Acquia Inc

Acquia Cloud Site Factory

Acquia Site Factory is a multi-site management platform accessed through a browser-based interface to build and manage sites. Site Factory subscriptions allow customers to perform administrative actions such as create, duplicate and export websites through the platform management dashboard. Users can configure, customize, and publish sites through customer code theme.

Features

• Fully-managed Service
• Scalable infrastructure
• 24x7 monitoring by Acquia's cloud security team
• Redundant hosting
• Security monitoring and testing
• Multi-site management and governance
• Backups
• Alerting and support services
• Site monitoring tools
• Automated development workflow

Benefits

• High availability
• Disaster Recovery
• IT resource and cost savings
• Thoroughly secure hosting environment
• Multi-site publishing and governance
• Faster time to market for content publishing
• Reduced cost for website development

£29,460 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at zac.edge@acquia.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

110000381018866

Contact

Zachary Edge
+44 07710240772
zac.edge@acquia.com

Service scope

• Service constraints: None
• System requirements:
  • Drupal used as CMS
  • Modern Web browser
  • Multiple sites to manage
  • Must use version control processes to modify code
  • Single codebase for many sites
  • Website-specific files directory
  • Per-website theme directory
  • SSL encryption in place

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times vary based on urgency. Support is available at the same response SLAs 24x7.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Acquia provides standard technical support, technical account managers, advisory hours, a technical account manager and enablement services. ; ; Support Levels: Starter, Basic, Business, Premium, Elite; ; See details at: https://docs.acquia.com/support/guide#overview_subscriptions. ; ; Customer may contact Acquia Support Services by submitting tickets or by phone. Response times to tickets are based on the level of urgency. ; ; "Critical" issues where the customer's production system is inoperative, production operations are several impacted, or involving a critical security issue have a 1 hour, 24x7 initial response time. ; ; "High" urgency issues (Customer’s production system is operating but the issue is disrupting Customer’s business operations; a workaround is not suitable for sustained operations) have a 2 hour maximum initial response time during business hours. ; ; "Medium" urgency issues (Customer’s system is operating and the issue’s impact on Customer’s business operations is moderate to low; a workaround or alternative is available) have a maximum 4 hour initial response time during business hours. ; ; "Low" urgency issues, which do not impact business operations in any significant way and have little or no time sensitivity, have a maximum initial response time of one business day.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Acquia Ready - The Acquia Ready team is a “welcome committee” including a Customer Success Manager and Customer Success Engineer aligned to you to ensure a smooth site launch. Acquia Ready Concierge begins with introducing you to our systems and tools and educating you on how to engage with us for support. We seek to understand your development lifecycle stage, timeline requirements, and testing and validation plans. We perform a complete end-to-end risk assessment of your environment, ensuring that your hardware is sized correctly and that your environment is load tested. We review the pre-launch checklist with you, proactively identifying areas you need to focus on and sharing best practices. We don’t just tell you what’s wrong; we tell you how to fix it. Online training and documentation is readily available.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: When a customer cancels service with Acquia, the customer’s servers are terminated and the website data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized so that the data cannot be recovered. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual“) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices. Data is exported and provided to the customer via Redshift.
• End-of-contract process: End of contract does not include any extra charge for Acquia customers who are not renewing.

Using the service

• Web browser interface: Yes
• Using the web interface: Web sites, users and other site components are monitored and managed through a centralized, Site Factory dashboard. The dashboard includes features including the following:; one-click site creation and duplication,; full site management and version control,; export sites at will, and; full visibility at your fingertips for the ultimate in brand consistency and control.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Accessible via an online dashboard/UI.
• Web interface accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: Acquia provides a Cloud API that allows our customers to automate; many site management tasks and access our cloud services remotely.; More information on the Acquia Cloud API is available; here:https://cloudapi.acquia.com/
• API automation tools: Puppet
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• Command line interface: Yes
• Command line interface compatibility:
  • Linux or Unix
  • Windows
  • MacOS
• Using the command line interface: Acquia Cloud has two additional interfaces that developers can use to extend, enhance, and customize Acquia Cloud:; ; Acquia Cloud API - The Acquia Cloud API is a RESTful web interface that allows developers to extend, enhance, and customize Acquia Cloud. It includes developer workflow, site management, and provisioning capabilities.

