---
title: "Web Governance product privacy notice"
date: "2026-02-04T17:39:40+00:00"
summary:
image:
type: "page"
url: "/web-governance/web-governance-product-privacy-notice"
id: "57852f4b-33bc-47e8-aef9-cfe23e38c5ec"
---

Acquia Web Governance
---------------------

Last revision of this Product Notice: \[v2.2 – 27 February 2026\]  
Prior version of this Product Notice: \[v2.1 – 5 February 2026\]

This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.

### About the Product/Services

Acquia Web Governance is a Software-as-a-Service (SaaS) platform that comprises various modules or features. Acquia Web Governance enables the (Data) Controller to scan public-facing web pages as well as collect information regarding visitors to such pages. The collection of visitors’ information is only possible when using the Statistics module. As part of the Product, the (Data) Processor reports on web pages’ performance and compliance with rules concerning website governance and accessibility (For example, WCAG 2.1.).

*   The Clarity API is a tool that enables Customers to scan PDFs in the same way they scan web pages.
*   The Statistics and Script features provide Customers with statistics based on visits to web pages.
*   The Consent Manager module provides a consent management platform for collecting and managing cookie consents for GDPR, CCPA, and other regulatory compliance requirements.
*   The Data Privacy module helps to identify Personal Data points that may be disclosed on a customer's website.

The Services are intended to be used to scan only Customer's public-facing web pages. 1

For details about this Product and its modules or features, refer to the Product guide available at  
https://docs.acquia.com/web-governance/web-governance-product-guide.

### 1\. Processing Operation(s)

The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.

*   Processing of Personal Data to deliver its core functionalities required: ☐ yes ☒ no ☐ n/a\*
    *   Optional features processing Personal Data: ☒ yes ☐ no ☐ n/a\*
*   The optional features are deactivated by default: ☐ yes ☒ no ☐ n/a\*
*   Processing of sensitive Personal Data: ☐ yes\*\* ☒ no ☐ n/a\*
*   Profiling of individuals based on personal characteristics: ☐ yes ☒ no ☐ n/a\*
*   Automated decision making that produces legal or other significant impacts on individuals: ☐ yes ☒ no ☐ ☐ n/a\*
*   Processing via an AI tool available with the Product ☐ yes ☒ no ☐ n/a\*
    *   The AI feature is deactivated by default: ☐ yes ☒ no ☐ n/a\*
    *   The AI feature processes Personal Data: ☐ yes ☒ no ☐ n/a\*
    *   The AI feature processes sensitive Personal Data ☐ yes ☒ no ☐ n/a\*
    *   The Customer can control what data the AI tool processes: ☐ yes☒ no ☐ n/a\*

\* (n/a = not applicable)  
\*\* (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).

### 2\. Details of Personal Data being processed

**Categories of Personal Data**

**Categories of Data Subjects**

**Purpose of**  
**Processing**

**Categories**  
**of Data Recipients**

**Needed**  
**for Core**  
**Features**

**Processing**  
**Location**

**Acquia Inc.**  
**acts as**  
**Processor**

**Use of the Core**  
**Features of the**  
**Product**:  
Depending on the  
configuration of the  
Web Governance platform and  
the selected web  
pages for scanning, the Product will  
process both personal  
and non-personal data  
that is available on the  
Customers’ web pages.  
The selection of web  
pages for scanning is  
at the discretion of the  
Customer.  
The content of the  
web page will  
determine the  
categories that may be  
processed. These are  
generally  
business-related  
categories, such as  
individual identifiers of  
article authors,  
business contact  
details for employees,  
and online identifiers,  
if such are made  
available on these web  
pages.

Through the  
selection of a  
web page for  
scanning, the  
Customer, at its  
sole discretion,  
determines and  
controls the categories of  
data processed  
by the Product,  
such as the  
employees of the  
Customer  
identified on its  
web page.

Provision of the  
Services by  
Acquia to  
Customer

Administrators and  
other users  
authorized by  
Customer to access  
the Product

Yes

Acquia (for  
Web Governance) operates  
three cloud servers  
located in Europe,  
the United States,  
and Australia for its  
global customer  
base. The data center where  
customer data is  
stored corresponds  
to the geographic  
location of the  
Customer. Backup  
data is stored with  
georedundancy.

