About Acquia. Acquia Cloud Site Factory allows you to rapidly build mobile- ready brand, campaign, and franchise websites on a turnkey cloud platform.

Transcription

1 SERVICE DEFINITION

2 About Acquia Acquia is a private, fast- growth company supporting enterprises that use the free and open- source content- management system Drupal. Co- founded by Drupal's creator in 2007, Acquia provides customers with software, consultation, hosting, and services to help them launch sites faster and keep them running with more confidence. Drupal Commons is the better way to social business. It's everything your community needs collaboration, community, and more at a far lower total cost than proprietary software. Drupal Commons enables social networking to create productive interactions among employees, customers, and the web. Whether your community is public or private, Drupal Commons does it. Acquia Cloud is a Platform as a Service (PaaS) that delivers superb Drupal hosting for developers and enterprises. Used by some of the world's largest and best- known Drupal sites, Acquia's battle- tested hosting environment is configured, expertly tuned, and optimized for Drupal. Acquia Network provides expert Drupal answers, tools, and support. It's a package that stands behind you, ensuring successful site migration, launch, operation, and growth. Add cloud hosting for the most- complete Drupal solution available anywhere. Get smarter, be more productive, and sleep better knowing that we've got your back. Acquia Cloud Site Factory allows you to rapidly build mobile- ready brand, campaign, and franchise websites on a turnkey cloud platform.

3 High performance Acquia Cloud is Drupal- tuned and pre- configured with advanced performance technologies, including Varnish, Nginx, APC, and Memcached. Drupal sites hosted on Acquia Cloud perform better, at a much lower cost than custom- built alternatives, and benefit from Acquia s continuous platform improvements. Fully managed platform Acquia delivers your Drupal hosting platform as a service, simplifying site monitoring and eliminating operations headaches for your web team. Unparalleled developer experience Separate development, testing, and production environments are deployed automatically from Git or SVN. Drag and drop code, databases, and files between environments. Full Drush support lets you control Drupal functions from the command line. And if something goes wrong, easily roll back code or restore from automatic backups. Optimized for Drupal Acquia Cloud only hosts Drupal websites and is tuned specifically for Drupal performance. Your site gets a high PHP memory allotment, Drupal- specific LAMP stack tuning, opcode caching, Pressflow compatibility, and much more. The result is faster rendering of dynamic content and improved site reliability. Simplified Drupal infrastructure For sites that need high performance and scalability, Acquia Cloud offers everything you need. And because Acquia delivers this infrastructure as a service, you ll reduce costs and simplify site management efforts. Backed by the Acquia Network, Acquia Cloud subscribers gain additional knowledge, training materials, tools, and cloud services to enhance their web experiences.

4 Support Services Network Services Network Services refers to automated services delivered electronically to Acquia Network members and the Acquia Drupal installations that they manage. The network services are designed to provide information and functionality that help Acquia Drupal site administrators keep their sites trouble- free. The online documentation library is a set of Acquia Drupal documentation that includes original documentation specific to Acquia Drupal and the Acquia Network as well as useful documentation from other sources. Update Notifications The software update notifications service alerts Acquia Network subscribers to the availability of updates for their Acquia Drupal installation. This service is powered by the Acquia Network Module within Acquia Drupal. This module reports the current version of all components to the Acquia Network. Unlike the update notifications provided by Drupal.org, the update notifications provided by the Acquia Network are filtered and prioritized by a rigorous automated and human- assisted testing an review processs that assess each update in isolation and in conjunction with it's dependencies. Update notifications that pass this rigorous process are less likely to introduce troublesome regression issues or open new vulnerabilities. The Acquia Network also provides tools to help site administrators assess the importance of each update, convert notifications into work items, and assign and track these work items across teams of administrators in order to ensure effectively and transparent system maintenance procedures. Heartbeat monitoring The uptime monitoring service reports information about the availability of the subscribed site. The service regularly queries the site to determine if Acquia Drupal is fully operational. Modification detection The fork detection service gathers and reports local changes to the Acquia Drupal source code that could result in unexpected behavior. The Acquia Network Module within Acquia Drupal continuously monitors all code in the installation for modifications. This information helps site administrators avoid inadvertent changes that can lead to system instablility and helps Acquia tech support staff more quickly isolate root cause. When a fork is detected, Acquia support staff will work with the customer to assess the supportability of the environment on a case by case basis. Remote cron The remote cron service remotely activates the Cron service on subscribed sites running in environments that do not provide sufficient access to the local Cron service. This service ensures execution of regularly scheduled maintenance tasks and events that require the cron service including search indexing, content syndication, automated s, etc.

