Acquia Inc

Acquia Cloud Site Factory

Acquia Site Factory is a multi-site management platform accessed through a browser-based interface to build and manage sites. Site Factory subscriptions allow customers to perform administrative actions such as create, duplicate and export websites through the platform management dashboard. Users can configure, customize, and publish sites through customer code theme.


  • Fully-managed Service
  • Scalable infrastructure
  • 24x7 monitoring by Acquia's cloud security team
  • Redundant hosting
  • Security monitoring and testing
  • Multi-site management and governance
  • Backups
  • Alerting and support services
  • Site monitoring tools
  • Automated development workflow


  • High availability
  • Disaster Recovery
  • IT resource and cost savings
  • Thoroughly secure hosting environment
  • Multi-site publishing and governance
  • Faster time to market for content publishing
  • Reduced cost for website development


£29,460 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

1 1 0 0 0 0 3 8 1 0 1 8 8 6 6


Acquia Inc Zachary Edge
Telephone: +44 07710240772

Service scope

Service constraints
System requirements
  • Drupal used as CMS
  • Modern Web browser
  • Multiple sites to manage
  • Must use version control processes to modify code
  • Single codebase for many sites
  • Website-specific files directory
  • Per-website theme directory
  • SSL encryption in place

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times vary based on urgency. Support is available at the same response SLAs 24x7.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Acquia provides standard technical support, technical account managers, advisory hours, a technical account manager and enablement services.

Support Levels: Starter, Basic, Business, Premium, Elite

See details at:

Customer may contact Acquia Support Services by submitting tickets or by phone. Response times to tickets are based on the level of urgency. 

"Critical" issues where the customer's production system is inoperative, production operations are several impacted, or involving a critical security issue have a 1 hour, 24x7 initial response time. 

"High" urgency issues (Customer’s production system is operating but the issue is disrupting Customer’s business operations; a workaround is not suitable for sustained operations) have a 2 hour maximum initial response time during business hours. 

"Medium" urgency issues (Customer’s system is operating and the issue’s impact on Customer’s business operations is moderate to low; a workaround or alternative is available) have a maximum 4 hour initial response time during business hours. 

"Low" urgency issues, which do not impact business operations in any significant way and have little or no time sensitivity, have a maximum initial response time of one business day.
Support available to third parties

Onboarding and offboarding

Getting started
Acquia Ready - The Acquia Ready team is a “welcome committee” including a Customer Success Manager and Customer Success Engineer aligned to you to ensure a smooth site launch. Acquia Ready Concierge begins with introducing you to our systems and tools and educating you on how to engage with us for support. We seek to understand your development lifecycle stage, timeline requirements, and testing and validation plans. We perform a complete end-to-end risk assessment of your environment, ensuring that your hardware is sized correctly and that your environment is load tested. We review the pre-launch checklist with you, proactively identifying areas you need to focus on and sharing best practices. We don’t just tell you what’s wrong; we tell you how to fix it. Online training and documentation is readily available.
Service documentation
Documentation formats
End-of-contract data extraction
When a customer cancels service with Acquia, the customer’s servers are terminated and the website data is deleted. Hard drives and other storage media are never removed from the data centers before the data has been sanitized so that the data cannot be recovered. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual“) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices. Data is exported and provided to the customer via Redshift.
End-of-contract process
End of contract does not include any extra charge for Acquia customers who are not renewing.

Using the service

Web browser interface
Using the web interface
Web sites, users and other site components are monitored and managed through a centralized, Site Factory dashboard. The dashboard includes features including the following:
one-click site creation and duplication,
full site management and version control,
export sites at will, and
full visibility at your fingertips for the ultimate in brand consistency and control.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
Accessible via an online dashboard/UI.
Web interface accessibility testing
What users can and can't do using the API
Acquia provides a Cloud API that allows our customers to automate
many site management tasks and access our cloud services remotely.
More information on the Acquia Cloud API is available
API automation tools
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • PDF
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
Acquia Cloud has two additional interfaces that developers can use to extend, enhance, and customize Acquia Cloud:

Acquia Cloud API - The Acquia Cloud API is a RESTful web interface that allows developers to extend, enhance, and customize Acquia Cloud. It includes developer workflow, site management, and provisioning capabilities.


