Security Compliance


Security Through Standards

Acquia Compliance

Acquia maintains a comprehensive compliance portfolio that validates the security of our platform. It includes a variety of industry-wide audits and certifications performed by independent third-party auditors. These audits allow Acquia’s security controls to be independently evaluated for both their design and their operating effectiveness. The internal controls Acquia has in place to mitigate risk are a testament to our commitment to a high level of security.


SSAE16/ISAE 3402: Service Organization Control (SOC 1) Type II

Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard used to evaluate the design and operating effectiveness of Acquia’s information technology controls that affect our customers’ own internal controls over financial reporting.

SSAE 16 is an American attestation standard issued by the American Institute of Certified Public Accountants (AICPA). To also meet the requirements of international accounting standards, Acquia receives a combined “SSAE 16/ISAE 3402” report. The ISAE 3402 portion provides the coverage that international organizations need to support their own financial reporting requirements.

About SSAE16/ISAE3402: SOC 1

SOC 1 is the de facto standard for technology service providers to demonstrate the successful design and operation of their internal controls. The Acquia Cloud Platform is assessed by an independent auditing firm against a set of organizational security controls covering network security, logical access, change management, backup, system availability and monitoring, and customer support. A Type II report covers operating effectiveness over a review period, not just control design at a point in time, so the SOC 1 Type II report gives our customers assurance that the Acquia Cloud Platform has general, foundational information technology controls in place and operating.

Service Organization Control (SOC 2) Type II

Acquia’s SOC 2 Report includes an assessment against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality.

The assessment is performed by an independent auditing firm. It gives customers a level of assurance beyond the organizationally defined controls covered by SOC 1 reporting: that Acquia meets the requirements specified in the Trust Services Criteria for the categories in scope.

About SOC 2
In early 2011, the AICPA issued its Service Organization Control (SOC) reporting framework. The purpose of this framework is to distinguish between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy,” is designed to meet a broad set of reporting needs about the controls at a service organization, in the form of a CPA firm’s independent attestation report. Acquia's SOC 2 report covers the Security, Availability, and Confidentiality categories of the Trust Services Criteria.

Payment Card Industry - Data Security Standard (PCI-DSS)

For customers that process, store, or transmit cardholder data, Acquia provides a hosting platform assessed against PCI-DSS version 3.2 to support the protection of your customers' cardholder data.

Acquia offers a separate PCI-DSS hardened environment in a virtual private cloud (VPC) to protect your cardholder data. PCI-DSS compliance is only applicable to certain subscriptions. As with any PCI-DSS service provider, the platform's assessment covers the controls Acquia operates; the controls within your own application and the scope of your cardholder data environment remain your responsibility.

The Payment Card Industry Data Security Standard (PCI-DSS) was developed to encourage and enhance cardholder data security, and to facilitate the broad adoption of consistent data security measures globally. PCI-DSS is a set of security requirements maintained by the PCI Security Standards Council, which was founded by the major payment brands (American Express, Discover, JCB, MasterCard, and Visa), to help ensure the security of cardholder data wherever it is stored, processed, or transmitted.

Health Insurance Portability and Accountability Act (HIPAA)

The Acquia Cloud Platform meets the requirements of the HIPAA Security Rule and HITECH for electronic Protected Health Information (ePHI).

Acquia validates alignment with each of the requirements of HIPAA and HITECH through an annual third-party audit. With this independent validation, you can be confident that Acquia has controls in place that meet the HIPAA and HITECH requirements to protect ePHI. Acquia offers a separate HIPAA environment in a virtual private cloud (VPC) to protect your patients' data. HIPAA compliance is only applicable to certain subscriptions.

About HIPAA:
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goals of the law are to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs. HIPAA was later expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Together, these laws established a set of federal standards intended to protect the security and privacy of Protected Health Information (PHI).


Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records.

The law applies to all schools that receive funds under an applicable program of the US Department of Education. Acquia supports educational institutions in achieving and sustaining compliance with FERPA.

ISO 27001

Acquia is ISO 27001 certified. ISO/IEC 27001:2013 (ISO 27001) is a globally recognized security standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

An ISMS is a security framework of policies, procedures, and controls, including administrative, physical, and technical safeguards, for managing information security risks to internal and customer information.


FedRAMP

The Acquia Cloud Platform is FedRAMP authorized; details of the authorization and the authorizing agencies can be viewed in the FedRAMP Marketplace.

FedRAMP draws its security control requirements from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4. Systems are categorized at one of three impact levels (low, moderate, or high, following FIPS 199), and each level maps to a FedRAMP baseline, a defined set of NIST 800-53 Rev. 4 controls that the system must implement.