Acquia Trust Center

Start your security review
View & download sensitive information
Ask for information
Search items
ControlK

Welcome to Acquia's Security Portal; notice we have three portals via the dropdown above. Please select the portal you are interested in.

Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.

This portal is for our Acquia Cloud Platform and supporting products like Search, Email, Code Studio, Edge and Site Studio offerings.

Start your security review
View & download sensitive information
Ask for information
Johnson & Johnson-company-logoJohnson & Johnson
Internal Revenue Service-company-logoInternal Revenue Service
Bayer-company-logoBayer
Conagra Brands-company-logoConagra Brands
Blue Cross Blue Shield Association-company-logoBlue Cross Blue Shield Association
Novartis-company-logoNovartis
Shake Shack-company-logoShake Shack
Pegasystems-company-logoPegasystems
Novavax-company-logoNovavax
City of Los Angeles-company-logoCity of Los Angeles
Fannie Mae-company-logoFannie Mae
Charles Schwab-company-logoCharles Schwab
Financials

Knowledge Base

Acquia Trust Center Updates

Acquia Cloud Customer Notice: Polyfill.io

GeneralCopy link

Notice: Security exploit discovered with 3rd party service polyfill[.]io

Acquia has been made aware that a common third party service, polyfill[.]io, has known security vulnerabilities which may impact applications using this project. Further information regarding this vulnerability can be found on drupal.org: 3rd Party Libraries and Supply Chains - PSA-2024-06-26. The potential impact of this exploit includes but is not limited to the popular module: Drupal Webform module. A list of projects currently known to be impacted can be found here.

Due to our shared responsibility model Acquia is unable to mitigate this security vulnerability for impacted customer applications. Acquia’s recommendation for remediation can be found in this knowledge base article. For most customers this means updating impacted modules to a secure version, applying a patch to remediate the vulnerability, or removing impacted modules. We highly recommend that customers check their application(s) and take any necessary steps for remediation in order to ensure their application(s) remain secure.

If you have any questions or concerns regarding the polyfill[.]io library, please contact Acquia Support by logging in to accounts.acquia.com and visiting the Acquia Help Center.

Published at N/A

regreSSHion - CVE-2024-6387

VulnerabilitiesCopy link

Today, 7/1/2024, the Qualys Threat Research Unit released a blog post detailing a vulnerability, CVE-2024-6387, in OpenSSH’s server (sshd) in glibc-based Linux systems. The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

At this point in time, the assessment is that Acquia remains unaffected as triaged by Canonical (https://ubuntu.com/security/CVE-2024-6387). Acquia continues its independent analysis and will update here with any further information.

Published at N/A

Progress Software MOVEit Vulnerability - CVE-2024-5805

VulnerabilitiesCopy link

Acquia was notified by a private party (thanks to that client) that there was an impending vulnerability release scheduled for 6-25-2024. Upon notification, we confirmed that MOVEit has not been introduced into Acquia's environment and that Acquia remains unaffected by any vulnerabilities facing MOVEit. Acquia will continue to act on any intelligence we gather or receive to protect our services and the data entrusted to us.

Published at N/A*

Snowflake Attack Bulletin

VulnerabilitiesCopy link

To Whom It May Concern, Acquia is aware of the ongoing discussion and information sharing relating to Snowflake and the attacks that are/were targeting their clients. Acquia utilizes Snowflake for Acquia DAM and CDP. Upon awareness of possible impact to services, Acquia began an investigation that to date has not identified any impact to our services. Continued monitoring and implementation of best practices for authentication and authorization will be followed to maintain the confidentiality, integrity and availability of services

Published at N/A

2024 PCI DSS AOC Release

ComplianceCopy link

The Acquia Cloud PCI DSS Attestation of Compliance is now available for review. For clients who procure the Acquia Cloud PCI Compliant Hosting, find the 2024 AOC available on the document tile "PCI DSS". The scope of this report is not limited to the classic or next infrastructure, instead scoped to all Acquia Cloud Hosting arrangements. We apologize for the delay in getting this published, some QSA unavailability delayed the QA process. Special Note: This is the first report on PCI DSS 4.0 for Acquia and includes a new responsibility matrix mapped to PCI DSS 4.0. If you have any questions, please reach out to your designated account manager!

