Compliance with the GDPR

Regulatory compliance requires a considered approach

The new ‘General Data Protection Regulation’ (GDPR) came into effect on 25 May 2018, creating a unified data protection legislation across all EU member states. The GDPR changes the way organizations collect, use, and manage personal data from the EU. Companies collecting personal data from the EU need to take a considered approach to their personal data collection and protection practices.

Prior to the GDPR, each country within the EU had different data protection laws, making it difficult for companies to comply across Europe. Because the GDPR creates single data protection regime for Europe, companies can comply at the European level rather than on a country-by-country basis.

Although the GDPR is an EU regulation, it does not only affect companies in the EU, but also companies that collect personal data from the EU. For consumers in Europe, the GDPR helps to protect their privacy and stop unwanted solicitation.

At Optimizely, we are aware of the effort it takes to meet GDPR requirements. This is what we’re doing to help our customers.

If you are an Optimizely customer and want to learn how to make a subject access request, please consult our documentation.

Trust and transparency are core values of Optimizely and we are proud of our security and privacy certifications such as SOC-2 and ISO. To help you understand our approach to privacy and data protection, we created the document above to answer frequently asked questions.
David Schwarzbach
David Schwarzbach


Helping to safeguard your personal data at Optimizely

Organizational Readiness

We are dedicated to providing transparency and building trust. A committee of representatives from various Optimizely teams has worked together to get the organization and product ready to meet new security and privacy requirements.

Product Readiness

We understand that your visitors are concerned about how their personal data is used and managed. We are committed to help you address this concern and meet your compliance obligations.


Optimizely is backed by security controls designed to protect your data.

We have achieved ISO 27001 certification and successfully completed a Type 1 SOC 2 examination.

GDPR Vendor Check

To comply with the GDPR, organizations have to ensure that their vendors and sub-contractors are GDPR-ready. Download this checklist to understand the criteria that your vendors should meet and how Optimizely does.

Product Readiness

IP Anonymization

As IP addresses could be considered personal data, Optimizely allows you to easily anonymize IP addresses by removing the last block of your visitors’ IP address before storing event data.


By default, our snippet communicates with using Transport Layer Security (TLS), which is regularly updated to use updated ciphersuites and TLS configurations.

Data Deletion and Access

Under the GDPR, data subjects may request access to or erasure of personal data stored by a company. We have built tools to help our customers fulfill these subject access requests.

Cookie Compliance

To comply with the GDPR, companies may want to review the cookies and local storage objects set by their EU websites. Optimizely can be integrated with popular tag management and cookie banner tools to make it easier for you to customize your approach to cookie compliance. In addition, you can set a custom cookie expiration through our APIs.

Organizational Readiness

GDPR Planning

Optimizely’s security, privacy, and compliance team has reviewed our product features and conducted an assessment of organizational requirements for compliance with the GDPR. It has developed and is implementing a GDPR compliance plan across our organization with buy-in from executive-level members of our organization.

Training and Privacy Awareness

As part of our employee onboarding and continuous training, members of our engineering and product teams learn about privacy. In addition, software engineers receive software security training annually. All efforts are overseen by our security, privacy and compliance team.

Data Mapping and Privacy Impact Assessment

To verify that our privacy practices are appropriate, our product and engineering teams completed a data map of our product documenting how data is collected and what systems process personal data..

Informational Security Policies

We have published informational security and data protection policies governing when employees and contractors can access data stores containing your data.

Data Transfer

The GDPR restricts the export of personal data to countries outside the EU and the European Economic Area (EEA) unless certain controls are in place. We have certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related personal data collected by Optimizely, if any. This provides customers with the option of relying on these frameworks for the transfer of data from the EU to the U.S.

Incident Response

We leverage advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. We have implemented a data breach and incident response plan. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.

Product Reviews

We review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.

Vendor Reviews

We have conducted security and privacy reviews of our vendor contracts. As a result we have DPAs with vendors who process personal data, we have collected for you, if any.

Contractual Protections

To support your efforts to provide EU-compliant contractual protections, we have created a GDPR-ready Data Processing Agreement (DPA).

Data Protection Officer

We have appointed a group Data Protection Officer (DPO) to oversee our privacy and data protection compliance.

Privacy at Optimizely FAQ

Learn more about the privacy impact of using Optimizely with this summary of frequently asked privacy questions.


Review your data collection practices to ensure you have appropriate permissions, where necessary, to collect information from your visitors. Consider using just-in-time privacy notices if needed to obtain consent. Also consider how to communicate the value of the additional services provided, which is a great opportunity for experimentation to maximize the opt-in rate.


Create a process to address data subject access request, including how you plan to authenticate the data subject. Review your existing vendor relationships to see whether they offer appropriate protections for your data.

Data Minimization

Review your data collection practices and think about how to minimize the collection of personal data. Consider turning on IP anonymization or shortening your cookie expiration policies.