Security Through Standards
Acquia has a comprehensive compliance portfolio that validates the security of our platform. This compliance portfolio includes a variety of industry-wide audits and certifications that are performed by independent third-party auditors. These audits allow Acquia’s security controls to be independently evaluated on their design and operating effectiveness. The internal controls Acquia has in place to mitigate risks are a testament to our commitment to a high level of security.
SSAE 16/ISAE 3402: Service Organization Control (SOC 1) Type II
Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard used to evaluate the design and operating effectiveness of Acquia’s information technology controls that impact our customers’ own internal controls over financial reporting.
SSAE 16 is an American auditing standard issued by the American Institute of Certified Public Accountants (AICPA). In order to meet the requirements of international accounting standards, Acquia receives an “SSAE 16/ISAE 3402 Combo Report.” The ISAE 3402 report provides coverage to support the financial reporting requirements of international organizations.
About SSAE 16/ISAE 3402: SOC 1
SOC 1 is the de facto standard for technology service providers to demonstrate the successful design and operation of their internal controls. The Acquia Cloud Platform is assessed by an independent auditing firm against a number of organizational security controls covering network security, logical access, change management, backup, system availability and monitoring, and customer support. The SOC 1 Type II report provides our customers with assurance that the Acquia Cloud Platform has general, foundational information technology controls in place.
Service Organization Control (SOC 2) Type II
Acquia’s SOC 2 Report includes an assessment against the Common Criteria principles of Security, Availability, and Confidentiality.
The assessment is performed by an independent auditing firm. Beyond the organizationally defined controls covered in the SOC 1 report, customers gain an additional level of assurance that Acquia meets the requirements specified in the Common Criteria framework.
About SOC 2
In early 2011, the AICPA issued its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy,” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. Acquia’s SOC 2 report covers the Common Criteria Security, Availability and Confidentiality principles.
Payment Card Industry - Data Security Standard (PCI-DSS)
For customers that process, store, or transmit cardholder data, Acquia provides a PCI-DSS compliant hosting platform to ensure the protection of your customers’ cardholder data in accordance with PCI-DSS version 3.0.
Acquia offers a separate PCI-DSS hardened environment in a virtual private cloud (VPC) to protect your cardholder data. PCI-DSS compliance is only applicable to certain subscriptions.
The Payment Card Industry Data Security Standard (PCI-DSS) was developed to encourage and enhance cardholder data security, and to facilitate the broad adoption of consistent data security measures globally. PCI-DSS is a set of security requirements established by the payment brands (AMEX, Visa, MasterCard, etc.) to help ensure security for the storage, processing, or transmission of cardholder data.
Health Insurance Portability and Accountability Act (HIPAA)
The Acquia Cloud Platform meets the requirements of the HIPAA Security Rule and HITECH for electronic Protected Health Information (ePHI).
Acquia validates alignment with each of the requirements of HIPAA and HITECH through an annual third-party audit. With this independent validation, you can be confident that Acquia has controls in place that meet the HIPAA and HITECH requirements to protect ePHI. Acquia offers a separate HIPAA environment in a virtual private cloud (VPC) to protect your patients’ data. HIPAA compliance is only applicable to certain subscriptions.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs. HIPAA was later expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Together, these laws established a set of federal standards intended to protect the security and privacy of Protected Health Information (PHI).
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records.
The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Acquia enables educational institutions to achieve and sustain compliance with FERPA.
EU Data Protection
On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor Framework.
The Safe Harbor was established by the European Commission and the U.S. Department of Commerce in 2000 to facilitate the transfer of personal data from European Union member countries to eligible U.S. companies that certified compliance with the Safe Harbor principles. The Court of Justice determined that the Safe Harbor Framework does not provide a valid legal framework for the transfer of personal data from Europe to the United States, and therefore struck it down.
Acquia is always working to ensure the trust and confidence of our customers in the Acquia Platform and Services. Holding to these principles, Acquia will follow the guidance of the Article 29 Working Party, whose members are representatives of the data protection authorities of the EU Member States and the European Commission, as it relates to data transfers in the wake of the decision of the Court of Justice. We are therefore offering our customers and partners that use our European Data Regions a Data Processing Addendum (DPA) that incorporates the European Commission’s standard contractual clauses relating to data transfers, commonly referred to as the “Model Clauses.” The Model Clauses provide an alternative mechanism, developed by the European Commission, for parties to legally transfer personal data across borders.
Existing customers should contact their account managers with any questions or for additional information. We will continue to support our customers in every way possible.
ISO 27001
Acquia is ISO 27001 certified. ISO/IEC 27001:2013 (ISO 27001) is a globally recognized security standard driven by the implementation of an information security management system (ISMS).
An ISMS is a security framework of policies, procedures and controls that includes administrative, physical and technical safeguards to manage information security risks to internal and customer information.
FedRAMP
The Acquia Cloud Platform is FedRAMP compliant. Acquia received its Authorization to Operate (ATO) from the U.S. Department of the Treasury. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP leverages the National Institute of Standards and Technology (NIST) 800-53 rev 4 framework for security control requirements. There are three information system categorization levels, low, moderate, and high, each of which aligns to a set of requirements within NIST 800-53 rev 4.