Acquia Trust Center

The Acquia Cloud PCI DSS Attestation of Compliance is now available for review. For clients who procure the Acquia Cloud PCI Compliant Hosting, find the 2025 AOC available on the document tile "PCI DSS". If you have any questions, please reach out to your designated account manager!

Acquia has undertaken an evaluation of impact due to the recent CVSS9.8 severity vulnerability, CVE-2025-24813, in Apache Tomcat. At this point in our investigation, Acquia can confirm that Acquia services are not affected by this vulnerability. We will continue our investigation and remediate as necessary in accordance with Acquia remediation standards. As always, we continue to monitor for new threats facing our services and will act accordingly.

Acquia is pleased to announce the release of the 2024 SOC1 Type 2 and SOC2 Type 2 reports, covering January 1, 2024 through December 31, 2024. These reports are now available on our Trust Center and confirm our commitment to the highest standards of security, confidentiality and availability. The audit scope for this cycle included Acquia Cloud (Classic & Next with supporting services), Acquia Customer Data Platform, Acquia Campaign Studio/Factory, Acquia Personalization, and Acquia DAM.

We're excited to announce that this year's scope expansion includes Acquia DAM, marking a significant milestone in our continued growth and innovation. This addition further reinforces our commitment to delivering comprehensive, cutting-edge, secure solutions that meet the evolving needs of our customers.

Acquia Optimize, Monsido, is not included but will follow a similar roadmap as to the acquisition of Acquia DAM (via Widen Enterprises), so stay tuned!

In alignment with Acquia's Digital Experience Platform vision, Acquia is formally releasing today the 2024 ISO27001 and CSA STAR Certificates and associated supporting Statement of Applicability. With the 2024 recertification, we have terminated the Acquia DAM (Widen) ISO27001 Certificate in favor of one ISMS and one certificate.

To demonstrate the Company’s dedication to information security, Acquia implemented an Information Security Management System (ISMS) to conform to the requirements of ISO/IEC 27001:2022 (ISO 27001). A-LIGN Compliance and Security, Inc. (A-LIGN) was engaged by Acquia to perform the recertification audit to validate conformity and certify the Company’s ISMS against the ISO 27001:2022 and CSA CCM v4.0.3 standards.

The scope of the 2024 certification included the comprehensive Digital Experience Platform (DXP) which includes the Acquia Cloud Enterprise (ACE) & Site Factory (ACSF) services, Digital Asset Management (DAM), Customer Data Platform (CDP) and Campaign Studio/Factory (CS/CF) solutions.

Notice: Security exploit discovered with 3rd party service polyfill[.]io

Acquia has been made aware that a common third party service, polyfill[.]io, has known security vulnerabilities which may impact applications using this project. Further information regarding this vulnerability can be found on drupal.org: 3rd Party Libraries and Supply Chains - PSA-2024-06-26. The potential impact of this exploit includes but is not limited to the popular module: Drupal Webform module. A list of projects currently known to be impacted can be found here.

Due to our shared responsibility model Acquia is unable to mitigate this security vulnerability for impacted customer applications. Acquia’s recommendation for remediation can be found in this knowledge base article. For most customers this means updating impacted modules to a secure version, applying a patch to remediate the vulnerability, or removing impacted modules. We highly recommend that customers check their application(s) and take any necessary steps for remediation in order to ensure their application(s) remain secure.

If you have any questions or concerns regarding the polyfill[.]io library, please contact Acquia Support by logging in to accounts.acquia.com and visiting the Acquia Help Center.