Web Governance
Web Governance product privacy notice
Last revision of this Product Notice: [v2.2 – 27 February 2026]
Prior version of this Product Notice: [v2.1 – 5 February 2026]
This Product Notices describes the privacy relevant aspects of the above-mentioned Acquia product/services.
Acquia Web Governance is a Software-as-a-Service (SaaS) platform that comprises various modules or features. Acquia Web Governance enables the (Data) Controller to scan public-facing web pages as well as collect information regarding visitors to such pages. The collection of visitors’ information is only possible when using the Statistics module. As part of the Product, the (Data) Processor reports on web pages’ performance and compliance with rules concerning website governance and accessibility (For example, WCAG 2.1.).
The Services are intended to be used to scan only Customer's public-facing web pages. 1
For details about this Product and its modules or features, refer to the Product guide available at
https://docs.acquia.com/web-governance/web-governance-product-guide.
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
* (n/a = not applicable)
** (optional; depends on the Customer’s configuration of the system, the connection to other systems, and the categories chosen by the Customer to be collected from Third Party Users).
| Categories of Personal Data | Categories of Data Subjects | Purpose of Processing | Categories of Data Recipients | Needed for Core Features | Processing Location | Acquia Inc. acts as Processor |
| Use of the Core Features of the Product: Depending on the configuration of the Web Governance platform and the selected web pages for scanning, the Product will process both personal and non-personal data that is available on the Customers’ web pages. The selection of web pages for scanning is at the discretion of the Customer. The content of the web page will determine the categories that may be processed. These are generally business-related categories, such as individual identifiers of article authors, business contact details for employees, and online identifiers, if such are made available on these web pages. | Through the selection of a web page for scanning, the Customer, at its sole discretion, determines and controls the categories of data processed by the Product, such as the employees of the Customer identified on its web page. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | Yes | Acquia (forWeb Governance) operatesthree cloud serverslocated in Europe,the United States,and Australia for itsglobal customerbase. The data center wherecustomer data isstored correspondsto the geographiclocation of theCustomer. Backupdata is stored withgeoredundancy. |
*** Alternative data centre locations are not supported at this time.
1 For the avoidance of doubt, in no event shall Customer utilize the Services to scan private areas of Customer's websites, such as
those areas that are password protected or contain private information about Customer and/or its users, employees, contractors,
officers, directors, and/or other agents. In the event Customer so utilizes the Services in such a manner, Customer agrees and
acknowledges that Service Provider shall not be held liable for any damages arising from or related to the same, including but not
limited to damages that may arise related to the failure to comply with data protection rules and regulations. Customer shall utilize
the Software to scan only those URLs and domains belonging to Customer and/or for which Customer has a license to operate and
manage the same. In no event shall the Software be used to scan URLs and domains outside of Customer's control or otherwise in
bad faith.
3. Privacy Enhancements
| Objective | Technology / Measure | Data at Rest | Data in Transit |
| Anonymization and Pseudonymization | Data anonymization at Customer level optional for Customer | Yes | Yes |
| Data confidentiality | Access control measures Encryption at Acquia level (see Security Annex and Product Description) | Yes Yes Yes
| Yes Yes Yes
|
| Data integrity | Anti-tampering technology (see Security Annex) | Yes | Yes |
| Data availability including restoring availability, restoring access to personal data, and data resilience | Business continuity and disaster recovery measures (see Security Annex) | Yes | N/A |
| Regular testing, assessing and evaluating of TOMs | Regular security and process reviews (see also Security Annex) | Yes | N/A |
Not applicable. Google Cloud Platform’s certifications can be found here: https://cloud.google.com/compliance.
With the help of Acquia Support, the Customer may manage, update, retrieve, and erase individual Personal Data.
Data shall be processed until overwritten by Data Controller’s use of the services, which typically occurs weekly when automatic
scans are enabled, or until thirty (30) days’ following the termination of the agreement for use of the Acquia Web Governance
Suite. Backups are retained for an additional thirty (30) days with audit logs retained for four hundred (400) days and system logs
retained for thirty (30) days.