5 Mollom spam blocking The Mollom spam blocking service helps protect subscribed sites from unwanted user- generated content including link spam, abusive or innappropriate text- based content, robot- generated user registrations, etc. The Mollom service utilizes the Mollom Module within Acquia Drupal to intercept designated user- generated comment and registrations, evaluate them for spam content, and then either block the submission or challenge the user with a computer- aided Turing test (CAPTCHA). The Mollom service incorporates sophisticated algorithms and feedback mechanisms that enable the service to become more effective over time and to adapt quickly to emergent spam generation techniques. The Mollom service is available in a limited version and full version. Mollom limited has no encryption, no failover, and has a daily limit of 100 ham submissions, 100 correct captchas, and 5000 requests. Mollom full has SSL encryption, failover, and has a daily limit of 10,000 ham submissions, 10,000 correct captchas, and 500,000 requests. The Mollom service is operated by Mollom BVBA and is distributed by Acquia under license. Access Channels Acquia provides support through a variety of access channels. All Acquia Network members have access to special discussion forums where they can interact with Acquia support staff and with each other. The subscriber forums are pro- actively moderated by Acquia to keep discussions polite and on topic. The subscriber forums are designed for general information sharing and collaboration and cannot be used as a substitute for traditional ticket management. There is no specific service level agreement for Acquia support staff participation in the forums. Web tickets The Acquia Network console contains an web interface where members can open and manage support tickets. Acquia Network members with the access channel entitlement may may interact with Acquia support staff via . In order to ensure efficient capture of essential information, all tickets are opened via the web interface. Subsequent communications regarding the ticket may occur over . Chat Acquia Network members with the chat access channel entitlement may interact with Acquia support staff through a web- based chat interface within the Acquia Network console. In order to ensure efficient capture of essential information, all tickets are opened via the web interface. Subsequent communications regarding the ticket may occur over chat. Telephone Acquia Network members with the telephone access channel entitlement may interact with Acquia support staff by telephone.

6 Service Level Acquia Network subscriptions offer a full range of service levels to meet the needs of every project. Named Contacts Names contacts refers to the maximum number of individual Acquia Network member accounts that can be associated with this subscription. Every person who has at least one subscription on the Acquia Network has a unique member account. Members accounts may be associated with multiple subscriptions, which useful for individuals who are responsible for managing multiple Acquia Drupal installations. Similarly, subscriptions may have multiple named contacts to allow multiple administrators or developers to work together in managing the Acquia Drupal servers. The named contacts associated with each subscription may use the task management features of the Acquia Network to work together on processing update notifications and open technical support tickets. Hours The hours of operation are the days of the week and hours of the day during which Acquia support staff process tickets. Maximum initial response time The maximum initial response time is the interval between the submission of a ticket and the initial response by Acquia. Maximum tickets A ticket is an individual issue that focuses on one aspect of the an Acquia product or service e.g. use of a specific documented feature of the product or assistance with a specific problem or error message. A single support ticket may involve multiple interactions with Acquia support staff. Support Scope The support scope defines the kinds of tickets that are supported. Emergency escalation Emergency escalation is the automatic escalation to Level 3 support for Severity 1 emergency tickets. Installation troubleshooting Acquia provides assistance and advice for installing Acquia Drupal in supported environments. General how- to & troubleshooting Acquia provides assistance in the configuration of Acquia Drupal and the Acquia Network and general trouble shooting. Security best practices Acquia provides assistance in resolving and avoiding security vulnerabilities with Acquia Drupal.

