Every day, thousands of companies use Optimizely on their website, including companies like Microsoft, ABC, and the New York Times. These companies collectively deliver billions of experiences every month through Optimizely, so security is a top priority for us.
Optimizely requires authentication for all application pages and resources, except for those specifically intended to be public. All authentication controls must be enforced on a trusted system, and all authentication controls fail securely. Optimizely uses TLS-encrypted POST requests to transmit authentication credentials.
We enforce the following password requirements and security standards:
2-Step Verification increases the security of your Optimizely account by adding a second level of authentication when signing in. Instead of relying only on a password, 2-Step Verification will also require you to enter a temporary code that you access from your mobile phone. With 2-Step Verification enabled, you can:
Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is an account-level feature that applies across all projects and experiments. More information on SSO can be found here.
Each time a user signs into optimizely.com, they receive a new, unique session identifier. Each session identifier is 64 bytes of random data to protect against brute forcing.
When signing out, the session cookie is deleted from the client and the session identifier is invalidated on Optimizely servers.
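The session lifecycle described above (a fresh identifier on every sign-in, 64 bytes of randomness, and server-side invalidation at sign-out so a copied cookie stops working), as an added illustration that is not Optimizely's own code; the in-memory store, the one-hour lifetime and the cookie name are assumptions for the example.

```python
import secrets
import time

SESSION_ID_BYTES = 64  # 64 bytes of random data, as the page states
COOKIE_NAME = "session"  # assumed name for the example


class SessionStore:
    """Server-side session store. In-memory here (constructed example);
    a real deployment would use a shared store reachable by every server."""

    def __init__(self, ttl_seconds=3600):  # one-hour lifetime is an assumption
        self._sessions = {}  # session_id (hex) -> {"user": ..., "expires": ...}
        self._ttl = ttl_seconds

    def sign_in(self, user_id):
        # A new identifier on every sign-in: an id handed out before login is
        # never promoted, which defeats session fixation.
        session_id = secrets.token_hex(SESSION_ID_BYTES)  # 128 hex chars = 64 bytes
        self._sessions[session_id] = {"user": user_id,
                                      "expires": time.time() + self._ttl}
        return session_id

    def user_for(self, session_id):
        """Return the user bound to the session, or None if unknown/expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[session_id]  # lazy expiry
            return None
        return entry["user"]

    def sign_out(self, session_id):
        # Clearing the cookie on the client is not enough: the identifier must
        # also be removed here so a previously copied cookie is rejected.
        return self._sessions.pop(session_id, None) is not None


def session_cookie_header(session_id):
    """Set-Cookie value for a signed-in user: only over TLS, not readable by
    scripts, and not sent on cross-site requests."""
    return f"{COOKIE_NAME}={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def clear_cookie_header():
    """Set-Cookie value that deletes the session cookie on the client."""
    return f"{COOKIE_NAME}=; Max-Age=0; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The check a practitioner wants is that `user_for` returns `None` for an id after `sign_out`, not merely that the browser no longer sends it.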
All communication with optimizely.com is encrypted using Transport Layer Security (TLS) and is regularly updated to use the strongest ciphersuites and TLS configuration.
Optimizely is designed for use cases ranging from single account holders to large teams. You can invite users to your account without giving all team members the same levels of access.
User roles are available for Enterprise accounts and specify different levels of permissions that you can use to manage collaborators on an Optimizely project. They are especially useful when there are multiple people working on the same project or experiment. The following list describes how to implement the user roles and the access given to each role.
More information on roles and permissions can be found here.
These user permission levels limit exposure to risk by ensuring that Optimizely users see exactly what they need to run impactful experiments.
Logs are kept at all account levels for changes made to user accounts for both Optimizely administrators and end users. Optimizely maintains records of the following information:
Optimizely provides you with the option to anonymize IP addresses before we store results data. If enabled,
This feature is available at the account and project levels. Once activated, it will apply to all future experiments.
The Optimizely software development lifecycle (SDLC) includes many activities to foster building security into Optimizely products:
Optimizely clients (web, desktop, mobile, and API) are designed, developed, deployed and tested in accordance with leading industry standards (at a minimum, OWASP standards for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Optimizely's Software Security Program is measured using the Building Security In Maturity Model (BSIMM).
Optimizely's security controls are measured using the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ).
To provide an optimum experience to our customers and visitors, we collect various pieces of information. Examples of types of data that Optimizely's service collects include:
Access to Customers' information is restricted within Optimizely and is only authorized for the purposes of providing direct customer support or for future product enhancements (for instance, to understand how an engineering change affects a group of customers). Optimizely subcontractors may have access to customer data when analyzing or maintaining infrastructure. Sensitive customer data is never shared with anyone outside of Optimizely and its subcontractors.
Optimizely takes the safety and security of your information seriously. We have implemented employee access controls that protect your information from unauthorized use:
Optimizely customers retain responsibility for ensuring that their use of our service complies with applicable laws and regulations. This is described in the Optimizely Master Subscription Agreement and online terms, which can be found at https://www.optimizely.com/terms.
Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
All hosts run antivirus, are kept up to date with security patches, and have full disk encryption enabled.
Optimizely has a Security Incident Response Plan designed to quickly and systematically respond to security incidents that may arise. The incident response plan is tested and refined on a regular basis.
Optimizely's infrastructure is designed to provide the best experience and to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include: