How Optimizely helps our customers meet their data privacy obligations
In this period of rapid technological and regulatory change, it has never been more important to take a considered approach to protecting personal data. From the European General Data Protection Regulation (GDPR) to new US state laws like the California Consumer Privacy Act (CCPA), we know how much effort it takes to assess and manage privacy risks. That’s why Optimizely builds its services with an eye towards minimizing that effort for our customers.
Our digital experience optimization solutions provide industry-leading functionality with minimal collection of personal data and an emphasis on security. Privacy and security considerations are baked directly into our product development process, so customers can spend more time on experimentation and less time worrying about compliance. Here’s some of what we’re doing to help our customers.
Trust and transparency are core values of Optimizely and we are proud of our security and privacy certifications such as SOC-2 and ISO. To help you understand our approach to privacy and data protection, we created this document to answer frequently asked questions.
We understand that your customers may be concerned about how their personal data is used and managed. We are committed to helping you address these concerns and meet your compliance obligations. Here are some of the ways we build privacy directly into our services.
We are committed to providing transparency and building trust. At Optimizely, our team of privacy, security, and compliance experts are constantly working to maintain compliance with existing requirements and preparing to meet new ones.
Optimizely is backed by security controls designed to protect your data.
We are PCI certified, and have achieved ISO 27001 certification and successfully completed a Type 1 SOC 2 examination.
By default, Optimizely anonymizes IP addresses by removing the last block of your visitors’ IP addresses before storing event data.
By default, our web snippet communicates with optimizely.com using Transport Layer Security (TLS), which is regularly updated to use updated ciphersuites and TLS configurations.
In addition, all Visitor Data stored by Optimizely and its third party service providers is encrypted at rest. Please see our documentation for details.
Data Deletion and Access
Data subjects in certain jurisdictions may request access to or erasure of their personal data. We have built tools to help our customers fulfill these requests
To comply with the GDPR, companies may want to review the cookies and local storage objects set by their EU websites. Optimizely can be integrated with popular tag management and cookie banner tools to make it easier for you to customize your approach to cookie compliance. In addition, you can set a cookie expiration through our APIs.
If you are an Optimizely customer and want to learn how to make a GDPR subject access request, please consult our documentation.
Privacy and Data Protection Compliance
Optimizely’s Privacy, Security, and Compliance teams have developed and implemented a company-wide privacy program to help ensure compliance with GDPR, CCPA, and other relevant privacy and data protection laws and regulations.
Training and Privacy Awareness
As part of our employee onboarding and continuous training, all Optimizely employees receive annual privacy and security training. In addition, members of our engineering and product teams receive specialized data privacy and software security training annually. All efforts are overseen by our Privacy, Security,and Compliance teams.
To verify that our privacy practices are appropriate, Optimizely maintains a data map of our product documenting how data is collected and what systems process personal data.
Informational Security Policies
We have published information security and data protection policies governing when employees and contractors can access data stores containing your data.
The GDPR restricts the export of personal data to countries outside the EU and the European Economic Area (EEA) unless certain controls are in place. We have certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related personal data collected by Optimizely, if any. This provides customers with the option of relying on these frameworks for the transfer of data from the EU to the U.S.
We have implemented a data breach and incident response plan that leverages advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.
Our Security and Privacy teams review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.
We have conducted security and privacy reviews of our vendor contracts. As a result, we have DPAs with those vendors who may help us process personal data on your behalf.
To support your efforts to provide EU-compliant contractual protections, we have created a GDPR-ready Data Processing Agreement (DPA).
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection compliance.
To see a list of our subprocessors, please consult this page.
Privacy compliance is a shared responsibility. As the data controller of your website and other digital projects, you should review your data collection practices to ensure compliance.
Review your data collection practices to ensure you have appropriate permissions, where necessary, to collect information from your visitors. Consider using a cookie banner or other just-in-time privacy notices, where needed, to obtain consent. Also consider how to communicate the value of the additional services provided, which is a great opportunity for experimentation to maximize the opt-in rate.
Create a process to address data subject access request, including how you plan to authenticate the data subject. Review your existing vendor relationships to ensure that they offer appropriate protections for your data.
Review your data collection practices and think about how to minimize the collection of personal data. Consider turning on IP anonymization or shortening your cookie expiration policies.
Optimizely is backed by security controls designed to protect your data. We are PCI certified, and have achieved ISO 27001 certification and successfully completed a Type 1 SOC 2 examination.
Get started creating digital experiences that transform your company
An error has occurred