Acquia Inc

Acquia Cloud Site Factory

Acquia Cloud Site Factory is a website building and multi-site management platform accessed through a browser-based user interface. Site Factory subscriptions allow customers to perform administrative actions such as creating, duplicating and exporting websites through the Site Factory Platform management dashboard, and to configure, customize (through a customer code theme), and publish websites.


  • Fully-managed Service
  • Scalable infrastructure
  • 24x7 monitoring by Acquia's cloud security team
  • Redundant hosting
  • Security monitoring and testing
  • Multi-site management and governance
  • Backups
  • Alerting and support services
  • Site monitoring tools
  • Automated development workflow


  • High availability
  • Disaster Recovery
  • IT resource and cost savings
  • Thoroughly secure hosting environment
  • Multi-site publishing and governance
  • Faster time to market for content publishing
  • Reduced cost for website development


£34920 per licence per year

Service documents

G-Cloud 11


Acquia Inc

Jasmijn Cordewener

+44 (0) 755 444 7169

Service scope

Service constraints None
System requirements
  • Drupal used as CMS
  • Modern Web browser
  • Multiple sites to manage
  • Must use version control processes to modify code
  • Single codebase for many sites
  • Website-specific files directory
  • Per-website theme directory
  • SSL encryption in place

User support

Email or online ticketing support Email or online ticketing
Support response times Response times vary based on urgency. Support is available at the same response SLAs 24x7.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Acquia provides standard technical support, technical account managers, advisory hours and enablement services.

Support Levels: Starter, Basic, Business, Premium, Elite

See details at:

Customer may contact Acquia Support Services by submitting tickets or by phone. Response times to tickets are based on the level of urgency. 

"Critical" issues, where the customer's production system is inoperative, production operations are severely impacted, or a critical security issue is involved, have a 1 hour, 24x7 initial response time.

"High" urgency issues (Customer’s production system is operating but the issue is disrupting Customer’s business operations; a workaround is not suitable for sustained operations) have a 2 hour maximum initial response time during business hours. 

"Medium" urgency issues (Customer’s system is operating and the issue’s impact on Customer’s business operations is moderate to low; a workaround or alternative is available) have a maximum 4 hour initial response time during business hours. 

"Low" urgency issues, which do not impact business operations in any significant way and have little or no time sensitivity, have a maximum initial response time of one business day.
Support available to third parties No

Onboarding and offboarding

Getting started Acquia Ready - The Acquia Ready team is a “welcome committee” including a Customer Success Manager and Customer Success Engineer aligned to you to ensure a smooth site launch. Acquia Ready Concierge begins with introducing you to our systems and tools and educating you on how to engage with us for support. We seek to understand your development lifecycle stage, timeline requirements, and testing and validation plans. We perform a complete end-to-end risk assessment of your environment, ensuring that your hardware is sized correctly and that your environment is load tested. We review the pre-launch checklist with you, proactively identifying areas you need to focus on and sharing best practices. We don’t just tell you what’s wrong; we tell you how to fix it. Online training and documentation is readily available.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction When a customer cancels service with Acquia, the customer’s servers are terminated and the website data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized so that the data cannot be recovered. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual“) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices. Data is exported and provided to the customer via Redshift.
End-of-contract process End of contract does not include any extra charge for Acquia customers who are not renewing.

Using the service

Web browser interface Yes
Using the web interface Websites, users and other site components are monitored and managed through a centralized Site Factory dashboard. The dashboard's features include the following:
- One-click site creation and duplication
- Full site management and version control
- Export sites at will, and
- Full visibility at your fingertips for the ultimate in brand consistency and control
Web interface accessibility standard None or don’t know
How the web interface is accessible Accessible via an online dashboard/UI.
Web interface accessibility testing N/A
What users can and can't do using the API Acquia provides a Cloud API that allows our customers to automate many site management tasks and access our cloud services remotely.
More information on the Acquia Cloud API is available
API automation tools Puppet
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
Command line interface Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface Acquia Cloud has two additional interfaces that developers can use to extend, enhance, and customize Acquia Cloud:

Acquia Cloud API - The Acquia Cloud API is a RESTful web interface that allows developers to extend, enhance, and customize Acquia Cloud. It includes developer workflow, site management, and provisioning capabilities.


