Compliance

To protect the information assets at Optimizely, we have taken the necessary steps to achieve ISO 27001:2013, ISO 27017:2015, ISO 27018:2019, SOC 2 Type 1 and 2, PCI DSS v3.2.1, and TISAX. This process included internal auditing, critical testing, inspections, assessments, and reviews of Optimizely's Information Security Management System. Independent third-party certification means you can trust that Optimizely has robust and effective security and privacy controls to protect your data.

Our compliance program ensures that you and your customers can trust Optimizely and have third-party assurance that effective and robust controls protect your data.

  • Optimizely is in the process of transitioning to ISO27001:2022 and expect to be able to provide this to prospects/customers by end of Q2 2025.
  • Optimizely is in the process of transitioning to from PCI DSS v 3.2.1 to v 4.0.1 and expect to be able to provide this to prospects/customers by end of Q1 2025.

These certifications and attestation reports are performed by independent third-party auditors and are available upon request. Existing customers can request access through their Customer Success Manager. For Prospective customers, please reach out to your Sales Representative for access.

Product Certifications

Content Management System (CMS)

Current list of active certifications
  • ISO/IEC ISO27001:2013 - Information Security Management Systems (ISMS)
  • ISO/IEC ISO27017:2015 - Information Security Controls for Cloud Services
  • ISO/IEC 27018: 2019 Protecting PII in Public Clouds
  • SOC 2 Type 2 Attestation
  • PCI DSS v 3.2.1 Self-Assessment Attestation

Commerce Connect

Current list of active certifications
  • ISO/IEC ISO27001:2013 - Information Security Management Systems (ISMS)
  • ISO/IEC ISO27017:2015 - Information Security Controls for Cloud Services
  • ISO/IEC 27018: 2019 Protecting PII in Public Clouds
  • SOC 2 Type 2 Attestation
  • PCI DSS v 3.2.1 Self-Assessment Attestation

Web & Feature Experimentation Services

Current list of active certifications
  • ISO/IEC ISO27001:2013 - Information Security Management Systems (ISMS)
  • ISO/IEC ISO27017:2015 - Information Security Controls for Cloud Services
  • ISO/IEC 27018: 2019 Protecting PII in Public Clouds
  • SOC 2 Type 2 Attestation
  • PCI DSS v 3.2.1 QSA Audited

Campaign

Current list of active certifications
  • ISO/IEC ISO27001:2013/2017 - Information Security Management Systems (ISMS)
  • TISAX - Trusted Information Security Assessment Exchange
    • This standard provides the European automotive industry a consistent, standardized approach to information security systems.

Configured Commerce

Current list of active certifications
  • SOC 2 Type 2 Attestation
  • PCI DSS v 3.2.1 Self-Assessment Attestation

Optimizely Data Platform (ODP)

Current list of active certifications
  • SOC 2 Type 1 Attestation
    • SOC 2 Type 2 Attestation expected to be obtained by end of Q1 2025

Content Marketing Platform (CMP)

Current list of active certifications
  • SOC 2 Type 2 Attestation

Analytics (Formerly Netspring)

Current list of active certifications
  • SOC 2 Type 2 Attestation

HIPAA

The Health Information Portability and Accountability Act (HIPAA) is one of the most important sectoral regulations related to privacy within the United States (US). The Secretary for the Health and Human Services (HHS) developed a set of required national standards designed to protect the confidentiality, integrity, and availability of health data. Certain businesses, covered entities and business associates, are required to comply to these regulations to ensure that health data is transmitted without compromising its security.

Optimizely supports HIPAA compliance as a business associate by committing to the following:

  • Implementing and maintaining appropriate technical and organizational security measures designed to safeguard a customer's Protected Health Information (PHI)
  • Notifying customers of any data breaches without undue delay
  • Signing Business Associate Agreements (BAAs) with enterprise customers

Optimizely now offers Optimizely HIPAA-ready Software Services:

  • Content Management System (CMS) (PaaS & SaaS)
  • Web & Feature Experimentation Services

To view our Optimizely Business Associate Agreement, current customers reach out to your Customer Success Manager. For prospective customers, please reach out to your sales representative.