7 Module selection advice Acquia suggests Drupal modules that may be useful in addressing customer requirements. Comprehensive requirements definition and module selection is offered separately as a professional services engagement through Acquia Professional Services and Acquia partners. Migration best practices Acquia offers general advice and best practices for migrating existing web sites to Acquia Drupal. Detailed, site specific migration assessment, recommendations, and implementation is available separately as a professional services engagement through Acquia Professional Services and Acquia partners. Performance best practices Acquia provides generalized guidelines and suggestions for optimizing performance of Acquia Drupal. Detailed site- specific performance assessment, recommendation and implementation is available separately as a professional services engagement through Acquia Professional Services and Acquia partners. Architecture best practices Acquia provides generalized architectural guidelines and suggestions for structuring Acquia Drupal implementations. Detailed site- specific architecture assessment, recommendation and implementation is available separately as a professional services engagement through Acquia Professional Services and Acquia partners. Module dev. best practices Acquia provides generalized guidelines and suggestions for developing custom modules for Acquia Drupal. Requirements definition, code review, debugging, and custom development is available separately as a professional services engagement through Acquia Professional Services and Acquia partners. Long Term Support Scope For each major release of Acquia Drupal designated as a Long Term Support release, Acquia provides active maintenance for three years and extended maintenance for an additional year. During the active maintenance period, Acquia will proactively attempt to resolve product defects and incompatibilities that arise in supported environments. During the extended maintenance period, Acquia will attempt to resolve Severity 1 defects only. Optional Add- ons Optional add- on services are available to enhance Acquia Network subscriptions. Technical account management A technical account manager is a senior Acquia support engineer who is dedicated to a small number of Enterprise level Acquia Network customers. Your technical account manager can take the time to learn the details of your environment, proactively provide guidance and support, and function as an extended member of your team. Access to a technical account manager is an optional service available to Production Enterprise level Acquia Network customers.

8 Additional named contacts You may purchase additional named contacts to expand the number of individuals associated with your subscription who are allowed to open tickets associated with your subscription. Additional tickets If your subscription includes a limit on the number of tickets, you may purchase additional tickets as needed. 7X24 response coverage Available as an optional add- on for Enterprise level Acquia Network subscribers, 7X24 response coverage gives you the assurance of knowing you can contact Acquia support staff at any hour of day. Call Acquia sales for additional details and pricing. Custom software engineering Custom software engineering is available as an optional add- on service for Enterprise level Acquia Network subscribers. Call Acquia sales for additional details and pricing. Support Options Developer Pro Pro Plus Enterprise on Dev Cloud Managed Cloud Infrastructure support 24x7 w/ 1 hr response for critical infra failures 24x7 w/ 1 hr response for critical infra failures 24x7 w/ 1 hr response for critical infra failures 24x7 w/ 1 hr response for critical infra failures Highly available, proactive monitoring and resizing. Infrastructure failure Proactive recovery of infrastructure only. Proactive recovery of infrastructure only. Proactive recovery of infrastructure only. Proactive recovery of infrastructure only. Highly available, fully managed will recover site for any reason. Drupal Support None 1- business day response for non- critical issues 1- business day response for non- critical issues 1- business day response for non- critical issues 24/7 Critical 1 hour response, Site/App failure Support will advise how to bring site back on line for critical tickets filed by customers. Diagnosis only. Support will advise how to bring site back on line for critical tickets filed by customers. Diagnosis only. Support will advise how to bring site back on line for critical tickets filed by customers. Diagnosis only. RA provides access to logs, code, and Drupal admin accounts to bring the site back up. Will recover site for any reason proactively. Security breach, DDOS,? Will recover site, secure site and help with diagnosis. Will manage DDOS with services. Traffic spike impacting site infrastructure Ops will proactively file a ticket suggesting DIY resizing. Site may go off- line. Resizing or reboots will cause Ops will proactively file a ticket suggesting DIY resizing. Site may go off- line. Resizing or reboots will cause downtime. Ops will proactively file a ticket suggesting DIY resizing. Site may go off- line. Resizing or reboots will cause Ops will proactively file a ticket suggesting DIY resizing. Site may go off- line. Resizing or reboots will cause downtime. Ops will diagnose resizing necessary and proactively resize in a highly available manner.

9 downtime. downtime. Resize infrastructure DIY with downtime. DIY with downtime. DIY with downtime. DIY with downtime. Proactive, highly available, 99.95% SLA Caching strategies File support ticket File support ticket Unlimited Drupal support, Advisory hours e.g. Performance, Scaling. Unlimited Drupal support, diagnose caching infrastructure, tune custom infrastructure systems and implement recommendations. e.g. Varnish, Memcache, APC Customize infrastructure DIY: SSL, PHP Memory size, Concurrent PHP process count, Memcache size, Resize, Reboot DIY: SSL, PHP Memory size, Concurrent PHP process count, Memcache size, Resize, Reboot DIY: SSL, PHP Memory size, Concurrent PHP process count, Memcache size, Resize, Reboot DIY: SSL, PHP Memory size, Concurrent PHP process count, Memcache size, Resize, Reboot Customization, and tuning of infrastructure fully managed by operations Cloud onboarding DIY. Customers must be able to debug PHP error messages, review logs, use Drush for debugging. Server resizing with downtime may be necessary. DIY. Customers must be able to debug PHP error messages, review logs, use Drush for debugging. Server resizing with downtime may be necessary. Support will advise how to diagnose site migration failures and identify common pitfalls in migrations. DIY. Customers must be able to debug PHP error messages, review logs, use Drush for debugging. Server resizing with downtime may be necessary. Support will advise how to diagnose site migration failures and identify common pitfalls in migrations. DIY. Customers must be able to debug PHP error messages, review logs, use Drush for debugging. Server resizing with downtime may be necessary. Unlimited support may be used to help with onboarding advice. A rigorous sizing, migration, load testing, onboarding audit process greatly reduces the risk profile of a cloud migration. Acquia s expertise, auditing, hands on remote administration help to not let you fail.

