Acquia Inc

Acquia Cloud Site Factory

Acquia Cloud Site Factory is a website building and multi-site management platform accessed through a browser-based user interface. Site Factory subscriptions allow customers to perform administrative actions such as create, duplicate and export websites through the Site Factory Platform management dashboard, configure, customize, through customer code theme, and publish websites.

Features

  • Fully-managed Service
  • Scalable infrastructure
  • 24x7 monitoring by Acquia's cloud security team
  • Redundant hosting
  • Security monitoring and testing
  • Multi-site management and governance
  • Backups
  • Alerting and support services
  • Site monitoring tools
  • Automated development workflow

Benefits

  • High availability
  • Disaster Recovery
  • IT resource and cost savings
  • Thoroughly secure hosting environment
  • Multi-site publishing and governance
  • Faster time to market for content publishing
  • Reduced cost for website development

Pricing

£34920 per licence per year

Service documents

Framework

G-Cloud 11

Service ID

7 6 6 6 9 8 2 6 0 2 1 5 9 6 6

Contact

Acquia Inc

Jessica Zhang

+44 (0) 118 370 1655

jessica.zhang@acquia.com

Service scope

Service constraints
None
System requirements
  • Drupal used as CMS
  • Modern Web browser
  • Multiple sites to manage
  • Must use version control processes to modify code
  • Single codebase for many sites
  • Website-specific files directory
  • Per-website theme directory
  • SSL encryption in place

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times vary based on urgency. Support is available at the same response SLAs 24x7.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Acquia provides standard technical support, technical account managers, advisory hours, a technical account manager and enablement services.

Support Levels: Starter, Basic, Business, Premium, Elite

See details at: https://docs.acquia.com/support/guide#overview_subscriptions

Customer may contact Acquia Support Services by submitting tickets or by phone. Response times to tickets are based on the level of urgency. 

"Critical" issues where the customer's production system is inoperative, production operations are several impacted, or involving a critical security issue have a 1 hour, 24x7 initial response time. 

"High" urgency issues (Customer’s production system is operating but the issue is disrupting Customer’s business operations; a workaround is not suitable for sustained operations) have a 2 hour maximum initial response time during business hours. 

"Medium" urgency issues (Customer’s system is operating and the issue’s impact on Customer’s business operations is moderate to low; a workaround or alternative is available) have a maximum 4 hour initial response time during business hours. 

"Low" urgency issues, which do not impact business operations in any significant way and have little or no time sensitivity, have a maximum initial response time of one business day.
Support available to third parties
No

Onboarding and offboarding

Getting started
Acquia Ready - The Acquia Ready team is a “welcome committee” including a Customer Success Manager and Customer Success Engineer aligned to you to ensure a smooth site launch. Acquia Ready Concierge begins with introducing you to our systems and tools and educating you on how to engage with us for support. We seek to understand your development lifecycle stage, timeline requirements, and testing and validation plans. We perform a complete end-to-end risk assessment of your environment, ensuring that your hardware is sized correctly and that your environment is load tested. We review the pre-launch checklist with you, proactively identifying areas you need to focus on and sharing best practices. We don’t just tell you what’s wrong; we tell you how to fix it. Online training and documentation is readily available.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
When a customer cancels service with Acquia, the customer’s servers are terminated and the website data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized so that the data cannot be recovered. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual“) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices. Data is exported and provided to the customer via Redshift.
End-of-contract process
End of contract does not include any extra charge for Acquia customers who are not renewing.

Using the service

Web browser interface
Yes
Using the web interface
Web sites, users and other site components are monitored and managed through a centralized, Site Factory dashboard. The dashboard includes features including the following:
- One-click site creation and duplication
- Full site management and version control
- Export sites at will, and
- Full visibility at your fingertips for the ultimate in brand consistency and control
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Accessible via an online dashboard/UI.
Web interface accessibility testing
N/A
API
Yes
What users can and can't do using the API
Acquia provides a Cloud API that allows our customers to automate
many site management tasks and access our cloud services remotely.
More information on the Acquia Cloud API is available
here:https://cloudapi.acquia.com/
API automation tools
Puppet
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Acquia Cloud has two additional interfaces that developers can use to extend, enhance, and customize Acquia Cloud:

Acquia Cloud API - The Acquia Cloud API is a RESTful web interface that allows developers to extend, enhance, and customize Acquia Cloud. It includes developer workflow, site management, and provisioning capabilities.

