Skip to content
Optimizely Logo

Privacy

Optimizely respects the importance of the confidentiality, privacy and security of information processed by any Optimizely Software Service. In this period of rapid technological and regulatory change, it has never been more important to take a considered approach to protecting personal data. At Optimizely we understand how much effort it takes to assess and manage privacy risks. That’s why Optimizely builds its services with an eye towards minimizing that effort for our customers.

Our digital experience optimization solutions provide industry-leading functionality to help you quickly manage data, identify and label data types that are actionable under a access or delete request, and execute requests through multiple paths. Privacy and security considerations are baked directly into our product development process so customers can spend more time on unlocking their digital potential and less time worrying about compliance. 

We help safeguard your personal data

Privacy

Data privacy is important to all customers especially those operating in industries like financial services, healthcare and the public sector. We understand what's at stake and always operate in a highly secure and consistent manner while handling your information.

See Optimizely Privacy Notice for more information.

Product readiness

We understand that your customers may be concerned about how their personal data is managed. We are committed to help you address these concerns and meet your compliance obligations. Here are some of the ways we build privacy into our services.

Security

Optimizely is backed by security controls designed to protect your data. Our controls are constantly under third party review with certifications from PCI, ISO27001 and SOC2.

Organizational readiness

We are committed to providing transparency and building trust. At Optimizely, our team of privacy, security and compliance experts are constantly working to maintain compliance with existing requirements and preparing to meet new ones.

Product Privacy Features

  • Assist Customers in compliance with data security obligations.
  • Supports Customers preference gathering consent for marketing communications.
  • Make relevant information available to customers to allow due diligence.
  • Use sub-processors that flow down our own processing obligations.
  • Respect individual rights via API and in-app data requests.
  • Enhanced support for data transfer and data security obligations.
  • Respect user rights via admin level data requests.
  • Geofencing enabling Customers to choose to have their data in EU or US.
  • Cookies that support a variety of customer legal basis options.

Product Readiness

Data Deletion & Access

Data subjects in certain jurisdictions may request access to or erasure of their personal data. We have built tools to help our customers fulfill these requests.

Encryption

By default, our web snippet communicates with optimizely.com using Transport Layer Security (TLS), which is regularly updated to use updated ciphersuites and TLS configurations.

In addition, all Visitor Data stored by Optimizely and its third party service providers is encrypted at rest. Please see our documentation for details.

Cookie compliance

To comply with the GDPR, companies may want to review the cookies and local storage objects set by their EU websites. Optimizely can be integrated with popular tag management and cookie banner tools to make it easier for you to customize your approach to cookie compliance. 

Organizational Readiness

Privacy & Data Protection Compliance

Optimizely’s Privacy, Security, and Compliance teams have developed and implemented a company-wide privacy program to help ensure compliance with GDPR, CCPA and other relevant privacy and data protection laws and regulations.

Training & Privacy Awareness

As part of our employee onboarding and continuous training, all Optimizely employees receive annual privacy and security training. In addition, members of our engineering and product teams receive specialized data privacy and software security training annually. All efforts are overseen by our Privacy, Security and Compliance teams.

Data Mapping

To verify that our privacy practices are appropriate, Optimizely maintains a data map of our product documenting how data is collected and what systems process personal data.

Informational Security Policies

We have published information security and data protection policies governing when employees and contractors can access data stores containing your data.

Data Transfer

The GDPR including the Schrems II ruling, restricts the export or use of personal data to countries the EU and European Economic Area (EEA). We have implemented geo-fenced process and technical controls to limit transfer and access of personal data to allowed regions. We also support inquiry, correction and deletion for both your direct and indirect personal data.

Data Privacy Framework (DPF)  

Optimizely complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, the Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Frameworks” or “DPFs”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to the U.S. from the European Union (EU), United Kingdom (UK) and /or Switzerland respectively. 

Optimizely is certified under the EU-U.S. Data Privacy Framework. To view our public listing, visit the Data Privacy Framework website 

Incident Response

We have implemented a data breach and incident response plan that leverages advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.

Product Reviews

Our Security and Privacy teams review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.

AI Ethics Policy

Optimizely leverages AI technologies while always protecting customer data and limiting risks.

Learn more at AI Ethics policy - Optimizely.

Vendor Reviews

We have conducted security and privacy reviews of our vendor contracts. As a result, we have DPAs with those vendors who may help us process personal data on your behalf.

Contractual Protections

To support your efforts to provide EU-compliant contractual protections, we have created a GDPR-ready Data Processing Agreement (DPA).

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection compliance.