Yes

**Clarity API for PDF**  
**Compliance Scanning**:  
Depending on the  
configuration of the  
Web Governance platform and  
the selected PDF files  
for scanning, the  
Product will process  
both personal and  
non-personal data that  
is available in the  
scanned PDF. The  
selection of PDFs for  
scanning is at the  
discretion of the  
Customer.  
The content of the PDF  
will determine the  
categories that may be  
processed. For  
example, individual  
identifiers, contact  
details, online  
identifiers, if such are  
made available in  
these PDFs.

Through the  
selection of a  
PDF for scanning,  
the Customer, at  
its sole  
discretion,  
determines and  
controls the  
categories of  
data processed  
by the Product,  
such as the  
employees of the  
Customer  
identified in the  
PDF.

Provision of the  
Services by  
Acquia to  
Customer

Administrators and  
other users  
authorized by  
Customer to access  
the Product

No

The Clarity API is  
provided by  
NetCentric  
Technologies, Inc.,  
which operates two  
cloud-based data  
centers located in  
the United States  
and Europe for  
support of Web Governance  
customers. The data  
of European  
customers is stored  
on the NetCentric's  
server in Europe,  
and the data of all  
other customers is  
stored on the  
NetCentric's server  
in the United States.

Yes

**Statistics**  
**and Script**  
**modules/features:**  
If the Statistics module  
is activated, it will  
process IP addresses  
of visitors to the  
Customer’s web pages.  
IP addresses will be  
pseudoanonymized  
before storage and are  
therefore not  
traceable within the  
Web Governance platform.  
The data retention  
period for data from the Statistics module is 3 years.

Through the  
activation of the  
Statistics  
module, the  
Customer, at its  
sole discretion,  
determines and  
controls the  
categories of  
data subjects  
processed by the  
Product, such as  
visitors to the  
Customer’s  
website.

Provision of the  
Services by  
Acquia to  
Customer

Administrators and  
other users  
authorized by  
Customer to access  
the Product

No

Acquia (for  
Web Governance) operates  
three cloud servers  
located in Europe,  
the United States,  
and Australia for its  
global customer  
base. The data  
center where  
customer data is  
stored corresponds  
to the geographic  
location of the  
Customer. Backup  
data is stored with  
geo-redundancy.

Yes

**Data Privacy module:**  
If the Data Privacy  
module is activated  
and depending on the  
configuration of the  
Web Governance platform and  
the selected web  
pages for scanning,  
the Product will  
process the personal  
data on those web  
pages that are  
selected for scanning  
is at the Customer’s  
sole discretion.  
The content of the  
web page will  
determine the  
categories that may be  
processed. The Data  
Privacy module  
identifies personal  
data points that may  
be available on a  
Customer’s web pages  
so that the Customer  
can determine if such  
personal data has  
been placed online in  
conformity with the  
basis for publication  
and processing that it  
has established with  
the affected data  
subjects.

Through the  
selection of a  
web page for  
scanning (see  
also “Categories  
of Personal Data”  
to the left), the  
Customer in its  
sole discretion  
determines and  
controls the  
categories of  
data subjects  
processed by the  
Product.

Provision of the  
Services by  
Acquia to  
Customer

Administrators and  
other users  
authorized by  
Customer to access  
the Product

Yes

Acquia (for  
Web Governance) operates  
three cloud servers  
located in Europe,  
the United States,  
and Australia for its  
global customer  
base. The data  
center where  
customer data is  
stored corresponds  
to the geographic  
location of the  
Customer. Backup  
data is stored with  
geo-redundancy.

Yes

**Consent Manager**  
**module:**  
If the Consent  
Manager module is  
activated, it will  
process IP addresses  
of visitors to the  
Customer’s web pages.  
IP addresses will be  
pseudoanonymized  
before storage and are  
therefore not  
traceable within the  
Web Governance platform.

Through the  
activation of the  
Consent  
Manager  
module, the  
Customer, at its  
sole discretion,  
determines and  
controls the  
categories of  
data subjects  
processed by the  
Product, such as  
visitors to the  
Customer’s  
website.

Provision of the  
Services by  
Acquia to  
Customer

Administrators and  
other users  
authorized by  
Customer to access  
the Product

No

Acquia (for  
Web Governance) operates  
three cloud servers  
located in Europe,  
the United States,  
and Australia for its  
global customer  
base. The data  
center where  
customer data is  
stored corresponds  
to the geographic  
location of the  
Customer. Backup  
data is stored with  
geo-redundancy.