10 Acquia Hosting Acquia Hosting is delivered by means of Acquia operations and support personnel, Acquia- developed systems to monitor and provision cloud servers, and network services to ensure clients operate reliable trouble- free websites. Acquia Hosting is a services layer built atop Amazon Web Services, the largest and most sophisticated Cloud Computing Platform in the world. Amazon Web Services (AWS) provides a suite of network services which offer a reliable infrastructure for hosting Drupal sites. This security document outlines the policies and procedures Acquia upholds in its commitment to customer service, security, and risk mitigation. Security Accreditations HIPAA SOC 1/SSAE 16/ISAE 3402 (formerly SAS70) SOC 2 SOC 3 PCI DSS Level 1 ISO FedRAMP SM DIACAP and FISMA ITAR FIPS CSA MPAA In order to maintain the level of security we provide to our customers, not all specific details about network topology, physical locations, and security procedures are available to the public. Keeping this information private afford us a higher degree of security from would- be hackers. Acquia is committed to maintaining a high degree of transparency and trust with its customers, so we will make as much information available to our customers that we can legally and safely disclose surrounding these network specifics. Acquia will share with its customers, under NDA, a reasonable level of transparency in the processes Acquia maintains. Links to Acquia Hosting Documentation Acquia Hosting Documentation can be found here: hosting/ This resource section describes how Customers interact with Acquia Hosting, SVN code management, file and database storage locations, SSL policies, directory structure and additional helpful information.

11 Acquia Hosting Architecture Overview Acquia Hosting utilizes AWS services, including Elastic Compute Cloud (EC2), Elastic Block Storage (EBS) and Simple Storage Service (S3) to provide dedicated hosting resources to it's customers. Acquia Hosting customers are provisioned with multiple EC2 instances configured in a load balanced arrangement behind a primary and hot- spare EC2 instance acting as a software load balancer. On each EC2 server node, Linux (currently Ubuntu Server), Apache, MySQL, and PHP are installed and configured in a manner suitable for high- traffic Drupal sites. For customers with larger hosting needs, MySQL is delegated to it's own tier of EC2 instances (2 or more nodes) and configured in an Active- Active replication configuration. Each customer's cluster is provisioned with an EBS and files are replicated using Gluster File System. Load balancers are provisioned with nginx software load balancer, and varnish reverse- proxy caching server to maintain high- availability and performance by using memory- based data caching. Provisioning tools Acquia uses custom API tools to provision new hosting clusters, attach file stores, install the software and dependencies, and provide uniformity in each customer's environment. Puppet is used to manage configurations, and apply security updates and configuration changes across all clusters.

12 Redundancy, High- Availability (HA) and Failover Acquia Hosting was developed to be a high- availability hosting environment. If individual EC2 instances are degraded, a new one can be configured automatically in order to prevent downtime. Each cluster is designed to remain performant in the event of a single node removed from service. Load balancers are provisioned with hot- spares to provide HA at the topmost tier. The database tier was also designed with HA in mind using MySQL replication. Physical Network Hardware, Firewalls AWS provides its users with a complete firewall solution, configured in a deny- all mode until ports are explicitly opened by Acquia. Acquia configures additional firewall rules based on protocol, service port, and/or source IP address filtering. Systems Access Controls (Acquia and Amazon) Acquia limits access to AWS servers under its management, as well as all the information the servers contain, strictly to our operations team. Access to servers is only done through password protected SSH keys. Each Acquia employees SSH key is password protected and stored on an encrypted volume. Customers only have access to a non- privileged account. Database backups are only available through authenticated URLs. Acquia's access to customer hosted web site data is restricted to Acquia's hosting engineers, support engineers, and network operations. These staff members are all full- time employees of Acquia. Full text of Acquia s policy regarding user access (Policy #AC166) is available to Customers upon request. Acquia employees and customers have no physical access to AWS datacenters. AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Access attempts via SSH are logged and retained for retrieval and audit purposes. Operating Systems and Patch Management Acquia utilizes Puppet to synchronize, document, and deploy security patches to EC2 instances. Acquia currently has standardized on Ubuntu Server as the supported Linux distribution. DDOS, Network Vulnerability Assessments, IDS Systems AWS Network Security provides significant security against traditional security issues including integrated DDOS protection, Man In the Middle (MITM) Attacks, IP Spoofing, Port Scanning, Packet Sniffing, etc. Additional security is provided by AWS via authentication and security of the host and guest operating system within the virtualized environment. Isolation of each guest operating system from within the Xen hypervisor provides an additional level of security.

