Customers Impacted: EEA/UK
Version 1.0 Effective Date: September 9, 2023
Acquia understands that privacy and data protection are critical concerns for its customers. Since our founding in Copenhagen, Denmark, in 2014, we have always taken privacy seriously, adopting as our guiding principles the EU General Data Protection Regulation (“EU GDPR”): Regulation (EU) 2016/679 and the Data Protection, Privacy and Electronic Communications Regulation 2019 (“UK GDPR”) (collectively herein the “GDPR”). As we expanded to include offices in the United Kingdom, the United States of America, and Australia, and in 2024 became a subsidiary of U.S.-based Acquia, Inc., we listened to our international customers and sought to ensure that, whatever our global reach, we design our products and operational landscape to reflect the principles of privacy by design and privacy by default, while also complying with the various data protection regulations that govern our offices.
As the GDPR is the global gold standard for data protection, we seek to ensure that our offices comply with its requirements. In this way we can serve all of our customers at the same, high level, by operating against a consistent baseline that allows us to adapt to changes within the world’s privacy landscape as they occur.
In order for our services to function, there is a certain amount of data we must collect and process. For more information about the data we process on behalf of our customers as part of our software-as-a-service offering, our customers are invited to review their respective data processing agreements.
All data we process is encrypted in transit and at rest. Acquia supports the latest recommended secure cipher suites to encrypt all external traffic in transit, including the use of TLS 1.2 protocols and AES256 encryption. Server disks are encrypted at rest using AES256 with the data processed by our privacy module receiving double encryption.
We believe that our customers should control who has access to their data, and so, after listening to the needs of our EEA/UK customers, we are pleased to offer them the confidence that Acquia controls its own encryption key for its EEA/UK servers. This allows us to guarantee to our EEA/UK-based customers that their data sovereignty can be maintained, and that their data will not be readable by a foreign government or exposed in the event of a data breach. Moreover, we are pleased to offer our customers the peace of mind that, by selecting Acquia as a trusted processor, their data is processed in compliance with the decision of the European Court of Justice in Schrems II (CJEU – C-311/18) and the Recommendations of the European Data Protection Board 2020/1 and 2020/2.
The majority of our products do not process data that is not already in the public sphere, and, based on the U.S. Department of Justice’s April 2019 CLOUD Act White Paper, we do not believe that the type of data we process would be subject to a government surveillance request. However, we understand that many of our EEA/UK customers are still concerned about the possibility of “back door” direct access to their data. We, too, oppose such access. This means that even for our non-EEA/UK customers, Acquia will never agree to allow access to the encryption keys for their data except where required for the functionality of our SaaS platform. We also closely track the transparency reports published by our sub-processors and contractually require that they provide advance notice of any government requests, whenever legally possible.
For Acquia’s EEA and UK customers, the Google Cloud Platform External Key Management (EKM) feature in combination with Thales CPL’s Data Protection on Demand service is used to keep the data at rest encryption key out of Google Cloud Platform’s control. Google Cloud Platform uses an encryption principle called Envelope Encryption for data encryption.
All data at rest is encrypted with AES256 using a randomly generated data encryption key (DEK). The DEK is then itself encrypted using a key encryption key (KEK), and the encrypted DEK is stored alongside the data it was used to encrypt. This method allows for high-performance, low-latency data encryption at scale.
By using EKM in combination with Thales Data Protection on Demand, the KEK is kept outside Google Cloud Platform and is never exposed to it: instead, Google Cloud Platform sends requests to encrypt and decrypt DEKs to the partner’s EKM endpoint. Because the KEK is stored separately from the DEK and the data, customer data is never shared with Thales, and the KEK is never shared with Google Cloud Platform. Revoking Google Cloud Platform’s access to Thales’ Data Protection on Demand removes Google Cloud Platform’s ability to read any data.
Thales keeps the KEK safely stored within its Luna Hardware Security Module (HSM), primarily co-located with InterXion N.V. in its Frankfurt, Germany, data center, with Rogers Communications in Kanata, Canada, as the backup site for disaster recovery. Although Canada is subject to an Art. 45 Adequacy Decision, in order to better serve its European customers, Thales projects that its disaster recovery site will be moved into Europe in Q4/23 or Q1/24.
Thales runs the management and EKM API services in Google Cloud Platform europe-west3 (primary) and europe-west1 (DR), which are connected to the Luna HSM modules outside Google Cloud Platform. The EKM API services only ever see the DEK, as the encryption and decryption of the DEK happen inside the Luna HSM modules.
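The envelope-encryption flow described above, as an added Go example that is not Acquia’s, Google’s or Thales’ code: each record is encrypted locally under a fresh AES-256 DEK, only the DEK is sent to an external key manager for wrapping under the KEK, and the wrapped DEK is stored next to the ciphertext. The `ExternalKeyManager` type is a hypothetical stand-in for the partner EKM endpoint and its HSM (it never receives customer data, and the KEK never leaves it); `Revoke` models cutting the platform’s access to the EKM, after which stored data can no longer be decrypted even though the platform still holds both ciphertext and wrapped DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrAccessRevoked is returned once the platform's access to the EKM is cut.
var ErrAccessRevoked = errors.New("ekm: platform access revoked")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal encrypts with AES-256-GCM and prefixes the random nonce so the
// output is self-contained; GCM's tag also detects tampering on decrypt.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal, failing if the tag does not verify.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ExternalKeyManager is a hypothetical stand-in for the EKM endpoint backed by
// an HSM: it holds the KEK and only wraps or unwraps DEKs. It never sees
// customer data, and the KEK never leaves it.
type ExternalKeyManager struct {
	kek     []byte
	revoked bool
}

func NewExternalKeyManager() (*ExternalKeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &ExternalKeyManager{kek: kek}, nil
}

func (e *ExternalKeyManager) WrapDEK(dek []byte) ([]byte, error) {
	if e.revoked {
		return nil, ErrAccessRevoked
	}
	return aesGCMSeal(e.kek, dek)
}

func (e *ExternalKeyManager) UnwrapDEK(wrapped []byte) ([]byte, error) {
	if e.revoked {
		return nil, ErrAccessRevoked
	}
	return aesGCMOpen(e.kek, wrapped)
}

// Revoke models the customer cutting the platform's access to the EKM.
func (e *ExternalKeyManager) Revoke() { e.revoked = true }

// Envelope is what the platform stores: ciphertext plus the wrapped DEK.
// Neither is useful without the KEK held by the EKM.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a fresh DEK per record, encrypts the data locally,
// then sends only the DEK to the EKM for wrapping and discards the plain DEK.
func EncryptRecord(ekm *ExternalKeyManager, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := aesGCMSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := ekm.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord asks the EKM to unwrap the stored DEK, then decrypts locally.
func DecryptRecord(ekm *ExternalKeyManager, env *Envelope) ([]byte, error) {
	dek, err := ekm.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, env.Ciphertext)
}

func main() {
	ekm, _ := NewExternalKeyManager()
	env, _ := EncryptRecord(ekm, []byte("constructed customer record")) // sample input
	pt, _ := DecryptRecord(ekm, env)
	fmt.Printf("decrypted: %s\n", pt)
	ekm.Revoke()
	_, err := DecryptRecord(ekm, env)
	fmt.Println("after revocation:", err)
}
```

The design point to notice is the split of trust: the platform side only ever handles DEKs and ciphertext, the key manager only ever handles DEKs and the KEK, so neither party alone can read the data, and one revocation at the key manager cuts off every record at once without touching the stored bytes.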
As a processor, we provide an always-current list of our sub-processors on our website at Acquia Subprocessors. We also provide a Data Processing Agreement for our EEA/UK customers, which is incorporated into our customer agreements.
Note: The vendor for the KEK is subject to change prior to finalization of the data sovereignty program, but in such an event the offering shall not be downgraded.