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
The Acquia Cloud platform is tuned specifically for Drupal performance, resulting in faster rendering of dynamic content and improved site reliability. In creating the platform, Acquia's performance experts completed analysis of performance characteristics and identified the configurations at each layer of the stack that make Drupal websites fast. The core of the Acquia Cloud platform is an open source LAMP server stack, combining the Linux (Ubuntu) operating system and PHP programming language with Drupal. The Acquia platform provides burstable, elastic cloud resources that let you scale your servers on demand. Our platform continuously monitors site performance.
Usage notifications
Usage reporting
  • Email
  • SMS
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Website files
  • Static Code
  • Databases
Backup controls
You can make on-demand backups of any database at any time either on the Cloud > Workflow page of your Acquia Cloud account or on the Cloud > Databases page. These backups are listed as User backups in the Acquia Cloud UI. Acquia Cloud keeps on-demand backups until the customer deletes them.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users schedule backups through a web interface
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
Other protection between networks
Acquia Cloud supports and encourages the use of SSL on it's customers' sites for protection of data in transit.
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.95% Up-time SLA for infrastructure as well as application; 24x7x365 and 30-minute or 1-hour response time for critical application failure.
Approach to resilience
Enterprise customers achieve high availability by using multiple availability zones in one region with redundant servers serving each layer of the technology stack: extra web servers operating round-robin, including reserve capacity in the second availability zone; a fully redundant file system in the second availability zone that is constantly syncing; master-master replication for database pairs; multiple dedicated Memcache servers; and a secondary load balancer in a redundant environment. Acquia Cloud also offers automatic nightly and on-demand backups and restores.

Our Operations team will scale your resources up to meet predictable and unpredictable traffic spikes for any period of time, and then return resources back to normal levels when traffic subsides. Furthermore, when resource usage rises, our experts investigate why instead of immediately throwing more hardware at the problem. As a result, we often prevent customers from having to upsize. This allows you to pay only for the resources you need.
Outage reporting
- email alerts

Identity and authentication

User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Acquia has baseline access security requirements. Access controls can be configured by customers for increased security.
Access restriction testing frequency
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
No audit information available
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Schellman & Company, LLC
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The certification covers our Information Security Management System as it pertains to the listed product, among others.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover
PCI certification
Who accredited the PCI DSS certification
Schellman & Company, LLC
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
- SOC 1
- SOC 2
Information security policies and processes
Acquia follows its Information Security Policy and Procedures.The information security policy is required to be reviewed on an annual basis and approved by either the CISO or the Senior Director of Information Security. All Acquia employees, interns, contractors, and third party contractors are required to complete a security awareness training course upon hire and annually thereafter, that educates workers about Acquia's security policies. In addition, they are required to sign off on the Acquia acceptable use policy that includes acknowledging the receipt and review of the information security policy.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Acquia utilizes an agile change management process. System changes are managed by the Acquia engineering team who use a single server in each environment which is configured as the configuration management server. Changes are grouped into sprints. System changes are tracked in a change management ticketing system and required to be tested and approved prior to being implemented into the production environment. Version control software is in place to help ensure that code changes are tracked and can be rolled back as needed. Changes are assessed for potential security impact.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
At the Operating System and LAMP stack layers, Acquia employs a third-party vulnerability assessment platform, Rapid7, to perform authenticated host-based vulnerability scans against a representative sample of Acquia server types. The vulnerability scans are run weekly and reported to Acquia's security and operations teams. Vulnerabilities are reviewed, identified, and categorised by the Acquia security team, which assigns and prioritises reported vulnerabilities and documents mitigation steps to be implemented by the Acquia operations team.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Acquia uses OSSEC, an open-source, host-based Intrusion Detection System (IDS), which performs log analysis, integrity checking, and time-based alerting. Action is taken immediately if a compromise is identified. All affected or potentially affected customers are notified immediately of the incident.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Acquia has a formally documented Incident Response Plan that describes discovery, investigation, escalation, containment, notification, and documentation processes of security incidents. Upon initial notification that a Security Incident that has occurred, or is in progress, and is customer impacting it is the responsibility of Support team to notify the customers who are likely to be affected by the incident. Regular updates will be sent depending on the nature of the incident and as determined during the incident declaration stage.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Third-party virtualisation provider
Amazon Web Services
How shared infrastructure is kept separate
Each customer is provisioned on separate EC2 instances for each layer of their solution. Web application firewalls are in place. Data checks also verify that assets are located in the appropriate customer environments.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
AWS manages datacentres.

Social Value



As a global organization with employees located in over 14 offices across the globe, Acquia prides itself on inclusion, being open to, and celebrating the cultural differences that make up or team. Here are some practices and initiatives that support diversity and inclusion:

- Code of Conduct policy
- Annual Affirmative Action Plan (AAP) reporting, including a targeted action plan.
- Sponsorship of annual Pride celebration throughout its global offices.
- Support of Women's initiatives through partnering with local organizations that provide educational and leadership opportunities.

Acquia also facilitates an internal mentoring program that connects a diverse set of employees at varying skill levels in the organization together to promote growth, development, and coaching opportunities.


£29,460 a licence a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.