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: The Acquia Cloud platform is tuned specifically for Drupal performance, resulting in faster rendering of dynamic content and improved site reliability. In creating the platform, Acquia's performance experts completed analysis of performance characteristics and identified the configurations at each layer of the stack that make Drupal websites fast. The core of the Acquia Cloud platform is an open source LAMP server stack, combining the Linux (Ubuntu) operating system and PHP programming language with Drupal. The Acquia platform provides burstable, elastic cloud resources that let you scale your servers on demand. Our platform continuously monitors site performance.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • SMS
  • Other

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Website files
  • Static Code
  • Databases
• Backup controls: You can make on-demand backups of any database at any time either on the Cloud > Workflow page of your Acquia Cloud account or on the Cloud > Databases page. These backups are listed as User backups in the Acquia Cloud UI. Acquia Cloud keeps on-demand backups until the customer deletes them.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Acquia Cloud supports and encourages the use of SSL on it's customers' sites for protection of data in transit.
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.95% Up-time SLA for infrastructure as well as application; 24x7x365 and 30-minute or 1-hour response time for critical application failure.
• Approach to resilience: Enterprise customers achieve high availability by using multiple availability zones in one region with redundant servers serving each layer of the technology stack: extra web servers operating round-robin, including reserve capacity in the second availability zone; a fully redundant file system in the second availability zone that is constantly syncing; master-master replication for database pairs; multiple dedicated Memcache servers; and a secondary load balancer in a redundant environment. Acquia Cloud also offers automatic nightly and on-demand backups and restores.; ; Our Operations team will scale your resources up to meet predictable and unpredictable traffic spikes for any period of time, and then return resources back to normal levels when traffic subsides. Furthermore, when resource usage rises, our experts investigate why instead of immediately throwing more hardware at the problem. As a result, we often prevent customers from having to upsize. This allows you to pay only for the resources you need.
• Outage reporting: - email alerts

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Acquia has baseline access security requirements. Access controls can be configured by customers for increased security.
• Access restriction testing frequency: Never
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Devices users manage the service through: Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman & Company, LLC
• ISO/IEC 27001 accreditation date: 23/12/2021
• What the ISO/IEC 27001 doesn’t cover: The certification covers our Information Security Management System as it pertains to the listed product, among others.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 23/12/2021
• CSA STAR certification level: Level 3: CSA STAR Certification
• What the CSA STAR doesn’t cover: N/A
• PCI certification: Yes
• Who accredited the PCI DSS certification: Schellman & Company, LLC
• PCI DSS accreditation date: 06/10/2021
• What the PCI DSS doesn’t cover: -
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: No
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
• Other security governance standards: - SOC 1 ; - SOC 2 ; - HIPAA; - PCI-DSS ; - FedRAMP
• Information security policies and processes: Acquia follows its Information Security Policy and Procedures.The information security policy is required to be reviewed on an annual basis and approved by either the CISO or the Senior Director of Information Security. All Acquia employees, interns, contractors, and third party contractors are required to complete a security awareness training course upon hire and annually thereafter, that educates workers about Acquia's security policies. In addition, they are required to sign off on the Acquia acceptable use policy that includes acknowledging the receipt and review of the information security policy.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Acquia utilizes an agile change management process. System changes are managed by the Acquia engineering team who use a single server in each environment which is configured as the configuration management server. Changes are grouped into sprints. System changes are tracked in a change management ticketing system and required to be tested and approved prior to being implemented into the production environment. Version control software is in place to help ensure that code changes are tracked and can be rolled back as needed. Changes are assessed for potential security impact.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: At the Operating System and LAMP stack layers, Acquia employs a third-party vulnerability assessment platform, Rapid7, to perform authenticated host-based vulnerability scans against a representative sample of Acquia server types. The vulnerability scans are run weekly and reported to Acquia's security and operations teams. Vulnerabilities are reviewed, identified, and categorised by the Acquia security team, which assigns and prioritises reported vulnerabilities and documents mitigation steps to be implemented by the Acquia operations team.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Acquia uses OSSEC, an open-source, host-based Intrusion Detection System (IDS), which performs log analysis, integrity checking, and time-based alerting. Action is taken immediately if a compromise is identified. All affected or potentially affected customers are notified immediately of the incident.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Acquia has a formally documented Incident Response Plan that describes discovery, investigation, escalation, containment, notification, and documentation processes of security incidents. Upon initial notification that a Security Incident that has occurred, or is in progress, and is customer impacting it is the responsibility of Support team to notify the customers who are likely to be affected by the incident. Regular updates will be sent depending on the nature of the incident and as determined during the incident declaration stage.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: Amazon Web Services
• How shared infrastructure is kept separate: Each customer is provisioned on separate EC2 instances for each layer of their solution. Web application firewalls are in place. Data checks also verify that assets are located in the appropriate customer environments.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: AWS manages datacentres.

Social Value

• Wellbeing:

  Wellbeing

  As a global organization with employees located in over 14 offices across the globe, Acquia prides itself on inclusion, being open to, and celebrating the cultural differences that make up or team. Here are some practices and initiatives that support diversity and inclusion:; ; - Code of Conduct policy; - Annual Affirmative Action Plan (AAP) reporting, including a targeted action plan.; - Sponsorship of annual Pride celebration throughout its global offices.; - Support of Women's initiatives through partnering with local organizations that provide educational and leadership opportunities.; ; Acquia also facilitates an internal mentoring program that connects a diverse set of employees at varying skill levels in the organization together to promote growth, development, and coaching opportunities.

Pricing

• Price: £29,460 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at zac.edge@acquia.com. Tell them what format you need. It will help if you say what assistive technology you use.