses will be pseudonymized before storage and are therefore not traceable within the Web Governance platform.
    *   **Categories of Data Subjects:** Through the activation of the Consent Manager module, the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product, such as visitors to the Customer’s website.
    *   **Purpose of Processing:** Provision of the Services by Acquia to Customer
    *   **Categories of Data Recipients:** Administrators and other users authorized by Customer to access the Product
    *   **Needed for Core Features:** No
    *   **Processing Location:** Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with georedundancy.
    *   **Acquia Inc. acts as Processor:** Yes
    
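    **Administration of the Product by Customer:**

    *   **Categories of Personal Data:** Individual identifiers and contact details of Customer’s admins
    *   **Categories of Data Subjects:** Customer admins
    *   **Purpose of Processing:** Access to the Service’s configuration and management console
    *   **Categories of Data Recipients:** Customer admins
    *   **Needed for Core Features:** Yes
    *   **Processing Location:** Identifiers are stored in Belgium
    *   **Acquia Inc. acts as Processor:** Yes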
    
    **Remediation Companion (Browser Extension):**

    *   **Categories of Personal Data:** If the Remediation Companion is activated via the browser extension and depending on the specific web pages selected for remediation, the Product will process the data on those web pages that are selected for analysis at the Customer’s sole discretion.

        The content of the web page will determine the categories that may be processed. The Remediation Companion uses generative AI to provide suggestions for the most important accessibility errors so that the Customer can determine the appropriate remediation to ensure content is inclusive and compliant.
    *   **Categories of Data Subjects:** Through the activation of the Remediation Companion within the Browser Extension, the Customer, at its sole discretion, determines which pages are analyzed. The Customer is responsible for ensuring the extension is not activated on pages containing sensitive personal data (PII) that the Customer does not wish to be processed by the AI service.
    *   **Purpose of Processing:** When activated by a user, the Product processes HTML snippets, website content, and accessibility metadata from the active browser tab to provide generative AI-driven suggestions to resolve web accessibility errors.
    *   **Categories of Data Recipients:** Administrators and other users authorized by Customer to access the Product.
    *   **Needed for Core Features:** No
    *   **Processing Location:** Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with georedundancy.
    *   **Acquia Inc. acts as Processor:** No
    
    \*\*\* Alternative data center locations are not supported at this time.
    
    (1) For the avoidance of doubt, in no event shall Customer utilize the Services to scan private areas of Customer's websites, such as those areas that are password protected or contain private information about Customer and/or its users, employees, contractors, officers, directors, and/or other agents. In the event Customer so utilizes the Services in such a manner, Customer agrees and acknowledges that Service Provider shall not be held liable for any damages arising from or related to the same, including but not limited to damages that may arise related to the failure to comply with data protection rules and regulations. Customer shall utilize the Software to scan only those URLs and domains belonging to Customer and/or for which Customer has a license to operate and manage the same. In no event shall the Software be used to scan URLs and domains outside of Customer's control or otherwise in bad faith.
    
3.  ### Privacy Enhancements

    | Objective | Technology / Measure | Data at Rest | Data in Transit |
    | --- | --- | --- | --- |
    | Anonymization and Pseudonymization | Data anonymization at Customer level optional for Customer | Yes | Yes |
    | Data confidentiality | **Access control measures:** | Yes | Yes |
    | | Encryption at customer level | Yes | Yes |
    | | Encryption at Acquia level (see Security Annex and Product Description) | Yes | Yes |
    | Data integrity | Anti-tampering technology (see Security Annex) | Yes | Yes |
    | Data availability including restoring availability, restoring access to personal data, and data resilience | Business continuity and disaster recovery measures (see Security Annex) | Yes | N/A |
    | Regular testing, assessing and evaluating of TOMs | Regular security and process reviews (see also Security Annex) | Yes | N/A |
    
4.  ### Certifications
    
    Not applicable. Google Cloud Platform’s certifications can be found at the [Google Cloud Compliance Resource Center](https://cloud.google.com/compliance).
    
5.  ### Data Subject Rights
    
    With the help of Acquia Support, the Customer may manage, update, retrieve, and erase individual Personal Data.
    
6.  ### (Personal) Data Retention Cycles
    
    Data shall be processed until overwritten by Data Controller’s use of the services, which typically occurs weekly when automatic scans are enabled, or until thirty (30) days following the termination of the agreement for use of the Acquia Web Governance Suite. Backups are retained for an additional thirty (30) days with audit logs retained for four hundred (400) days and system logs retained for thirty (30) days.

    The data retention period for raw visitor data from the Statistics module is 3 years. Aggregated reports of visits continue to be available beyond 3 years, until an account is terminated.
    
    For the Remediation Companion, input data (snippets) and output data (suggestions) are processed transiently to generate the response and are retained only as necessary for audit logs (400 days) unless otherwise configured.
    
7.  ### Sub-Processing
    
    The specific list of sub-processors is available at [Acquia Sub-processors](https://www.acquia.com/about-us/legal/subprocessors). Any current Acquia Web Governance customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the mentioned website.
    
8.  ### Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)

    Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Web Governance Information [Security Overview](https://security.acquia.com/) and, where applicable, the [Acquia Security Annex](https://www.acquia.com/about-us/legal/privacy-trust-center) applicable to the specific Services purchased by data exporter, as updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log settings used by data exporter in conjunction with the Services.