Scaling available Yes
Scaling type
  • Automatic
  • Manual
Independence of resources The Acquia Cloud platform is tuned specifically for Drupal performance, resulting in faster rendering of dynamic content and improved site reliability. In creating the platform, Acquia's performance experts analysed performance characteristics and identified the configurations at each layer of the stack that make Drupal websites fast. The core of the Acquia Cloud platform is an open source LAMP server stack, combining the Linux (Ubuntu) operating system and PHP programming language with Drupal. The Acquia platform provides burstable, elastic cloud resources that let you scale your servers on demand. Our platform continuously monitors site performance.
Usage notifications Yes
Usage reporting
  • Email
  • SMS
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Website files
  • Static Code
  • Databases
Backup controls You can make on-demand backups of any database at any time either on the Cloud > Workflow page of your Acquia Cloud account or on the Cloud > Databases page. These backups are listed as User backups in the Acquia Cloud UI. Acquia Cloud keeps on-demand backups until the customer deletes them.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Users schedule backups through a web interface
Backup recovery Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks Other
Other protection between networks Acquia Cloud supports and encourages the use of SSL on its customers' sites for protection of data in transit.
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability - 99.95% Up-time SLA for infrastructure as well as application; 24x7x365
- 30-minute or 1-hour response time for critical application failure
Approach to resilience Enterprise customers achieve high availability by using multiple availability zones in one region with redundant servers serving each layer of the technology stack: extra web servers operating round-robin, including reserve capacity in the second availability zone; a fully redundant file system in the second availability zone that is constantly syncing; master-master replication for database pairs; multiple dedicated Memcache servers; and a secondary load balancer in a redundant environment. Acquia Cloud also offers automatic nightly and on-demand backups and restores.

Our Operations team will scale your resources up to meet predictable and unpredictable traffic spikes for any period of time, and then return resources back to normal levels when traffic subsides. Furthermore, when resource usage rises, our experts investigate why instead of immediately throwing more hardware at the problem. As a result, we often prevent customers from having to upsize. This allows you to pay only for the resources you need.
Outage reporting - email alerts

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Acquia has baseline access security requirements. Access controls can be configured by customers for increased security.
Access restriction testing frequency Never
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Schellman & Company, LLC
ISO/IEC 27001 accreditation date 1/8/2017
What the ISO/IEC 27001 doesn’t cover The certification covers our Information Security Management System as it pertains to the listed product, among others.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 12/1/2013
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover N/A
PCI certification Yes
Who accredited the PCI DSS certification Schellman & Company, LLC
PCI DSS accreditation date 30/1/2018
What the PCI DSS doesn’t cover -
Other security certifications No

Security governance

Named board-level person responsible for service security No
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards - SOC 1
- SOC 2
Information security policies and processes Acquia follows its Information Security Policy and Procedures. The information security policy is required to be reviewed on an annual basis and approved by either the CISO or the Senior Director of Information Security. All Acquia employees, interns, contractors, and third party contractors are required to complete a security awareness training course upon hire and annually thereafter, which educates workers about Acquia's security policies. In addition, they are required to sign off on the Acquia acceptable use policy, which includes acknowledging the receipt and review of the information security policy.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Acquia utilizes an agile change management process. System changes are managed by the Acquia engineering team who use a single server in each environment which is configured as the configuration management server. Changes are grouped into sprints. System changes are tracked in a change management ticketing system and required to be tested and approved prior to being implemented into the production environment. Version control software is in place to help ensure that code changes are tracked and can be rolled back as needed. Changes are assessed for potential security impact.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach At the Operating System and LAMP stack layers, Acquia employs a third-party vulnerability assessment platform, Rapid7, to perform authenticated host-based vulnerability scans against a representative sample of Acquia server types. The vulnerability scans are run weekly and reported to Acquia's security and operations teams. Vulnerabilities are reviewed, identified, and categorised by the Acquia security team, which assigns and prioritises reported vulnerabilities and documents mitigation steps to be implemented by the Acquia operations team.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Acquia uses OSSEC, an open-source, host-based Intrusion Detection System (IDS), which performs log analysis, integrity checking, and time-based alerting. Action is taken immediately if a compromise is identified. All affected or potentially affected customers are notified immediately of the incident.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Acquia has a formally documented Incident Response Plan that describes discovery, investigation, escalation, containment, notification, and documentation processes of security incidents. Upon initial notification that a Security Incident has occurred, or is in progress, and is customer impacting, it is the responsibility of the Support team to notify the customers who are likely to be affected by the incident. Regular updates will be sent depending on the nature of the incident and as determined during the incident declaration stage.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon Web Services
How shared infrastructure is kept separate Each customer is provisioned on separate EC2 instances for each layer of their solution. Web application firewalls are in place. Data checks also verify that assets are located in the appropriate customer environments.

Energy efficiency

Energy-efficient datacentres Yes
Description of energy efficient datacentres AWS manages datacentres.


Price £34920 per licence per year
Discount for educational organisations No
Free trial available No

Service documents

  • pdf document: Pricing document
  • pdf document: Terms and conditions
  • pdf document: Modern Slavery statement