13 Encryption Encryption is supported of EBS volumes. Backup Policies and Disaster Recovery Procedures Acquia maintains a comprehensive backup solution which includes website code, static assets/files, and databases. The backup policy is listed below. Customers are provided the ability to download nightly database dumps of which the last three days are retained. The other backups listed are not accessible by customers but are available simply by requesting assistance from Acquia Support. Acquia s Disaster Recovery efforts are aided by the fact that there are no single points of failure of the system as a whole, and we utilize AWS infrastructure physically remote from our office facilities. In practice, a disaster affecting one or more of our offices would not impact the security of Customer data. It is Acquia s policy to employ restoration of Customer services in the event of a major disaster through the best reasonable timeframes. AWS Availability Zones are separate yet interconnected nodes on the overall worldwide AWS network. Best attempts would be made to restore services in an alternate availability zone in the event service in the current zone was severely impacted. Hosting Access (SSH, MySQL ports, FTP, SVN) All access to the hosting environment s root directory is done through version control, there is no write- access to this directory. For that reason FTP is not permissible. SSH is available upon request, but through an un- privileged user account to enhance security and stability of the configuration. If required, customer s can elect to open a port for remote MySQL database access. SSL / HTTPS It is supported, and strongly suggested, to configure SSL certificates on the primary domain name in order to provide SSL security for administrative functions on the site, as well as any secure transactions taking place. Acquia can set up customers with SSL certificates but cannot allow transfers of existing certificates into Acquia hosting. Security Policy Regarding Confidential Information Handling of Sensitive Data by Employees, Data Destruction Policies It is Acquia s policy to adhere to standard best practices regarding security of information while at rest and while in use within systems we maintain. Access to sensitive data is only available to the full- time employee who needs it in order to perform their job function. Destruction of data policies Sensitive Data is never stored for extended periods of time outside of the AWS infrastructure and on physical media such as CD or external hard drives. Access to client s databases would only ever be transferred outside of the AWS environment in the event it was needed to help solve a customer s problem, and local problem resolution steps were required. After this problem was rectified, the files would be purged. In practice, Customer sensitive information is never stored on company laptops, mobile devices or physical media outside of the protections AWS allows. Information is uploaded directly to servers or copied between servers via SSH.

14 Paper media is not used at our offices for printing sensitive information, as there is never a need to transfer database information to paper. Incident Response Process and Monitoring Acquia s Incident Response Policy is to notify customers within 24 hours of a Sev- 0 issue, which would impacts multiple customers. A security breach would be automatically classified as a Sev- 0 issue. Our goal is to make this notification to customers within one hour. This policy is shared with all new operations team members and listed on Acquia s intranet and other shared resources. Most of Acquia s infrastructure/operations as well as engineering teams are based in the same co- located office space in order to be centrally located. Acquia uses Nagios monitoring to provide instant access to vital metrics of the servers we provision in the AWS infrastructure. Over 25 metrics are monitored and linked to alerts via , SMS, and pager. Metrics include but are not limited to disk utilization, CPU utilization, memory usage and swap activity, processes running, DB size and storage space available, as well as many Drupal- specific metrics important to monitor. Acquia s Support team is available on a 24x7 notice in the event of a critical (site impacting) issue and will respond within 30 minutes to assist. Acquia Support is available via the Acquia Support Subscription for problems and assistance for issues related to hosting, as well as any Drupal- related problem. Included with the Acquia Enterprise Support Subscription is a minimum of two site monitoring solutions which can be employed to monitor the Drupal site itself. Heartbeat monitoring is available via a Drupal module which communicates with the Acquia Network on ever cron run. If the heartbeat is not received, the Customer s authorized contacts could be notified via alerts. Acquia also employs external site monitoring via Pingdom (or similar service) to measure page load time as well as overall uptime, using 60 second intervals. If a series of five or more pings show the site off- line, Acquia Support is notified and a critical ticket is typically filed on behalf of the customer. Acquia will typically make best efforts to reach out to the customer to see put steps in place to assist with meeting a resolution. AWS provides their own monitoring on all of the included systems as an additional measure of security and awareness. Certifications / Audits by Acquia and AWS Acquia seeks certifications as needed to provide the level of security required by specific customers. We are always looking for 3 rd party assessments and validation that our security policies are greater than what is required in the market today. Acquia recently provided a hosting system compliant with the Federal Information Security Management Act (FISMA) or a Federal Agency, in order to host one of their websites. We also retain consultants on staff with high levels of federal clearance required to work on specific government projects including Department of Defense, Defense Systems Cooperative Alliance, The Executive Office of the President and many others. Acquia maintains an annual security audit conducted internally to address the overall security of its practices. As ongoing awareness and attention towards security is very important, Acquia s engineering team is made up of experienced information security professionals who regularly review and test our infrastructure. A well- defined development process addresses and highlights vulnerabilities and prioritizes them for implementation. AWS maintains PCI / DSS Level 1, ISO 27001, SAS 70 Type II compliance.

