Overview¶
We are committed to ensuring the highest level of data protection and to achieving and maintaining the trust of our customers. This Acquia Optimize Product Information Security Overview describes how we have built a secure and resilient software platform by detailing our application, cloud, and corporate security practices. Current customers can request a copy of our full Acquia Optimize Product Information Security Practices Policy by contacting [email protected].
To learn more about the security practices of Acquia, Inc., for the Acquia organization and other Acquia products, please see https://www.acquia.com/sites/default/files/legal/acquia-security-annex.pdf.
General¶
- The Acquia Optimize platform is intended and designed to scan public-facing web pages. This may include the processing of personal data, depending on what information our customers have published on their web pages.
- Software Development Life Cycle (SDLC): Acquia Optimize is an evergreen platform, meaning that customers are always on the latest release; updates and fixes are rolled out to all customers as they ship rather than as separately maintained versions.
- Our customers retain ownership and responsibility for all the content hosted and published on their websites.
Cloud storage and infrastructure security¶
- Google Cloud Platform (GCP) is a multi-certified data center provider and is used to host our services. GCP employs the strictest standards for both cloud and physical security, including: (i) strict rules for access authorization and its monitoring; (ii) privacy practices audited against international standards; (iii) encryption by default; (iv) several physical security layers protecting the servers. For further information on GCP’s security practices, please refer to Google’s Cloud Security Practices.
- All customer data resides entirely in our GCP production environment, which is physically located within various GCP data centers:
- All of our European-based customers’ data is exclusively stored and processed by servers located in Europe.
- Our US-based customers’ data is exclusively stored and processed by servers located in the USA.
- Our Oceania-based customers’ data is exclusively stored and processed by servers located in Australia.
Physical security¶
- No data is stored locally or on Acquia’s premises.
Business continuity and disaster recovery¶
- Acquia maintains business continuity and disaster recovery plans. We conduct quarterly table-top exercises to test the efficacy of these plans.
Backup¶
- Point-in-Time Recovery allows data to be restored to a state no more than thirty (30) minutes before a physical or technical incident (the Recovery Point Objective), with a Recovery Time Objective of twenty-four (24) hours.
- Backups are retained for a period of thirty (30) days following processing. Additionally, we do daily disk snapshots which are kept for fourteen (14) days.
- Backups are stored geo-redundantly within GCP.
Data retention policy¶
- Data is stored until it is overwritten by the customer, or until thirty (30) days following the termination date of the contract, after which the personal data is automatically overwritten by Acquia.
- Backup copies remain for a further thirty (30) days, after which they are automatically overwritten.
Data encryption and anonymization¶
- Acquia supports the latest recommended secure cipher suites to encrypt all external traffic in transit, using TLS 1.2 with AES-256 cipher suites.
- Server disks are encrypted at rest using AES-256.
- Beginning in 2023, Acquia controls its own encryption keys for its European servers that store EEA/UK/Swiss customer data. This data sovereignty model will be rolled out first to new customers in Q3 2023 and to existing customers in Q4 2023. See our Data Sovereignty Statement for more information.
- Anonymization of personal data is applied wherever possible, including masking IP addresses before storage for our “Statistics” and “Privacy” modules.
- The data saved in the “Data Privacy” module is double encrypted.
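As an added illustration of the IP masking described above, the Python below zeroes the host bits of a client address before anything is stored. This is example code written for this page, not Acquia's implementation; the prefix lengths kept (/24 for IPv4, /48 for IPv6), the record layout and the `mask_ip`/`build_visit_record` names are assumptions, since the page does not say which prefixes Acquia Optimize keeps.

```python
import ipaddress
from typing import Dict

# Prefix lengths retained after masking. Assumed for this example; the page
# does not state which prefixes Acquia Optimize keeps.
IPV4_KEEP_BITS = 24   # 203.0.113.57          -> 203.0.113.0
IPV6_KEEP_BITS = 48   # 2001:db8:abcd:1234::1 -> 2001:db8:abcd::


def mask_ip(raw_ip: str) -> str:
    """Return raw_ip with its host bits zeroed, or raise ValueError.

    Raising on anything that is not an IP literal is deliberate: a garbage
    or injected header value must never reach storage in its original form.
    """
    addr = ipaddress.ip_address(raw_ip.strip())
    # "::ffff:203.0.113.57" is an IPv4 client seen over an IPv6 socket.
    # Masking it with the IPv6 prefix would reduce it to "::" and lose the
    # /24 granularity the statistics rely on, so unwrap it first.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def build_visit_record(page_url: str, raw_ip: str) -> Dict[str, str]:
    """Build the record that would be persisted for one page view.

    Only the masked network goes into the record; the raw address is a
    local that is discarded when the function returns.
    """
    return {"page": page_url, "client_net": mask_ip(raw_ip)}


if __name__ == "__main__":
    # Constructed sample input: one IPv4, one IPv6 and one IPv4-mapped client.
    for ip in ("203.0.113.57", "2001:db8:abcd:1234:5678::1", "::ffff:203.0.113.57"):
        print(build_visit_record("https://www.example.com/", ip))
```

The masking happens at the boundary where the record is built, so no code path exists that writes the raw address; a failed parse raises rather than falling back to storing the input unchanged.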
Security architecture¶
- We offer a multi-tenant solution. Every stored record is tagged with the customer account that owns it, and access is enforced against that tag, so customers can only access their own data and no one else’s.
- The Acquia Optimize platform is designed around the principle of least privilege: no access is granted by default, and every privilege is granted explicitly and managed through a configuration management process.
- Platform component access to and from the public Internet is delegated to several reverse proxy servers, so that no application instances or infrastructure components are directly reachable from the public Internet.
User management, authentication, and remote access¶
- Customer access to the Acquia Optimize Platform is done by HTTPS (TLS) while authentication is done with OAuth2 using our in-house identity provider (IdP).
- We support the use of single sign-on (SSO). SSO is set up via SAML 2.0, using an identity provider (IdP) of the customer’s choice.
- Remote access to the application environment is reserved for the system operations personnel. Remote access requires public key authentication and/or two-factor authentication, depending on the target.
- Remote access is controlled through the Google Cloud IAM regime.
System logging¶
- Logs include, but are not limited to: HTTP/HTTPS requests, platform events, system events, and security events such as successful and attempted access to individual servers.
- Changes to and deletions of log entries are themselves recorded in a searchable index that is accessible only to personnel with the highest level of system access.
Software development lifecycle¶
- Every code deployment archives the previously running production code so that it can be restored if post-deploy hooks detect a failure.
- We use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch).
- Customer data is never used by Acquia in the staging environment, nor does any other testing use customer data.
- Acquia Optimize is built on a modern web stack, with close attention to which frameworks, libraries, and technologies are introduced into it. For example, database queries are issued with bind variables (parameterized queries) at the driver level, so that protection against SQL injection does not depend on application code remembering to quote input.
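To show how the tenant tagging from the Security architecture section and the bind variables described here work together, the following Python example is added for this page. It is not Acquia's code: the `pages` table, its columns, the sqlite3 driver and the class and function names are stand-ins chosen for the example, and the sample rows are constructed. The tenant identifier is fixed when the repository is created from the authenticated session, never taken from the request, and every query binds it alongside the user-supplied search term. A deliberately vulnerable function is kept beside the safe one to show what the bound parameters prevent.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for the example: two tenants, two scanned pages each.
SAMPLE_PAGES = [
    ("acme",   "https://www.acme.example/",        3),
    ("acme",   "https://www.acme.example/contact", 1),
    ("globex", "https://globex.example/",          0),
    ("globex", "https://globex.example/privacy",   5),
]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the production database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages ("
        "  tenant_id TEXT NOT NULL,"   # the ownership tag on every row
        "  url       TEXT NOT NULL,"
        "  issues    INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    return conn


def escape_like(fragment: str) -> str:
    """Neutralise LIKE wildcards in user input.

    Bind variables stop injection, but a '%' or '_' in the search term would
    still widen the match; escaping them keeps the search literal.
    """
    return fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


class TenantRepository:
    """Data access scoped to one tenant for its whole lifetime."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        # Set once from the authenticated session; request data never reaches it.
        self.tenant_id = tenant_id

    def pages_matching(self, fragment: str) -> List[Tuple[str, int]]:
        # Both the tenant tag and the search term travel as bound parameters.
        # The SQL text is constant, so the driver never has to quote anything
        # and a row from another tenant can never satisfy the WHERE clause.
        return self.conn.execute(
            "SELECT url, issues FROM pages "
            "WHERE tenant_id = ? AND url LIKE ? ESCAPE '\\' "
            "ORDER BY url",
            (self.tenant_id, f"%{escape_like(fragment)}%"),
        ).fetchall()


def pages_matching_unsafe(conn: sqlite3.Connection, tenant_id: str,
                          fragment: str) -> List[Tuple[str, int]]:
    """Deliberately vulnerable: the search term is pasted into the SQL text.

    Kept only to show what the bound-parameter version prevents; a crafted
    term comments out the tenant check and returns every tenant's rows.
    """
    sql = (
        "SELECT url, issues FROM pages "
        f"WHERE tenant_id = '{tenant_id}' AND url LIKE '%{fragment}%' ORDER BY url"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = build_db()
    repo = TenantRepository(conn, "acme")
    payload = "%' OR 1=1 --"          # closes the LIKE literal, then comments out the rest
    print("safe:  ", repo.pages_matching(payload))
    print("unsafe:", pages_matching_unsafe(conn, "acme", payload))
```

With the payload shown, the safe path searches for the literal string and returns nothing, while the unsafe path returns all four rows, including the other tenant's, because the `--` removes the rest of the statement after `OR 1=1`.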
Deployment¶
- We monitor all services ahead of, during and after a deployment to verify that no bugs or vulnerabilities have been introduced. This covers logging of all code errors and authentication warnings along with general error rates, global response times, and automated security scans.
- Testing procedures span both automated flows and manual ones, and they cover both product deployment and system administration. These include, but are not limited to: (i) testing for SQL injection; (ii) error logging and error rate monitoring; (iii) systematic scanning for XSS vulnerabilities; (iv) manual code review; and (v) quality assurance testing by a dedicated team.
Monitoring¶
- All services that make up Acquia Optimize are monitored internally, and we compute metrics both for availability and performance. In addition, access to external-facing services is monitored using Google Cloud Monitoring Uptime Checks.
- We perform vulnerability scanning continually against our applications and infrastructure. Network-based and application-level vulnerability scans run at least weekly to ensure that we detect and respond to the latest vulnerabilities. Static code analysis automatically reviews the most current code to detect potential security flaws in the development lifecycle. Current customers can receive a copy of our latest penetration test opinion by contacting [email protected].
Application security¶
- Acquia has implemented Google Cloud Armor Web Application Firewall (WAF).
Operational Security¶
Configuration and change management¶
- Terraform and SaltStack are used to centrally manage Acquia Optimize's production servers throughout their lifecycle and to ensure that baseline security configurations are consistently pushed out to all servers.
Vulnerability management¶
- Acquia’s security team receives threat intelligence feeds on a daily basis through industry partners, publicly accessible feeds, and other sources, to monitor new vulnerabilities and threats.
- Weekly GCP Web Security Scanner and Security Command Center scans are performed to detect vulnerable services running across the production environment.
- High-risk vulnerabilities are mitigated as soon as personnel become aware of them, while low-risk vulnerabilities are mitigated once it has been verified that the patch does not affect the stability of the platform.
- Non-security related software updates are applied in a continuous, rolling fashion to avoid any one update causing platform-wide interruptions.
Incident management and personal data breach¶
- Acquia has established policies and procedures for responding to potential incidents. In the event of an incident, affected customers will be informed by email.
Corporate Security¶
Confidentiality¶
- Acquia ensures that all personnel are contractually bound by confidentiality as a condition of employment. In addition, personnel receive appropriate training on their responsibilities, including regarding their confidentiality obligations.
Security awareness¶
- Acquia has implemented a security awareness training program where the entire team receives mandatory annual training, including role-based training.
Employee Authentication and Authorization¶
- The concept of least privilege is applied to all Acquia systems. In the event that an employee is terminated or leaves, Acquia revokes all system access as soon as possible (always within 24 hours).
Corporate physical security¶
- Access to Acquia’s offices is only allowed to staff and is controlled by access cards or keys. Visitors are always registered and are never left unattended on Acquia’s premises.