Optimizely EU Data Privacy

 

To ensure the protection, privacy, and security in the processing of personal data, Optimizely treats your data in accordance with the principles of fairness, lawfulness, transparency and data minimization, in compliance with EUI Data Protection Policy (EUI President’s Decision 10/2019), inspired by the EU General Data Protection Regulation (GDPR).

While the majority of Optimizely’s product and services are in-scope for the EU Data Boundary, subject to the continuing flows of Customer Data, pseudonymized personal data, and Managed Services Data related to operation and use of the services, some services aren't in scope for the EU Data Boundary, typically where the nature of the service and the customer value it provides can't be delivered by implementing a regionalized architecture.

Data Privacy/Data Protection at Optimizely

DPA

Optimizely maintains an EU/GDPR compliant Data Processing Agreement (DPA) with SCCs + UK & Swiss Addendums to the EU Commission, this is publicly available on our website at: Data processing agreement - Optimizely.  

BCRs

Optimizely are in the progress of working towards approved Binding Corporate Rules (BCR) with the Swedish Data Protection Authority. Optimizely continues to operate under drafted BCR controls – for more information please go to BCR - Optimizely.

Sub-processors

The sub-processors supporting the delivery of Optimizely products are listed on the Optimizely Sub-processors page. These sub-processors are selected based on rigorous security due diligence and the ability to support hosting and delivery services within the EU.

Data Hosting

Optimizely EU Data Hosting provides a solution for customers in the European Union (EU) to use Optimizely products and services in compliance with their internal privacy and residency requirements. If you choose to select the EU Data Hosting (where applicable), your data will be stored in EU data centers ensuring that you have full control over data location. This provides an added layer of assurance for customers. Optimizely remains committed to supporting your data requirements while delivering reliable and secure services across its platforms. 

Geofencing

For those customers, concerned about their data leaving the EU for support purposes, Optimizely offers the option to apply Geofencing - Optimizely which is a free service the customer can add to their account that’s set regional controls on the members of the Optimizely organization so that only EU support members can service their application. In case of an emergency the customer has the ability to overturn any geofencing controls via our ‘break the glass’ waiver, ensuring that the customer has the flexibility to choose the support levels they require.

The Digital Operational Resilience Act (DORA) and NIS2 Directive

Dora

Digital Operational Resilience Act, is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. Optimizely has produced a DORA supplement to its existing Software Service Agreements to provide its customers doing business in those financial industries and markets to support them in compliance with DORA.

NIS2

NIS2, or the Network and Information Security Directive 2, is the EU Directive (EU) 2022/2555, establishing cybersecurity requirements for essential services and critical infrastructure across the European Union, as amended, supplemented, or replaced from time to time, including any applicable national implementation laws and regulations. In light of this, Optimizely has produced some NIS2 guidelines to support our customers in complying with the requirements under this framework.

Certifications

Optimizely maintains certifications including ISO27001 for Information Security, ISO27017 for Cloud Security, ISO27018 for Cloud Privacy, PCI-DSS, SOC2 Type 2 and TISAX (EU Automotive).

Learn more about Optimizely Security, Privacy, and Compliance at Trust Center - Optimizely.

Last Updated: September 23, 2025