Yes

**Administration of the**  
**Product by Customer:**  
Individual identifiers  
and contact details of  
Customer’s admins

Customer admins 

Access to the  
Service’s  
configuration  
and  
management  
console

Customer admins

Yes

Identifiers are stored  
in Belgium

Yes

**Remediation Companion (Browser Extension)**

If the Remediation Companion is activated via the browser extension and depending on the specific web pages selected for remediation, the Product will process the data on those web pages that are selected for analysis at the Customer’s sole discretion.

The content of the web page will determine the categories that may be processed. The Remediation Companion uses generative AI to provide suggestions to the most important accessibility errors so that the Customer can determine the appropriate remediation to ensure content is inclusive and compliant.

Through the activation of the Remediation Companion within the Browser Extension, the Customer, at its sole discretion, determines which pages are analyzed. The Customer is responsible for ensuring the extension is not activated on pages containing sensitive personal data (PII) that the Customer does not wish to be processed by the AI service.

When activated by a user, the Product processes HTML snippets, website content, and accessibility metadata from the active browser tab to provide generative AI-driven suggestions to resolve web accessibility errors.

Administrators and other users authorized by Customer to access the Product.

No

Acquia (for Optimize) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy.

No

\*\*\* Alternative data centre locations are not supported at this time.

1 For the avoidance of doubt, in no event shall Customer utilize the Services to scan private areas of Customer's websites, such as  
those areas that are password protected or contain private information about Customer and/or its users, employees, contractors,  
officers, directors, and/or other agents. In the event Customer so utilizes the Services in such a manner, Customer agrees and  
acknowledges that Service Provider shall not be held liable for any damages arising from or related to the same, including but not  
limited to damages that may arise related to the failure to comply with data protection rules and regulations. Customer shall utilize  
the Software to scan only those URLs and domains belonging to Customer and/or for which Customer has a license to operate and  
manage the same. In no event shall the Software be used to scan URLs and domains outside of Customer's control or otherwise in  
bad faith.

**3\. Privacy Enhancements**

**Objective**

**Technology / Measure**

**Data at Rest**

**Data in Transit**

Anonymization and  
Pseudonymization

Data anonymization at Customer level optional for  
Customer

Yes

Yes

Data confidentiality

Access control measures  
Encryption at customer level

Encryption at Acquia level

(see Security Annex and Product Description)

Yes

Yes

Yes

Yes

Yes

Yes

Data integrity

Anti-tampering technology (see Security Annex)

Yes

Yes

Data availability including  
restoring availability,  
restoring access to personal  
data, and data resilience

Business continuity and disaster recovery measures (see  
Security Annex)

Yes

N/A

Regular testing, assessing and  
evaluating of TOMs

Regular security and process reviews (see also Security  
Annex)

Yes

N/A

### 4\. Certifications

Not applicable. Google Cloud Platform’s certifications can be found here: [https://cloud.google.com/compliance](https://Google Cloud Platform’s certifications can be found here: https://cloud.google.com/compliance).

### 5\. Data Subject Rights

With the help of Acquia Support, the Customer may manage, update, retrieve, and erase individual Personal Data.

### 6\. (Personal) Data Retention Cycles

Data shall be processed until overwritten by Data Controller’s use of the services, which typically occurs weekly when automatic  
scans are enabled, or until thirty (30) days’ following the termination of the agreement for use of the Acquia Web Governance  
Suite. Backups are retained for an additional thirty (30) days with audit logs retained for four hundred (400) days and system logs  
retained for thirty (30) days.

The data retention period for raw visitor data from the Statistics module is 3 years. Aggregated reports of visits continue to be  
available beyond 3 years, until an account is terminated.

For the Remediation Companion, input data (snippets) and output data (suggestions) are processed transiently to generate the response and are retained only as necessary for audit logs (400 days) unless otherwise configured.

### 7\. Sub-Processing

The specific list of sub-processors is available at: [www.acquia.com/about-us/legal/subprocessors](https://www.acquia.com/about-us/legal/subprocessors). Any current Acquia Web Governance customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the mentioned website.

### 8\. Description of the technical and organizational security measures implemented by the data importer in accordance with  
Clauses 4(d) and 5(c) (or document/legislation attached)

Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection  
of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Web Governance Information  
Security Overview ([https://security.acquia.com/](https://security.acquia.com/)) and, where applicable, the Acquia Security Annex (available from  
https://www.acquia.com/about-us/legal/privacy-trust-center) applicable to the specific Services purchased by data exporter, as  
updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for  
implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log  
settings used by data exporter in conjunction with the Services.