15 Acquia's Commitment to Security in Partnership with Our Customers Physical Inspection of Acquia and AWS Facilities, Policy Surrounding Audits or Security Meetings Acquia will cooperate with Customers to provide tours and inspections of Acquia office facilities and meet with Acquia management personnel to discuss security policy or other procedures. Considering the nature of our hosting operations and that all physical machines hosting Customer websites are based within AWS secure environments, during such review of Acquia facilities very little infrastructure or physical systems would be accessible. AWS does not permit tours or inspection of its facilities by guests, Customers, or strategic partners such as Acquia. Therefore we could not facilitate any type of physical inspection for Customer to inspect AWS hosting facilities or infrastructure. Information requested by a Customer of Acquia, which has been released to Acquia by AWS under NDA, will be protected and not released in order to adhere to these confidentiality provisions. Acquia maintains some infrastructure on its premises, for example IP phone switches and LAN equipment, but none of such equipment is used to host customer websites or store Sensitive Customer Information. Customer Initiated Security or Penetration Testing Acquia s policy is to allow and encourage network vulnerability testing, penetration testing, initiated bythe Customer and at Customer s expense. Acquia s policy is to request 24 hours of notice, or reasonable timeframe of notice, before such tests, and to complete them during normal business hours. The possibility exists that our monitoring will generate critical alerts if certain conditions are met simulating a brute- force attack, port scanning, or similar penetration testing technique, etc. Acquia also requests these tests are designed in such a way not to impact other Acquia customers in order to prevent interruptions or degradation of other customer s services. Change Management Policies and Notification Procedures Acquia s policy regarding changes to infrastructure in use by customers is to make these changes with as little customer impact as reasonably possible. Acquia is committed to delivering industry- leading, reliable hosting services. Delivering these services requires, on occasion, system maintenance. This document describes the policies that apply to each class of system maintenance. The full text of Acquia s Hosting Patch Management Process (Policy #CC086) is available for Customer s to review if requested. This document contains flowcharts, policies outlining roles and responsibilities over patch management as well as testing. Acquia High- Availability Hosting's 99.95% SLA applies to maintenance downtime as well as unscheduled downtime. Scheduled Maintenance Acquia's high availability hosting architecture enables the vast majority of system maintenance to take place without a risk of downtime. Customers will be notified at least 48 hours in advance of scheduled system maintenance with a risk of significant site downtime. This maintenance will be scheduled during non- US business hours (11PM to 7AM Eastern Time). Upon request, maintenance may be performed at a time mutually agreeable to the customer and Acquia. Emergency Maintenance From time to time, a site or infrastructure emergency may require immediate maintenance. Acquia reserves the right to perform emergency maintenance to correct site problems, address critical security issues, and to respond to critical alerts. Commercial reasonable efforts will be made to avoid site downtime.

16 Customer- Requested Maintenance Acquia support will implement customer- requested changes that carry a risk of outage at time a mutually agreeable to the customer and Acquia. Privacy policy Acquia s Privacy Policy is located here: us/legal/privacy- policy This document outlines security policies we employ by Customers and guests of our website, use of services through our website, collection of personal information, and information disclosure policies. Additional resources: services/acquia- cloud/hosting- services