Every day, thousands of companies use Optimizely on their website, including companies like Microsoft, ABC, and the New York Times. These companies collectively deliver billions of experiences every month through Optimizely, so we build our services with security in mind.
Optimizely requires authentication for all application pages and resources, except for those specifically intended to be public. All authentication controls must be enforced on a trusted system, and all authentication controls fail securely. Optimizely uses TLS-encrypted POST requests to transmit authentication credentials.
We enforce the following password requirements and security standards:
2-Step Verification increases the security of your Optimizely account by adding a second level of authentication when signing in. Instead of relying only on a password, 2-Step Verification will also require you to enter a temporary code that you access from your mobile phone. With 2-Step Verification enabled, you can:
To learn more about how to enable this feature, refer to the Optiverse knowledge base article. A detailed explanation of 2-Step Verification is available in our blog.
Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is an account-level feature that applies across all projects and experiments. More information on SSO can be found here.
Each time a user signs into optimizely.com, they receive a new, unique session identifier. Each session identifier is 64 bytes of random data to protect against brute forcing.
When signing out, the session cookie is deleted from the client and the session identifier is invalidated on Optimizely servers.
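The session lifecycle described above (a fresh 64-byte random identifier on every sign-in, and server-side invalidation plus cookie deletion on sign-out) can be illustrated with the following added example. It is not Optimizely's code; the store, the idle timeout, the cookie name `sid` and the choice to key the store by a SHA-256 digest of the identifier are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 64            # 64 bytes of randomness, as stated on the page
SESSION_TTL_SECONDS = 12 * 3600  # assumed idle timeout; the page states none


@dataclass
class Session:
    user: str
    created_at: float
    expires_at: float


class SessionStore:
    """In-memory server-side session store (assumed design).

    The store is keyed by a SHA-256 digest of the session identifier rather
    than the identifier itself, so a leaked copy of the store does not yield
    cookies that could be replayed. The clock is injectable for testing."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[bytes, Session] = {}

    @staticmethod
    def _key(session_id: str) -> bytes:
        return hashlib.sha256(session_id.encode("ascii")).digest()

    def create(self, user: str) -> str:
        """Issue a brand-new identifier on every sign-in; never reuse one."""
        token = secrets.token_urlsafe(SESSION_ID_BYTES)  # 64 random bytes, base64url
        now = self._now()
        self._sessions[self._key(token)] = Session(user, now, now + SESSION_TTL_SECONDS)
        return token

    def resolve(self, session_id: str) -> Optional[str]:
        """Return the user for a valid session, or None if unknown or expired."""
        key = self._key(session_id)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if sess.expires_at <= self._now():
            del self._sessions[key]      # expired sessions are purged on touch
            return None
        return sess.user

    def destroy(self, session_id: str) -> bool:
        """Sign-out: invalidate server-side so the cookie is useless if it leaks."""
        return self._sessions.pop(self._key(session_id), None) is not None


def set_cookie_header(session_id: str) -> str:
    """Cookie attributes a TLS-only site should send with the identifier."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_cookie_header() -> str:
    """Sent on sign-out so the client discards the (already invalid) cookie."""
    return "Set-Cookie: sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    first = store.create("alice")
    second = store.create("alice")           # a second sign-in gets a different id
    print("distinct ids:", first != second)
    print("resolve:", store.resolve(first))
    store.destroy(first)
    print("after sign-out:", store.resolve(first))
    print(set_cookie_header(second))
    print(clear_cookie_header())
```

Both halves of the sign-out matter: clearing the cookie alone leaves the identifier valid on the server, and invalidating server-side alone leaves a dead cookie on the client; the example does both.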
All communication with optimizely.com is encrypted using Transport Layer Security (TLS) and is regularly updated to use the strongest ciphersuites and TLS configuration.
Optimizely is designed for use cases ranging from single account holders to large teams. You can invite users to your account without giving all team members the same levels of access.
User roles are available for Enterprise accounts and specify different levels of permissions that you can use to manage collaborators on an Optimizely project. They are especially useful when there are multiple people working on the same project or experiment. The following list describes how to implement the user roles and the access given to each role.
More information on roles and permissions is available here.
These user permission levels limit exposure to risk by ensuring that Optimizely users see exactly what they need to run impactful experiments.
Logs are kept at all account levels for changes made to user accounts for both Optimizely administrators and end users. Optimizely maintains records of the following information:
Detailed logs are available in the Change History tab from your account home page. Detailed Change History shows you what was changed in your variation code, experiment JavaScript, and/or experiment CSS, by whom, and when the changes were made. You have a clear and complete audit trail of these code changes on your experiments and you can quickly isolate any accidental edits. More information on the Change History feature can be found here.
Optimizely provides you with the option to anonymize IP addresses before we store results data. If enabled,
This feature is available at the account and project levels. Once activated, it will apply to all future experiments.
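The page does not say how the anonymization is performed, so the following added example shows one common approach (not Optimizely's code): before a results record is written, the IPv4 address is truncated to its /24 network and the IPv6 address to its /48 prefix. The mask lengths, the `anonymize_ip` and `anonymize_event` names, and the sample event records are assumptions made for illustration.

```python
import ipaddress
from typing import Any, Dict

# Assumed mask lengths: keep the network part, drop the host-identifying bits.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymize_ip(raw: str) -> str:
    """Return the address with host bits zeroed. Raises ValueError on bad input."""
    addr = ipaddress.ip_address(raw.strip())
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_event(event: Dict[str, Any], enabled: bool) -> Dict[str, Any]:
    """Apply anonymization to a results record before it is stored.

    When the feature is enabled and the 'ip' field cannot be parsed, the field
    is dropped rather than stored as-is, so an unparseable value can never
    leak an un-anonymized address into the results store."""
    out = dict(event)
    if not enabled or "ip" not in out:
        return out
    try:
        out["ip"] = anonymize_ip(str(out["ip"]))
    except ValueError:
        del out["ip"]
    return out


if __name__ == "__main__":
    # Constructed sample events, not real visitor data.
    events = [
        {"experiment": "exp-1", "variation": "b", "ip": "203.0.113.57"},
        {"experiment": "exp-1", "variation": "a", "ip": "2001:db8:abcd:1234::5"},
        {"experiment": "exp-2", "variation": "a", "ip": "not-an-ip"},
    ]
    for ev in events:
        print(anonymize_event(ev, enabled=True))
```

Applying the mask at the write path, rather than on read, matches the "before we store results data" wording above: the raw address never reaches the results store at all.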
The Optimizely software development lifecycle (SDLC) includes many activities to foster building security into Optimizely products:
Optimizely clients (web, desktop, mobile, and API) are designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications), meeting OWASP standards at a minimum, and adhere to applicable legal, statutory, or regulatory compliance obligations.
Optimizely's Software Security Program is measured using the Building Security In Maturity Model (BSIMM).
Optimizely's security controls are measured using the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ).
We are in the process of moving our bug bounty program to a new bug bounty vendor. Until the move is complete please report all issues directly to us via our email address security@optimizely.com.
To provide an optimum experience to our customers and visitors, we collect various pieces of information. Examples of types of data that Optimizely's service collects include:
Access to Customers' information is restricted within Optimizely and is only authorized for the purposes of providing direct customer support or for future product enhancements (for instance, to understand how an engineering change affects a group of customers). Optimizely subcontractors may have access to customer data when analyzing or maintaining infrastructure. Sensitive customer data is never shared with anyone outside of Optimizely and its subcontractors.
Optimizely takes the safety and security of your information seriously. We have implemented employee access controls that protect your information from unauthorized use:
Optimizely customers retain responsibility to ensure their use of our service is within compliance of applicable laws and regulations. This is described in the Optimizely Master Subscription Agreement and online terms, which can be found at https://www.optimizely.com/terms.
Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
All hosts run antivirus, are kept up to date with security patches, and have full disk encryption enabled.
Optimizely has a Security Incident Response Plan designed to quickly and systematically respond to security incidents that may arise. The incident response plan is tested and refined on a regular basis.
Optimizely's infrastructure is designed to provide the best experience and to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
For those customers that purchased and started using an Optimizely X Product, Optimizely will work with the customer if they should request the deletion of all their account data, visitor data and submitted data (as those terms are defined in their contract).
Upon cancellation of Optimizely's service, a customer may request to have their raw data (i.e., the visitor data captured during an experiment) exported and/or deleted within 30 days of the subscription ending using the Raw Data Export feature. Optimizely may amend this policy in its sole discretion by posting an update to this policy.