Built with Security in Mind

At Optimizely, we take your trust very seriously. To that end, we have many processes in place designed to help protect your data.

Trusted by Thousands Every Day

Every day, thousands of companies use Optimizely on their website, including companies like Microsoft, ABC, and the New York Times. These companies collectively deliver billions of experiences every month through Optimizely, so we build our services with security in mind.

Security Features

Security Basics

  • Your code snippet is unique to your account
  • Your code snippet only updates whenever you save an experiment or change project settings
  • We use Selenium and JavaScript unit tests to catch regressions
  • Your code snippet is fetched over HTTPS if your page is HTTPS, and over HTTP otherwise

Authentication

Optimizely requires authentication for all application pages and resources, except for those specifically intended to be public. All authentication controls must be enforced on a trusted system, and all authentication controls fail securely. Optimizely uses TLS-encrypted POST requests to transmit authentication credentials.

We enforce the following password requirements and security standards:

  • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
  • Passwords are hashed with a random salt using PBKDF2 with HMAC-SHA256 and 86000 rounds. No plaintext passwords are stored.
  • Multiple login attempts with the wrong username or password will result in a locked account, which will be disabled for a period of time to prevent a brute-force login, but not for so long that legitimate users are unable to use the application.
  • Email-based password reset links are sent only to a user's pre-registered email address with a temporary link.
  • Optimizely rate limits multiple login attempts from the same email address.
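The hashing scheme in the list above, as an added Python example (not Optimizely's code): PBKDF2 with HMAC-SHA256, a random salt, and 86000 rounds, plus constant-time verification and a check for records stored with fewer rounds. The 16-byte salt length, the `pbkdf2_sha256$rounds$salt$hash` record format, and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 86000   # round count stated on the page
SALT_BYTES = 16      # assumption: the page does not state a salt length
PRF = "sha256"       # PBKDF2 with HMAC-SHA256 as its pseudorandom function


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash with a fresh random salt.

    The record format is an assumption for this example; storing the
    round count and salt with the hash lets verification recompute it.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        scheme, rounds, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        derived = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, int(rounds))
    except ValueError:
        return False  # a malformed record fails closed
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, target: int = ITERATIONS) -> bool:
    """True when a record was stored with fewer rounds than the current target."""
    return int(record.split("$")[1]) < target
```

Calling `needs_rehash` after a successful login lets a service re-derive the hash at the current round count while the plaintext password is still in memory.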

2-Step Verification

2-Step Verification increases the security of your Optimizely account by adding a second level of authentication when signing in. Instead of relying only on a password, 2-Step Verification will also require you to enter a temporary code that you access from your mobile phone. With 2-Step Verification enabled, you can:

  • Protect your website and mobile application when your Optimizely password is stolen.
  • Add an additional layer of security against password phishing attacks.
  • Adhere to guidelines set by your enterprise security policy.

To learn more about how to enable this feature, refer to the Optiverse knowledgebase article. A detailed explanation of 2-Step Verification is available in our blog.

Single Sign-On

Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is an account-level feature that will apply across all projects and experiments. More information on SSO can be found here.

Session Management

Each time a user signs in to optimizely.com, they receive a new, unique session identifier. Each session identifier is 64 bytes of random data to protect against brute forcing.

Sign Out

When signing out, the session cookie is deleted from the client and the session identifier is invalidated on Optimizely servers.

Encrypted Communication

All communication with optimizely.com is encrypted using Transport Layer Security (TLS), and the TLS configuration is regularly updated to use the strongest cipher suites.

User Permissions

Optimizely is designed for use cases ranging from single account holders to large teams. You can invite users to your account without giving all team members the same levels of access.

User roles are available for Enterprise accounts and specify different levels of permissions that you can use to manage collaborators on an Optimizely project. They are especially useful when there are multiple people working on the same project or experiment. The following list describes how to implement the user roles and the access given to each role.

  • Administrators have full access to all projects and account billing information. They can also add or remove other administrators. If you make someone an Administrator, they have that role for every project belonging to that Account. If you demote an Administrator to any other role, they lose all privileges on other projects.
  • Project Owners can create, edit, start, and stop experiments, preview variations, and view results. A project can have more than one Project Owner. Project Owners can also create new projects and invite editors and viewers to the project(s) they are owners of.
  • Editors can create and edit non-running experiments, preview variations, and view results.
  • Viewers can preview variations and view results.

More information on roles and permissions can be found here.

These user permission levels limit exposure to risk by ensuring that Optimizely users see exactly what they need to run impactful experiments.

Audit Logging

Logs are kept at all account levels for changes made to user accounts for both Optimizely administrators and end users. Optimizely maintains records of the following information:

  • Account
      • Sign-in
      • Sign-out
      • Automated e-mails sent
  • Experiments
      • Archiving
      • Creating
      • Deleting
      • Start/Pause
      • Updating
  • Update Project Settings

Detailed logs are available in the Change History tab from your account home page. Detailed Change History shows you what was changed in your variation code, experiment JavaScript, and/or experiment CSS, by whom, and when the changes were made. You have a clear and complete audit trail of these code changes on your experiments and you can quickly isolate any accidental edits. More information on the Change History feature can be found here.

IP Anonymization

Optimizely provides you with the option to anonymize IP addresses before we store results data. If enabled:

  • The last octet of IPv4 addresses is replaced with zeros
  • The last 5 octets of IPv6 addresses are replaced with zeros

This feature is available at the account and project levels. Once activated, it will apply to all future experiments.
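The truncation rule described above, as an added Python example (not Optimizely's code). It also reports the network prefix that remains identifiable after anonymization. The function names, the "invalid" placeholder for unparseable input, and the sample addresses are assumptions constructed for this example.

```python
import ipaddress

# Octets zeroed per address family, as stated on the page.
ZEROED_OCTETS = {4: 1, 6: 5}


def anonymize_ip(raw: str) -> str:
    """Return the address with its trailing octets replaced by zeros."""
    addr = ipaddress.ip_address(raw.strip())   # ValueError on invalid input
    bits = ZEROED_OCTETS[addr.version] * 8
    masked = (int(addr) >> bits) << bits       # clear the low-order bits
    return str(type(addr)(masked))


def retained_prefix(raw: str) -> str:
    """Network the anonymized address still identifies, in CIDR form.

    IPv4 keeps a /24 (256 addresses per bucket). IPv6 keeps a /88, which
    still contains the full /64 network prefix of the original address.
    """
    addr = ipaddress.ip_address(raw.strip())
    prefix_len = addr.max_prefixlen - ZEROED_OCTETS[addr.version] * 8
    return str(ipaddress.ip_network(f"{anonymize_ip(raw)}/{prefix_len}"))


def anonymize_log_field(value: str) -> str:
    """Anonymize one stored field; fail closed so raw input is never kept.

    Returning the literal "invalid" is an assumption of this example.
    """
    try:
        return anonymize_ip(value)
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    samples = ["203.0.113.77", "2001:db8:85a3:8d3:1319:8a2e:370:7348", "not-an-ip"]
    for sample in samples:
        print(sample, "->", anonymize_log_field(sample))
```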

Security Program

The Optimizely software development lifecycle (SDLC) includes many activities to foster building security into Optimizely products:

  • Defining Security Requirements
  • Design (threat modeling and analysis, security design review)
  • Development controls (static analysis, manual peer code review)
  • Testing (dynamic analysis, Bug Bounty Program, 3rd party security vulnerability assessments)
  • Deployment controls (security, confidentiality, integrity, and availability code reviews, canary release process)

Optimizely clients (web, desktop, mobile, and API) are designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications), with security that at a minimum meets OWASP standards, and adhere to applicable legal, statutory, or regulatory compliance obligations.

Optimizely's Software Security Program is measured using the Building Security In Maturity Model (BSIMM).

Optimizely's security controls are measured using the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ).

Code Assessments

  • Automated source code analysis is utilized to find common defects.
  • Manual source code analysis is performed on security-sensitive areas of code and new features and components.
  • Third-party reviews are performed annually by security consultants.

Bug Bounty Program

We are in the process of moving our bug bounty program to a new bug bounty vendor. Until the move is complete, please report all issues directly to us by email at security@optimizely.com.

Policies

What Data We Collect

To provide an optimum experience to our customers and visitors, we collect various pieces of information. Examples of types of data that Optimizely's service collects include:

  • Visitor interactions with Content/Tests (for reporting to customer)
  • Unique ID assigned to a visitor per project
  • ID of the experiments and variations seen by a visitor
  • Customer's account number
  • String identifying conversion goal (such as page URL)
  • Date and time of visit
  • Visitors' browser and operating system versions
  • Visitor's IP address(es)

Internal Access to Data

Access to Customers' information is restricted within Optimizely and is only authorized for the purposes of providing direct customer support or for future product enhancements (for instance, to understand how an engineering change affects a group of customers). Optimizely subcontractors may have access to customer data when analyzing or maintaining infrastructure. Sensitive customer data is never shared with anyone outside of Optimizely and its subcontractors.

Optimizely takes the safety and security of your information seriously. We have implemented employee access controls that protect your information from unauthorized use:

  • Your account data is used only to provide services to you. Optimizely does not sell, rent, or otherwise disclose the information you provide to us in setting up your account for any other purpose.
  • We limit access to your content and information to Optimizely employees who require such information to perform their jobs, or as required to provide support to you.
  • Access to systems containing your sensitive information is logged and audited.
  • Optimizely requires the use of single sign-on, strong passwords and 2-factor authentication (where available).
  • Optimizely employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer information.

Optimizely customers retain responsibility for ensuring that their use of our service is in compliance with applicable laws and regulations. This is described in the Optimizely Master Subscription Agreement and online terms, which can be found at https://www.optimizely.com/terms.

Network Security

Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

Host Security

All hosts run antivirus, are kept up to date with security patches, and have full disk encryption enabled.

Incident Response

Optimizely has a Security Incident Response Plan designed to quickly and systematically respond to security incidents that may arise. The incident response plan is tested and refined on a regular basis.

Disaster Recovery

Optimizely's infrastructure is designed to provide the best experience and to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

  • State-of-the-art cloud providers. We use Google App Engine and Amazon Web Services, which are trusted by thousands of businesses to store and serve our data/services.
  • Data replication. To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
  • Continuity plan. In addition to the redundancy of data and our world-class infrastructure, we have an office located in Amsterdam, the Netherlands to ensure that regional issues at our global headquarters located in San Francisco, California do not disrupt our ability to provide the services or support to you.

Data Deletion

For those customers that purchased and started using an Optimizely X Product, Optimizely will work with the customer if they should request the deletion of all their account data, visitor data and submitted data (as those terms are defined in their contract).

Upon cancellation of Optimizely's service, a customer may request to have their raw data (i.e., the visitor data captured during an experiment) exported and/or deleted within 30 days of the subscription ending using the Raw Data Export feature. Optimizely may amend this policy in its sole discretion by posting an update to this policy.