Privacy & Data Protection

How Optimizely helps our customers meet their data privacy obligations

In this period of rapid technological and regulatory change, it has never been more important to take a considered approach to protecting personal data. From the European General Data Protection Regulation (GDPR) to new US state laws like the California Consumer Privacy Act (CCPA), we know how much effort it takes to assess and manage privacy risks. That’s why Optimizely builds its services with an eye towards minimizing that effort for our customers.

Our digital experience optimization solutions provide industry-leading functionality with minimal collection of personal data and an emphasis on security. Privacy and security considerations are baked directly into our product development process, so customers can spend more time on experimentation and less time worrying about compliance. Here’s some of what we’re doing to help our customers.

Privacy at Optimizely FAQ

Trust and transparency are core values of Optimizely and we are proud of our security and privacy certifications such as SOC-2 and ISO. To help you understand our approach to privacy and data protection, we created this document to answer frequently asked questions.

Helping to safeguard your personal data at Optimizely

Product Readiness

We understand that your customers may be concerned about how their personal data is used and managed. We are committed to helping you address these concerns and meet your compliance obligations. Here are some of the ways we build privacy directly into our services.

Organizational Readiness

We are committed to providing transparency and building trust. At Optimizely, our team of privacy, security, and compliance experts are constantly working to maintain compliance with existing requirements and preparing to meet new ones.


Optimizely is backed by security controls designed to protect your data.

We are PCI certified, and have achieved ISO 27001 certification and successfully completed a Type 1 SOC 2 examination.

Product Readiness

IP Anonymization

By default, Optimizely anonymizes IP addresses by removing the last block of your visitors’ IP addresses before storing event data.


By default, our web snippet communicates with using Transport Layer Security (TLS), which is regularly updated to use updated ciphersuites and TLS configurations.

In addition, all Visitor Data stored by Optimizely and its third party service providers is encrypted at rest. Please see our documentation for details.

Data Deletion and Access

Data subjects in certain jurisdictions may request access to or erasure of their personal data. We have built tools to help our customers fulfill these requests

Cookie Compliance

To comply with the GDPR, companies may want to review the cookies and local storage objects set by their EU websites. Optimizely can be integrated with popular tag management and cookie banner tools to make it easier for you to customize your approach to cookie compliance. In addition, you can set a cookie expiration through our APIs.

If you are an Optimizely customer and want to learn how to make a GDPR subject access request, please consult our documentation.

Organizational Readiness

Privacy and Data Protection Compliance

Optimizely’s Privacy, Security, and Compliance teams have developed and implemented a company-wide privacy program to help ensure compliance with GDPR, CCPA, and other relevant privacy and data protection laws and regulations.

Training and Privacy Awareness

As part of our employee onboarding and continuous training, all Optimizely employees receive annual privacy and security training. In addition, members of our engineering and product teams receive specialized data privacy and software security training annually. All efforts are overseen by our Privacy, Security,and Compliance teams.

Data Mapping

To verify that our privacy practices are appropriate, Optimizely maintains a data map of our product documenting how data is collected and what systems process personal data.

Informational Security Policies

We have published information security and data protection policies governing when employees and contractors can access data stores containing your data.

Data Transfer

The GDPR restricts the export of personal data to countries outside the EU and the European Economic Area (EEA) unless certain controls are in place. We have certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related personal data collected by Optimizely, if any. This provides customers with the option of relying on these frameworks for the transfer of data from the EU to the U.S.

Incident Response

We have implemented a data breach and incident response plan that leverages advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.

Product Reviews

Our Security and Privacy teams review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.

Vendor Reviews

We have conducted security and privacy reviews of our vendor contracts. As a result, we have DPAs with those vendors who may help us process personal data on your behalf.

Contractual Protections

To support your efforts to provide EU-compliant contractual protections, we have created a GDPR-ready Data Processing Agreement (DPA).

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection compliance.

To see a list of our subprocessors, please consult this page.

Privacy Best Practices for Experimentation

Privacy compliance is a shared responsibility. As the data controller of your website and other digital projects, you should review your data collection practices to ensure compliance.

Notice and Consent for Data Collection

Review your data collection practices to ensure you have appropriate permissions, where necessary, to collect information from your visitors. Consider using a cookie banner or other just-in-time privacy notices, where needed, to obtain consent. Also consider how to communicate the value of the additional services provided, which is a great opportunity for experimentation to maximize the opt-in rate.

Privacy Operations

Create a process to address data subject access request, including how you plan to authenticate the data subject. Review your existing vendor relationships to ensure that they offer appropriate protections for your data.

Data Minimization

Review your data collection practices and think about how to minimize the collection of personal data. Consider turning on IP anonymization or shortening your cookie expiration policies.


Optimizely is backed by security controls designed to protect your data. We are PCI certified, and have achieved ISO 27001 certification and successfully completed a Type 1 SOC 2 examination.