The data retention period for raw visitor data from the Statistics module is 3 years. Aggregated reports of visits continue to be
available beyond 3 years, until an account is terminated.
For the Remediation Companion, input data (snippets) and output data (suggestions) are processed transiently to generate the response and are retained only as necessary for audit logs (400 days) unless otherwise configured.
The specific list of sub-processors is available at: www.acquia.com/about-us/legal/subprocessors. Any current Acquia Web Governance customer with a data processing agreement in place with Acquia may subscribe to receive notifications of new or changed sub-processors through the mentioned website.
Data importer has implemented and will maintain appropriate administrative, physical, and technical safeguards for the protection
of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Web Governance Information
Security Overview (https://security.acquia.com/) and, where applicable, the Acquia Security Annex (available from
https://www.acquia.com/about-us/legal/privacy-trust-center) applicable to the specific Services purchased by data exporter, as
updated from time to time, and made available by data importer upon request. The data exporter is wholly responsible for
implementing and maintaining security and data administration within any data exporter applications, configuration settings, or log
settings used by data exporter in conjunction with the Services.
| Yes |
| Clarity API for PDF Compliance Scanning: Depending on the configuration of the Web Governance platform and the selected PDF files for scanning, the Product will process both personal and non-personal data that is available in the scanned PDF. The selection of PDFs for scanning is at the discretion of the Customer. The content of the PDF will determine the categories that may be processed. For example, individual identifiers, contact details, online identifiers, if such are made available in these PDFs. | Through the selection of a PDF for scanning, the Customer, at its sole discretion, determines and controls the categories of data processed by the Product, such as the employees of the Customer identified in the PDF. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | No | The Clarity API is provided by NetCentric Technologies, Inc., which operates two cloud-based data centers located in the United States and Europe for support of Web Governance customers. The data of European customers is stored on the NetCentric's server in Europe, and the data of all other customers is stored on the NetCentric's server in the United States. | Yes |
| Statistics and Script modules/features: If the Statistics module is activated, it will process IP addresses of visitors to the Customer’s web pages. IP addresses will be pseudoanonymized before storage and are therefore not traceable within the Web Governance platform. The data retention period for data from the Statistics module is 3 years. | Through the activation of the Statistics module, the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product, such as visitors to the Customer’s website. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | No | Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | Yes |
| Data Privacy module: If the Data Privacy module is activated and depending on the configuration of the Web Governance platform and the selected web pages for scanning, the Product will process the personal data on those web pages that are selected for scanning is at the Customer’s sole discretion. The content of the web page will determine the categories that may be processed. The Data Privacy module identifies personal data points that may be available on a Customer’s web pages so that the Customer can determine if such personal data has been placed online in conformity with the basis for publication and processing that it has established with the affected data subjects. | Through the selection of a web page for scanning (see also “Categories of Personal Data” to the left), the Customer in its sole discretion determines and controls the categories of data subjects processed by the Product. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | Yes | Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | Yes |
| Consent Manager module: If the Consent Manager module is activated, it will process IP addresses of visitors to the Customer’s web pages. IP addresses will be pseudoanonymized before storage and are therefore not traceable within the Web Governance platform. | Through the activation of the Consent Manager module, the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product, such as visitors to the Customer’s website. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | No | Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | Yes |
| Administration of the Product by Customer: Individual identifiers and contact details of Customer’s admins | Customer admins | Access to the Service’s configuration and management console | Customer admins | Yes | Identifiers are stored in Belgium | Yes |
Remediation Companion (Browser Extension) If the Remediation Companion is activated via the browser extension and depending on the specific web pages selected for remediation, the Product will process the data on those web pages that are selected for analysis at the Customer’s sole discretion. The content of the web page will determine the categories that may be processed. The Remediation Companion uses generative AI to provide suggestions to the most important accessibility errors so that the Customer can determine the appropriate remediation to ensure content is inclusive and compliant. | Through the activation of the Remediation Companion within the Browser Extension, the Customer, at its sole discretion, determines which pages are analyzed. The Customer is responsible for ensuring the extension is not activated on pages containing sensitive personal data (PII) that the Customer does not wish to be processed by the AI service. | When activated by a user, the Product processes HTML snippets, website content, and accessibility metadata from the active browser tab to provide generative AI-driven suggestions to resolve web accessibility errors. | Administrators and other users authorized by Customer to access the Product. | No | Acquia (for Optimize) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | No |
If this content did not answer your questions, try searching or contacting our support team for further assistance.
