Welcome to Acquia's Security Portal; notice we have three portals via the dropdown above. Please select the portal you are interested in.
Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.
This portal is for our Acquia Cloud Platform and supporting products like Acquia Cloud (Source, Enterprise, Site Factory), Acquia Search, Email, Code Studio, Web Governance and Site Studio offerings.
Materials are only released based on active or pending subscription entitlements. If you believe you should have access to something, please send us a message.
2025 SOC Reports Release
Acquia is pleased to announce the release of the 2025 SOC1 Type 2 and SOC2 Type 2 reports, covering January 1, 2025 through December 31, 2025. These reports are now available on our Trust Center and confirm our commitment to the highest standards of security, confidentiality and availability. The audit scope for this cycle included Acquia Cloud (Classic & Next with supporting services), Acquia Customer Data Platform, Acquia Campaign Studio/Factory and Acquia DAM.
Acquia Web Governance, formerly known as Optimize or Monsido, is not included but will follow a roadmap similar to that of the acquisition of Acquia DAM (via Widen Enterprises). Effective 12-31-2025, Acquia Web Governance is officially on Acquia policy and procedure and will be operating on the company controls for the full calendar year audit period, to be included in the 2026 Audit Cycle assessment.
If your access has expired, please request an extension and our team will review and renew that promptly.
React2Shell
Acquia is aware of the React2Shell vulnerability and has not detected any public exposures to React2Shell at this time, but investigation is still underway. We were able to identify potential exposures on internal, non-public facing tools and immediately executed remediations. As this is an externally facing attack, we encourage all Acquia customers to review their implementations and take appropriate remediation actions.
Gainsight/Salesforce API Security Activity
Acquia has evaluated the RCAs published publicly and reviewed privately shared materials. At this time we are closing this event with plans underway to restore connectivity in a secure manner between Gainsight and Salesforce.
Acquia continues to monitor the guidance published by various entities associated with this event including Gainsight, Salesforce and Snowflake. At this time, Acquia has concluded its investigation and determined that no malicious activity occurred associated with the Gainsight services leveraged by Acquia. Gainsight services continue to be disconnected from all integration points including Salesforce and Snowflake.
Acquia is keeping the event open internally while we await a final incident report and RCA from Gainsight. A restoration plan is being developed to restore services and all integrations that were in place.
We appreciate those that have reached out with questions and will keep the mailbox open through the end of the year if any other questions do come up.
At Acquia we take great responsibility in protecting your data. We are aware of the Gainsight OAuth token compromise. Gainsight is one of the technologies we use to enhance customer experience.
Immediately after the breach was made public, we initiated an investigation and procedures to prevent any further potential compromise. We revoked all connections to other Acquia systems in an effort to isolate the Gainsight incident. Acquia confirmed, shortly before being notified by Salesforce, that a single log entry was associated with the published IOCs. At this point, we are aware of this being associated only with reconnaissance.
Please be assured that Acquia takes these incidents very seriously and we will continue to investigate any potential impact on customer data. At this time, we do not see that any data has been breached. We will publish future updates here. You can also email any inquiries to gainsightinquiries@acquia.com, which will be monitored until this incident is closed.
Shai-Hulud 2.0
Acquia is aware of the current Shai-Hulud 2.0 supply chain attack. Acquia is monitoring the threat and investigating any recommended mitigations to our development pipelines. At this time, no identified impacts have been observed.
Acquia clients can review the Wiz Security article which details mitigations and detections that can be leveraged to monitor client development pipelines.
2025 ISO27001 + CSA STAR Surveillance
In alignment with Acquia's Digital Experience Platform (DXP) vision, Acquia is formally releasing the 2025 ISO27001 and CSA STAR Certificates and associated supporting Statement of Applicability today. This concludes the 2025 Surveillance Assessment process.
For the first time, Acquia Web Governance (formerly Optimize or Monsido) has been assessed against the ISO27001 and CSA frameworks and is now included within the ISMS. This demonstrates Acquia's commitment to delivering an enterprise-grade solution for Web Governance—one that provides marketers with automated tools for quality, accessibility, and compliance validation—through a clear compliance roadmap.
The scope of the Acquia Information Security Management System (ISMS) includes the full Acquia DXP, with the exception of OEM services (Search powered by SearchStax, SEO powered by Conductor, Convert powered by VWO, Edge powered by Cloudflare/Akamai/Fastly).












