Information Assurance
Acquia is dedicated to meeting the stringent security, availability, and compliance requirements of our customers who depend on us to serve their mission critical websites in Acquia Cloud.
We have produced this Security and Compliance Documentation Package to assist developers, security professionals, risk managers, and IT teams with their due diligence of the Acquia Cloud platform.
This package includes our documentation about how we address security in our architecture and our processes, our independent auditors’ SOC 1 Type 2 attestations, and our compliance with well-recognized industry standards such as the Cloud Security Alliance STAR.
At Acquia, we are dedicated to providing the world’s most dependable Drupal hosting and support platform.
Compliance with Standards and Regulations
Compliance and regulatory concerns are often voiced when it comes to cloud computing, and many of the applications organizations would like to deploy to the cloud are governed by some form of regulatory standard. If you require additional information regarding your particular regulatory requirements, please contact Acquia. The following sections describe Acquia’s compliance with standards and regulations, both governmental and non-governmental.
Payment Card Industry (PCI), Data Security Standard (DSS)
As of April 1st, 2014, Acquia has officially been validated as complying with standards applicable to a Level 1 service provider under PCI - DSS Version 2.0.
FISMA
Acquia was granted a FISMA Authorization to Operate (ATO) at the Moderate level for one of our federal customers hosted in Acquia Cloud in July, 2012.
DoD
The DoD Information Assurance Certification and Accreditation Process (DIACAP) provides the accreditation framework to support security best practices for systems managed by DoD-related federal agencies. Acquia has created a DIACAP package (at MAC II Sensitive level) for one of our federal DoD customers hosted in Acquia Cloud Enterprise and is ready to work with other DoD agencies to obtain DIACAP authorization. Acquia Cloud is built on Amazon Web Services, which has obtained an IATO at MAC III Sensitive.
STAR
The Cloud Security Alliance Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Acquia has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in our PaaS offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.
ISO 27001
ISO 27001 is an international standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. The Amazon Web Services infrastructure, with specific focus on Amazon’s Information Security Management System, has been accredited with meeting the ISO 27001 standard by an independent third party.
For more on Amazon Web Services compliance with the ISO 27001 standard please see http://aws.amazon.com/security/iso-27001-certification-faqs/.
Safe Harbor
Safe Harbor is a certification program run by the U.S. Department of Commerce that aims to harmonize data privacy practices between the U.S. and the stricter privacy regulations of the European Union. Acquia is registered with the Safe Harbor program as of February 7, 2012. Acquia’s certification with Safe Harbor can be found at http://safeharbor.export.gov/companyinfo.aspx?id=17472.
Privacy
Acquia abides by all privacy laws and regulations that are applicable to our hosting services and to our customers that host sites containing personal information on Acquia Cloud. Acquia personnel have logical access to customer data stored in customer sites only if they are authorized and have a need for access due to their job function. Neither Amazon nor any other third party employed by Acquia has logical access to customer data housed in customer sites hosted on Acquia Cloud. Acquia does not transfer customer data hosted on Acquia Cloud outside of Acquia Cloud or to any third party without customer authorization.
Customers must ensure privacy concerns and regulations are addressed and adhered to at the Application layer where customer personnel may have logical access to personal information uploaded or stored in customer sites.
Acquia’s Privacy Policy describes how Acquia handles any personal information gathered from visitors to our website at acquia.com and from users of Acquia’s software and services.
For additional information regarding Acquia’s security policies, please refer to the Security and Compliance Document that is listed under ‘Supporting Information’.
Secure Drupal Hosting in Acquia Cloud
Acquia Cloud is built to ensure Drupal sites are hosted securely in accordance with best practices to prevent common vectors of attack. Major points include:
• The process owners of both the web server and the PHP server do not have write access to the web root. The PHP server can write only to a specific set of directories: [web root]/files and [web root]/sites/[sitename]/files, or the corresponding private files directories. These directories are writable by nature because they are intended to receive file uploads from end users.
• Files in the web root (Drupal core, its modules, etc.) are written by an automated process and pulled only from a version control system (SVN or Git).
Even customer users logged in to the OS layer on a web server do not have write access
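The write-access rule above can be checked on any Drupal docroot. The following is an added example, not Acquia's tooling: it walks a web root and reports every path a given process identity could write to outside the upload directories. The function names, the sample tree and the uid are constructed; only the two public upload paths named above are modelled, and only POSIX mode bits are examined (ACLs are not).

```python
import os
import stat
import tempfile


def is_upload_dir(rel_path):
    """Directories the text says are writable by design: files, sites/<site>/files."""
    parts = rel_path.split(os.sep)
    return parts == ["files"] or (
        len(parts) == 3 and parts[0] == "sites" and parts[2] == "files")


def grants_write(st, uid, gids):
    """Classic POSIX check: owner bits, else group bits, else other bits (no ACLs)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_web_root(web_root, uid, gids):
    """Return paths (relative to web_root) the given process identity could write."""
    findings = []
    if grants_write(os.lstat(web_root), uid, gids):
        findings.append(".")
    for current, dirnames, filenames in os.walk(web_root):
        for name in list(dirnames) + filenames:
            full = os.path.join(current, name)
            rel = os.path.relpath(full, web_root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # link mode bits are meaningless; os.walk does not follow
            if stat.S_ISDIR(st.st_mode) and is_upload_dir(rel):
                dirnames.remove(name)  # upload area: skip it and everything below
                continue
            if grants_write(st, uid, gids):
                findings.append(rel)
    return sorted(findings)


def demo():
    """Audit a constructed docroot owned by a deploy user, as a different PHP uid."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # constructed sample tree: relative path -> file mode
            "index.php": 0o644,
            "modules/node/node.module": 0o644,
            "sites/default/settings.php": 0o666,  # misconfigured: world-writable
            "sites/default/files/upload.png": 0o666,
            "files/tmp.txt": 0o666,
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)
        for current, dirnames, _ in os.walk(root):
            for d in dirnames:
                os.chmod(os.path.join(current, d), 0o755)
        os.chmod(root, 0o755)
        for rel in ("files", "sites/default/files"):
            os.chmod(os.path.join(root, rel), 0o777)
        php_uid = os.getuid() + 1  # constructed: any uid other than the file owner
        return audit_web_root(root, php_uid, set())


if __name__ == "__main__":
    print(demo())
```

On a real server, pass the uid and supplementary group ids of the PHP process owner; an empty result means the code tree matches the rule.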
Off Boarding
The customer has the right to exit any subscription following the minimum 12-month term.
Access to your customer specific data on termination can be arranged on request.
Full Termination T&Cs are detailed in the MSA that is included in the Supporting Information section.
High Availability Architecture
Acquia Cloud Enterprise is designed for high availability, with guaranteed 99.95% uptime. The following describes how Acquia delivers Acquia Cloud Enterprise's high availability.
Acquia Cloud is built on Amazon Web Services (AWS) infrastructure, which is physically remote from Acquia offices. The AWS environment consists of major regions and Availability Zones.
Acquia Cloud customers may choose the geographic region for their site's location. Acquia Cloud currently supports the US (East, West), EU (Ireland), Australia, and Asia (Singapore) regions.
Each region contains multiple Availability Zones. AWS Availability Zones are separate yet interconnected data centers within the major regions. Acquia Cloud Enterprise offers high availability by using multiple AWS Availability Zones in one AWS region with redundant servers serving each layer of the technology stack. The following are the three main components of a Drupal site hosted by Acquia Cloud Enterprise:
• Reverse proxy caching and load balancing servers (nginx and Varnish)
• Web servers (Apache with PHP and Drupal code)
• Database servers (Percona (MySQL))
At the Internet-facing tier, a software-based load balancer is deployed with a hot standby in a different availability zone in the same region. The load balancer distributes load across multiple web servers, which are also distributed across multiple availability zones. Acquia's expert operations team adds web servers to the resource pool as needed. The load balancer continuously monitors the web servers, and if a server becomes unavailable, it removes it from the pool of hosts serving the site. Web servers use a shared network file system (GlusterFS) so that all files are kept in sync and redundant to each other.
At the database layer, a scalable database cluster serves the site with active and passive database servers in multiple availability zones. The active master database server continuously updates the passive master database using MySQL replication. In the event of a failure of the master database, the passive database becomes primary through a DNS-based failover.
It is Acquia’s policy to restore customer services in the event of a major disaster in the best time frames. If the services in the current zone or region were severely impacted, Acquia would do its best to restore services in an alternate Availability Zone or region.
Disaster Recovery – Multi-region replication
Optionally, for customers with very high availability requirements, Acquia offers Acquia Cloud Enterprise customer environments with hot standby sites in an alternate region, thus providing live failover capabilities for disaster recovery.
Backups
Acquia maintains a comprehensive backup solution that includes website code, static files, and databases. Integrated backup facilities use Amazon’s Elastic Block Store (EBS) and Simple Storage Service (S3).
Automatic snapshots for disaster recovery
Acquia Cloud takes hourly snapshots of the passive master database, file system, and code repository. These snapshots are programmatically stored in Amazon S3 buckets (Amazon's highly available cloud storage) and used to restore a site in the case of multiple disk failure or total data center loss. Backup data stored in Amazon S3 is maintained in the same region (US-East, US-West, EU, etc.) where the production site is located. Amazon S3 repositories are distributed amongst multiple Availability Zones (data centers) and multiple devices within each Availability Zone for redundancy.
Acquia Cloud retains the following:
• Monthly snapshots that are retained for three months
Acquia does not provide customer access to these snapshots and will not use these snapshots to restore sites due to either data loss or deletion by customers.
Customer on-demand backups
Customers have full server access to implement their own on-demand backups of code, files, and database content. To assist, Acquia provides the previous three days' database backups (dumps of the MySQL database) to Acquia Cloud customers via the Acquia Network management site.
Additionally, customers may make on-demand backups of any database at any time on the Workflow tab of the Acquia Cloud UI, or through SSH/SCP. Acquia Cloud keeps your on-demand backups until you delete them. Your backup copies count against the storage space of your account. Customers may download database backups and restore a previous backup on the Backups tab of the Acquia Cloud UI.
At the Drupal code layer, customers can manage and deploy their customer-developed code using Acquia’s version control (SVN or Git) code repository service. These services allow for rollback and redeployment of Drupal code, effectively backing up the site's code.
Service Management
Under Elite Network Subscription the Customer has a dedicated Technical Account Manager who will schedule Quarterly onsite review meetings with the customer.
Please refer to the Acquia Elite Support Subscription listing on Cloud Store for Subscription overview.
Service Levels
Response time SLAs are detailed earlier in this document. However, Clients have the ability to open a number of different types of tickets with Acquia:
Ticket Type | Description | Limitation
Drupal Application Support | Diagnostic support of the Client’s Drupal applications | Some subscriptions limit the number of Drupal Application Support tickets that can be submitted over the term of the agreement. If additional tickets are required, Acquia allows Clients to extend the subscription.
Infrastructure Support | Diagnostic, change request, and break/fix tickets related to Acquia’s hosted infrastructure | Applies only to Acquia Cloud hosting services
Advisory Support | Request for Client Advisory sessions. | Total Advisory hours provided are limited per subscription, but tickets are not limited
Remote Administration | Client files a request for a Remote Administration activity | For Clients with the Remote Administration service option. Remote Administration hours provided are limited per subscription, but tickets are not limited
Maintenance | Client requests an application maintenance task | For Clients with the Maintenance service option. Limited by hours per the Client’s agreement.
Under Elite Network Subscription the Customer has a dedicated Technical Account Manager who will own any tickets raised on Acquia. In addition the customer will receive a monthly report detailing tickets raised and performance SLA.
Severity Definitions
In general Acquia Service Level Agreements refer to 4 categories of ‘Urgency’ that need to be highlighted when a customer raises a support ticket. Please see the Problem Definition Categories below.
Acquia will respond to the submitted ticket based on the urgency indicated by the Client at the time of ticket/issue submission.
Urgency | Description
Critical | Client’s production system is inoperative; or Client’s business operations or productivity are severely impacted with no available workaround; or the issue is a critical security issue. Critical issues are eligible for 24x7 support for certain Acquia subscriptions.
High | Client’s production system is operating but issue is causing significant disruption of Client’s business operations; workaround is inadequate.
Medium | Client’s system is operating and issue’s impact on the Client’s business operations is moderate to low; a workaround or alternative is available.
Low | Issue is a minor inconvenience and does not impact business operations in any significant way; issues with little or no time sensitivity.
Availability
Clients with Elite, Enterprise and Professional Plus subscriptions are entitled to 24x7x365 support for Critical issues. Acquia operates a ‘follow the sun’ support model from offices in our key regions – EMEA/APAC/N.America.
Platform Availability - Under Acquia Enterprise Cloud, Acquia offers a guaranteed 99.95% uptime SLA.
Support Hours
Standard hours of operation for Acquia Support are as follows:
Region | Hours | Phone Number(s)
Americas | 8am - 8pm Eastern Time, Monday-Friday* | +1-888-922-7842 or +1-978-296-5250
Europe | 8am - 6pm Central Europe Time, Monday-Friday* | +44-1865-520-011
Asia-Pacific and Japan | 8am - 6pm AEST, Monday-Friday* | +61-284-168-021
* Coverage for major holidays is limited to Critical issues only.
Financial recompense model for not meeting service levels
During the Term, subject to the terms and conditions below, Acquia will use commercially reasonable efforts to make Client’s production Website(s) available for 99.95% of the time in any calendar month. Unavailability means that Acquia’s web hosting service or the Site Factory Platform is unresponsive or responds with an error.
Availability will be calculated per calendar month, as follows:
Where:
• total means the total number of minutes for the calendar month
• nonexcluded means downtime/unavailability that is not excluded
• excluded means the following:
o Any outages caused by a Force Majeure Event, network intrusions or denial of service attacks.
o Any outages that result from any actions or inactions of Client or any third parties engaged by Client.
o Any outages caused by programming errors in Client’s Website(s), programming bugs in the third-party extensions/modules made available through the Acquia Network or the Site Factory Platform, Drupal Modules with Site Factory PaaS Tier, missing Client Content, errors caused by Client code or Drupal configuration errors, or usage capacity in excess of the Client purchased amount.
o Any outages lasting less than 1 minute but no more than 3 such outages in a 24 hour period.
o Any outages related to emergency maintenance to Client’s Website(s) (e.g., to install security fixes).
o Any outages resulting from scheduled maintenance (typically 11pm to 7am at the datacenter location identified on Client’s Order), if Acquia notified Client 48 hours prior to the commencement of the maintenance work (there will be no more than two (2) hours of scheduled maintenance downtime per calendar year).
o Unavailability that relates to any malware, viruses, Trojan horses, spyware, worms or other malicious or harmful code in the Website that (i) was not introduced by Acquia or (ii) was not introduced as a result of Acquia’s failure to perform the Services in compliance with the standard included herein or in the Master Services Agreement.
o Acts or omissions caused by Client’s CDN.
In addition, unavailability of some specific features or functions within the Website while other features remain available will not constitute unavailability of the Website, so long as the unavailable features or functions are not, in the aggregate, material to the Website.
Should Acquia fail to meet 99.95% general availability of the Website for a calendar month, for each one-half hour of unavailability Client will receive a one day extension of their subscription.
To properly claim an extension, Client must inform Acquia within fifteen (15) days of the purported
(including the underlying code) where, despite reasonable notification from Acquia that such flaws are adversely impacting availability, Client fails to correct such flaws, then Acquia may terminate the applicable Order upon 30 days written notice to Client.
The subscription extensions and termination rights set forth above will constitute Client’s sole and exclusive remedy and Acquia’s sole and exclusive liability for any failure to maintain the availability of the Website(s).
In the event of any outages described above, Acquia will use commercially reasonable efforts to minimize any disruption, inaccessibility and/or inoperability of the Website in connection with outages, whether scheduled or not. Such efforts will include hosting instances in another Availability Zone if available.
Out-of-Scope Applications
Applications listed below are not supported by Acquia. This list is not fully inclusive, but is meant to be representative. Please note that Clients may choose to install/implement these applications in their environment as part of their comprehensive solution. Acquia will not troubleshoot these or other installed and non-supported applications and reserves the right to ask Clients to disable these applications if they are preventing troubleshooting efforts. If the application is hosted on an Acquia platform, Acquia reserves the right to disable the application as part of diagnostic and recovery operations.
The following are considered out-of-scope for Acquia’s support offering:
• CiviCRM
• Disqus
• Magento
• Moodle
• phpBB
• phpMyAdmin
• piwik
• Shibboleth
• vBulletin
• Applications that require compiled standalone libraries (not php extensions)
• Custom (non-Drupal) modules constantly running ingestion scripts and/or search indexing scripts
• Version control applications that are not Git or SVN
• WordPress
The following applications are not supported and cannot be installed on the Acquia Cloud:
• Aegir
• Custom daemons or services, such as Jabber or Microsoft Exchange
• Java applications
• Hudson / Jenkins
• MongoDB
• node.js
• Perl/Python/Ruby scripts that require additional libraries
• Redis
these features, please review this with the Acquia Client Support or Acquia Client Onboarding teams prior to launching your site or deploying updated code.
Maintenance Windows
Acquia does not have predefined maintenance windows but provides customers with notification prior to any systems maintenance that is likely to impact a customer's environment or service.
Maintenance typically occurs between 11pm and 7am at the datacenter location identified on Client’s Order (there will be no more than two (2) hours of scheduled maintenance downtime per calendar year).
Customisation Permitted
Acquia supports the following applications and versions for self-hosted and Acquia Cloud customers, as listed below:
Application: Drupal
Component: Drupal Core
Versions Supported: 6.x and above
Support Scope: Unmodified core, major drupal.org distributions, and the Pressflow 6.x fork are supported
Subscription Information:
• Elite
• Enterprise
• Pro Plus
• Professional
Application: Drupal
Support Scope: Acquia provides diagnostic services for troubleshooting contributed modules. If a bug/issue is discovered in a contributed module, Acquia will submit an issue to the drupal.org module issue queue on the Client's behalf. Acquia may choose to address the issue directly if the solution is simple (can be addressed in 1 hour or less), and in those cases Acquia may submit a patch, too. The module maintainer controls whether the patch is accepted and included in a subsequent release, or not. If the maintainer chooses not to include it in a release, then the Client is solely responsible for the module's maintenance and the merging of any security update changes. Support for modules that are not marked as recommended or are in a beta/development state is limited to basic diagnostics only. Acquia does not "finish" modules, code new features, or fix major bugs. Acquia can help diagnose issues with theme output, but may not be able to assist with troubleshooting or fixing browser rendering issues.
Subscription Information:
• Elite
• Enterprise
• Pro Plus
• Pro Plus