Cyber Risk Assessments

Cloud Security Alliance (CSA)

The Cloud Security Alliance is the world’s leading organization committed to awareness, practical implementation, and certification for the future of cloud and cybersecurity. CSA's initiatives help organizations assess cloud providers and enhance cloud security standards worldwide.

Optimizely provides Level 1 Self-Assessment which demonstrates our commitment to providing secure PaaS & SaaS cloud services.

Optimizely has updated our CAIQ Self-Assessments to CAIQ 4.0.

STAR Registry | CSA (cloudsecurityalliance.org)

 

HECVAT

The Higher Education Information Security Council (HEISC), in conjunction with the Shared Assessments Working Group, EDUCAUSEInternet2, and the Research & Education Networks Information Sharing & Analysis Center (REN-ISAC) created the Higher Education Cloud Vendor Assessment Toolkit (HECVAT), a self-assessment for higher education information security and data protection requirements in the Unites States for cloud service providers. The details of the assessment helps higher education institutions (Universities and Colleges) validate that cloud services are assessed for security and privacy requirements, and allows a consistent methodology for Higher Education Institutions who want to use cloud services.

Optimizely has completed a HECVAT and HECVAT-Lite self-assessments for our core Cloud Products. The self-assessment details our alignment with industry standards and the security built into our products and infrastructure.

CyberGRX

The Optimizely CyberGRX report is available to all prospects/customers free of cost.

Prospects/Customers can request access to the Tier 2 validated CyberGRX cyber risk assessment via the CyberGRX Global Risk Exchange.

FSQS/Hellios

FSQS-UK&I covers the key areas of third-party risk in the financial services industry, with over 30 dedicated risk domains built into the supplier registration process.

Optimizely has been subject to a FSQS Stage 3 assessment.

The FSQS/Hellios assessment report is available on request.

Security and Compliance

For assistance with requesting access to security and compliance documents, existing customers can request access through their Customer Success Manager. For Prospective customers, please reach out to your Sales Representative for access.

Telecommunications and Telemedia Data Protection Act (TTDSG/TKG)

The German Federal Act on Privacy in Telecommunications and Telemedia, or Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG), governs the privacy aspects of electronic communications and telemedia in Germany. The law specifically addresses the confidentiality and secrecy of digital communications, encompassing elements like cookie usage and data storage.

Optimizely has a Security Concept report that describes our compliance with the German Telecommunications Act as the ICT provider, this is available on request.

Pen Test Reports

Optimizely conducts regular penetration testing through third-party CREST-Accredited Penetration Testing providers.

A copy of the report, along with issue disposition are available on request.

Business Continuity and Disaster Recovery (BCDR)

Optimizely’s Business Continuity and Disaster Recovery (BCDR) program maintains globally available business operations and facilitates the efficient restoration of business operations due to a large-scale disruption. The Optimizely BCDR program helps ensure business-critical and customer-facing services operate continuously and without service disruption.

Our BCDR programs includes Business Continuity Plans, Business Impact Analysis and Disaster Recovery Plans which are tested on a periodic basis.

Customer facing DR reports are available on request.

Infrastructure Compliance

After platforms undergo rigorous third-party confirmation of process and technical controls, we inherit their controls and implement our own compliance framework on top of their tools.

Risk Management

Periodic risk assessments are conducted with top risks identified and treatment plans prepared. The risk assessment, top risk selection, and risk treatment plans are reviewed and progress is tracked by the Security Governance Board.

Robust Security Framework

Optimizely implements industry-leading security measures, including advanced encryption, multi-factor authentication, regular vulnerability assessments, and intrusion detection systems to protect customer data from unauthorized access, breaches, and cyber threats.

Compliance with Global Standards

Optimizely adheres to a wide array of compliance standards ensuring that we meet the the highest expectations for data privacy, security, and governance. 

Continuous Monitoring and Auditing

Optimizely conducts continuous monitoring of our systems and processes to detect, assess, and mitigate any potential risks. Regular internal and external audits are performed to ensure compliance with applicable laws and standards and to verify effectiveness of our security protocols.

Other Resources

Cyber Insurance

Certificate of Liability Insurance with limits and coverages with respect to general and more specifically cyber insurance. 

Service-Level Agreement  

For full details of Optimizely’s Service-Level Agreement, this is available here: Service-Level Agreement - Optimizely 

Service Descriptions 

Product Service Descriptions