| Yes |
| Clarity API for PDF Compliance Scanning: Depending on the configuration of the Web Governance platform and the selected PDF files for scanning, the Product will process both personal and non-personal data that is available in the scanned PDF. The selection of PDFs for scanning is at the discretion of the Customer. The content of the PDF will determine the categories that may be processed. For example, individual identifiers, contact details, online identifiers, if such are made available in these PDFs. | Through the selection of a PDF for scanning, the Customer, at its sole discretion, determines and controls the categories of data processed by the Product, such as the employees of the Customer identified in the PDF. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | No | The Clarity API is provided by NetCentric Technologies, Inc., which operates two cloud-based data centers located in the United States and Europe for support of Web Governance customers. The data of European customers is stored on the NetCentric's server in Europe, and the data of all other customers is stored on the NetCentric's server in the United States. | Yes |
| Statistics and Script modules/features: If the Statistics module is activated, it will process IP addresses of visitors to the Customer’s web pages. IP addresses will be pseudoanonymized before storage and are therefore not traceable within the Web Governance platform. The data retention period for data from the Statistics module is 3 years. | Through the activation of the Statistics module, the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product, such as visitors to the Customer’s website. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | No | Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | Yes |
| Data Privacy module: If the Data Privacy module is activated and depending on the configuration of the Web Governance platform and the selected web pages for scanning, the Product will process the personal data on those web pages that are selected for scanning is at the Customer’s sole discretion. The content of the web page will determine the categories that may be processed. The Data Privacy module identifies personal data points that may be available on a Customer’s web pages so that the Customer can determine if such personal data has been placed online in conformity with the basis for publication and processing that it has established with the affected data subjects. | Through the selection of a web page for scanning (see also “Categories of Personal Data” to the left), the Customer in its sole discretion determines and controls the categories of data subjects processed by the Product. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | Yes | Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | Yes |
| Consent Manager module: If the Consent Manager module is activated, it will process IP addresses of visitors to the Customer’s web pages. IP addresses will be pseudoanonymized before storage and are therefore not traceable within the Web Governance platform. | Through the activation of the Consent Manager module, the Customer, at its sole discretion, determines and controls the categories of data subjects processed by the Product, such as visitors to the Customer’s website. | Provision of the Services by Acquia to Customer | Administrators and other users authorized by Customer to access the Product | No | Acquia (for Web Governance) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | Yes |
| Administration of the Product by Customer: Individual identifiers and contact details of Customer’s admins | Customer admins | Access to the Service’s configuration and management console | Customer admins | Yes | Identifiers are stored in Belgium | Yes |
Remediation Companion (Browser Extension) If the Remediation Companion is activated via the browser extension and depending on the specific web pages selected for remediation, the Product will process the data on those web pages that are selected for analysis at the Customer’s sole discretion. The content of the web page will determine the categories that may be processed. The Remediation Companion uses generative AI to provide suggestions to the most important accessibility errors so that the Customer can determine the appropriate remediation to ensure content is inclusive and compliant. | Through the activation of the Remediation Companion within the Browser Extension, the Customer, at its sole discretion, determines which pages are analyzed. The Customer is responsible for ensuring the extension is not activated on pages containing sensitive personal data (PII) that the Customer does not wish to be processed by the AI service. | When activated by a user, the Product processes HTML snippets, website content, and accessibility metadata from the active browser tab to provide generative AI-driven suggestions to resolve web accessibility errors. | Administrators and other users authorized by Customer to access the Product. | No | Acquia (for Optimize) operates three cloud servers located in Europe, the United States, and Australia for its global customer base. The data center where customer data is stored corresponds to the geographic location of the Customer. Backup data is stored with geo-redundancy. | No |
If this content did not answer your questions, try searching or contacting our support team for further assistance.
Web Governance