SOC 2 Examination for Enterprise Experimentation

Optimizely has successfully completed the SOC 2 examination for the Optimizely X experimentation platform.

At Optimizely, security and data trust are paramount to what we do.

Whether implementing the Optimizely snippet or SDK, there’s a level of trust that our customers expect when using our product. That’s why it’s our responsibility to show our commitment to compliance and security. We’re proud to have completed our Type 1 SOC 2 examination for Security, Availability and Confidentiality as a testament to our security practices.

Optimizely has completed a Type 1 SOC 2 examination. The examination was performed by Schellman & Company — an independent CPA firm — for the scope of service described below.

  • Examination Scope: Optimizely X Experimentation Platform
  • Selected SOC 2 Principles: Security, Availability and Confidentiality
  • Examination Type: Type 1
  • Review Date / Period: August 2, 2017
  • Service Auditor: Schellman & Company, LLC

Optimizely is committed to performing further SOC 2 examinations in future years.


FAQs

What’s in the SOC 2 Report?

Optimizely was examined in three Trust Service principles as part of the SOC 2 examination:

  • Security - The system is protected against unauthorized access, use, or modification.
  • Availability - The system is available for operation and use as committed or agreed.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.

Please see above for the factors relevant to our recent SOC 2 report.

How do I request a copy of Optimizely’s SOC 2 Report?

Optimizely’s SOC 2 report is available to existing and prospective customers under a non-disclosure agreement. Contact your customer success manager or account executive to request a copy.

What is a SOC 2 Report?

By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can respond to meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities. To provide the framework for CPAs to examine controls and to help management understand the related risks, the AICPA has established three Service Organization Control (SOC) reporting options. The three types of SOC reports within the structure are as follows:

  • SOC 1 Reporting on Controls at a Service Organization (also known as SSAE 16)
  • SOC 2 Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
  • SOC 3 SysTrust for Service Organizations

SOC 2 reports are attestation reports that opine on controls at a service organization relevant to the security, availability, or processing integrity of a system (security, availability, and/or processing integrity principles) or the confidentiality or privacy of the information processed for the user entities (confidentiality or privacy principles). SOC 2 reports are an alternative to SOC 1 (SSAE 16) examinations, which may only opine on a service organization’s controls that are likely to be relevant to user entities’ internal controls over financial reporting.

There are five Trust Services principles that a service organization may opt to be evaluated against as part of a SOC 2 examination. The service organization may select any combination of the following principles:

  • Security - The system is protected against unauthorized access, use, or modification.
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing Integrity - System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.

The specific Trust Services principles selected by Optimizely, Inc. are Security, Confidentiality, and Availability.

SOC 2 examinations may only be performed by a licensed CPA firm.

SOC 2 reports are restricted use reports, which means that the authorized users of the report are generally management of Optimizely, Inc., user entities (customers) of the services provided by Optimizely, Inc. during the time period of the examination, prospective user entities, independent auditors of these user entities, and other parties who have sufficient knowledge and understanding of Optimizely, Inc.’s services covered by the SOC 2 report.

There are two types of SOC 2 examinations. SOC 2 reports that opine on management’s description of a service organization’s system and the suitability of the design of controls are referred to as Type 1 reports. These examinations always have a review date. SOC 2 reports that opine on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls are referred to as Type 2 reports. These examinations always have a review period.