Scaling

Scaling available
Yes
Scaling type
  • Automatic
  • Manual
Independence of resources
He Acquia Cloud platform is tuned specifically for Drupal performance, resulting in faster rendering of dynamic content and improved site reliability. In creating the platform, Acquia's performance experts analysed performance characteristics and identified the configurations at each layer of the stack that make Drupal websites fast. The core of the Acquia Cloud platform is an open source LAMP server stack, combining the Linux (Ubuntu) operating system and PHP programming language with Drupal. The Acquia platform provides burstable, elastic cloud resources that let you scale your servers on demand. Our platform continuously monitors site performance.
Usage notifications
Yes
Usage reporting
  • Email
  • SMS
  • Other

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Website files
  • Static Code
  • Databases
Backup controls
You can make on-demand backups of any database at any time either on the Cloud > Workflow page of your Acquia Cloud account or on the Cloud > Databases page. These backups are listed as User backups in the Acquia Cloud UI. Acquia Cloud keeps on-demand backups until the customer deletes them.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
Acquia Cloud supports and encourages the use of SSL on it's customers' sites for protection of data in transit.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
- 99.95% Up-time SLA for infrastructure as well as application; 24x7x365
- 30-minute or 1-hour response time for critical application failure
Approach to resilience
Enterprise customers achieve high availability by using multiple availability zones in one region with redundant servers serving each layer of the technology stack: extra web servers operating round-robin, including reserve capacity in the second availability zone; a fully redundant file system in the second availability zone that is constantly syncing; master-master replication for database pairs; multiple dedicated Memcache servers; and a secondary load balancer in a redundant environment. Acquia Cloud also offers automatic nightly and on-demand backups and restores.

Our Operations team will scale your resources up to meet predictable and unpredictable traffic spikes for any period of time, and then return resources back to normal levels when traffic subsides. Furthermore, when resource usage rises, our experts investigate why instead of immediately throwing more hardware at the problem. As a result, we often prevent customers from having to upsize. This allows you to pay only for the resources you need.
Outage reporting
- email alerts

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Acquia has baseline access security requirements. Access controls can be configured by customers for increased security.
Access restriction testing frequency
Never
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Schellman & Company, LLC
ISO/IEC 27001 accreditation date
1/8/2017
What the ISO/IEC 27001 doesn’t cover
The certification covers our Information Security Management System as it pertains to the listed product, among others.
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
12/1/2013
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
N/A
PCI certification
Yes
Who accredited the PCI DSS certification
Schellman & Company, LLC
PCI DSS accreditation date
30/1/2018
What the PCI DSS doesn’t cover
-
Other security certifications
No

Security governance

Named board-level person responsible for service security
No
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
- SOC 1
- SOC 2
- HIPAA
- PCI-DSS
- FedRAMP
Information security policies and processes
Acquia follows its Information Security Policy and Procedures.The information security policy is required to be reviewed on an annual basis and approved by either the CISO or the Senior Director of Information Security. All Acquia employees, interns, contractors, and third party contractors are required to complete a security awareness training course upon hire and annually thereafter, that educates workers about Acquia's security policies. In addition, they are required to sign off on the Acquia acceptable use policy that includes acknowledging the receipt and review of the information security policy.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Acquia utilizes an agile change management process. System changes are managed by the Acquia engineering team who use a single server in each environment which is configured as the configuration management server. Changes are grouped into sprints. System changes are tracked in a change management ticketing system and required to be tested and approved prior to being implemented into the production environment. Version control software is in place to help ensure that code changes are tracked and can be rolled back as needed. Changes are assessed for potential security impact.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
At the Operating System and LAMP stack layers, Acquia employs a third-party vulnerability assessment platform, Rapid7, to perform authenticated host-based vulnerability scans against a representative sample of Acquia server types. The vulnerability scans are run weekly and reported to Acquia's security and operations teams. Vulnerabilities are reviewed, identified, and categorised by the Acquia security team, which assigns and prioritises reported vulnerabilities and documents mitigation steps to be implemented by the Acquia operations team.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Acquia uses OSSEC, an open-source, host-based Intrusion Detection System (IDS), which performs log analysis, integrity checking, and time-based alerting. Action is taken immediately if a compromise is identified. All affected or potentially affected customers are notified immediately of the incident.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Acquia has a formally documented Incident Response Plan that describes discovery, investigation, escalation, containment, notification, and documentation processes of security incidents. Upon initial notification that a Security Incident that has occurred, or is in progress, and is customer impacting it is the responsibility of Support team to notify the customers who are likely to be affected by the incident. Regular updates will be sent depending on the nature of the incident and as determined during the incident declaration stage.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
Amazon Web Services
How shared infrastructure is kept separate
Each customer is provisioned on separate EC2 instances for each layer of their solution. Web application firewalls are in place. Data checks also verify that assets are located in the appropriate customer environments.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
AWS manages datacentres.

Pricing

Price
£34920 per licence per year
Discount for educational organisations
No
Free trial available
No

Service documents

Return to top ↑