Published at N/A

2023 SOC Reports Release

ComplianceCopy link

The 2023 SOC1 Type 2 and SOC2 Type 2 reports for the period January 1, 2023 through December 31, 2023 have been published on the trust center. The scope of these reports includes the products in Marketing Cloud (Campaign Studio/Campaign Factory, Acquia Personalization, Customer Data Platform) and Drupal Cloud (ACE Classic & Next, AC Site Factory, Email, Search, Pipelines, Site Studio, Code Studio, Content Hub, Cloud IDE).

Published at N/A

CVE-2023-44487 -- HTTP/2 Rapid Reset

VulnerabilitiesCopy link

Acquia is aware of the ongoing Rapid Reset vulnerability and is monitoring for upcoming patches and threats facing our systems. For Acquia Cloud hosted sites, Acquia continues to maintain that a WAF is the best protection against DDoS threats including Rapid Reset. Acquia Cloud Edge is one such option but many others can be used. Security Operations will continue to monitor all products in our portfolio for available patches and update our systems accordingly.

Published at N/A

2023 Acquia Cloud Next (ACN) Compliance Journey

ComplianceCopy link

The Acquia Cloud Next PCI DSS Attestation of Compliance is now available for review. For clients who procure the Acquia Cloud PCI Compliant Hosting, find the new AOC available for the next generation hosting. Your environment will be scheduled to move to at a time and date to be determined. Reach out to your account team with any questions.

Published at N/A

The Acquia Cloud Next SOC2T1 assessment report is now available for review. The next SOC2 assessment for Acquia Cloud Next will be a Type 2 assessment and is scheduled to be included in the larger Acquia SOC2T2 report in Q4 of 2023 to cover the period January through December of 2023.

Published at N/A

Acquia Cloud Next is actively following the compliance roadmap and the first compliance assessment report has been published on our security portal. For clients exploring/planning or having already migrated to our Acquia Cloud Next platform this ISO27001 Assessment Report is for you. The SOC2T1 assessment has concluded and is actively undergoing partner review by our third party auditor and is due to be issued shortly. Look for a follow on update when that is available.

Published at N/A

2023 PCI DSS 3.2.1 Release

ComplianceCopy link

The 2023 PCI DSS 3.2.1 AOC for Acquia Cloud Classic is now available for clients procuring our Acquia Cloud PCI Compliant hosting.

Published at N/A

2022 SOC2 Type 2 Release

ComplianceCopy link

The 2022 SOC2 Type 2 report for the period January 1, 2022 through December 31, 2022 has been published on the trust center. This report scope includes the products in Marketing Cloud (Campaign Studio/Campaign Factory, Personalization, Customer Data Platform) and Drupal Cloud Classic (ACE Classic, Site Factory, Email, Search, Pipelines, Site Studio, Content Hub, Cloud IDE).

The Acquia Cloud Next SOC2 Type 1 audit is actively underway.

Published at N/A

2022 SOC1 Type 2 Release

ComplianceCopy link

The 2022 SOC1 Type 2 report for the period January 1, 2022 through December 31, 2022 has been published on the trust center. This report scope includes the products in Marketing Cloud (Campaign Studio/Campaign Factory, Personalization, Customer Data Platform) and Drupal Cloud Classic (ACE Classic, Site Factory, Email, Search, Pipelines, Site Studio, Content Hub, Cloud IDE).

The 2022 SOC2 Type 2 report is going through the final stages of third party quality review.

The Acquia Cloud Next SOC2 Type 1 audit is pending.

Published at N/A

If you think you may have discovered a vulnerability, please send us a note.

Powered bySafeBase Logo