Last Updated: July 27th, 2021
Optimizely has instituted several technical and organizational measures designed to protect Optimizely Applications. This page provides a description of our current security measures.
The Trust Team facilitates Security, Privacy and Compliance programs at Optimizely. The Trust Team includes a Manager of Compliance and a Director of Security Engineer who report to the Chief Information Security Officer.
Comprised of executives and other department leaders from across the organization, governance of these programs is performed by the Security Governance Board.
The Security Team conducts periodic risk assessments using a methodology based on ISO 27005:2018 guidelines for information security risk management. Top risks are identified, and risk treatment plans are prepared. The risk assessment, top risk selection and risk treatment plans are reviewed, and progress is tracked by the Security Governance Board.
Optimizely requires authentication for access to all application entry points including Web and API, except for those intended to be public.
Secure Communication of Credentials
Optimizely currently uses TLS 1.2 to transmit authentication credentials to Optimizely Applications.
With processes designed to enforce minimum password requirements for Optimizely Applications, we utilize the following requirements and security standards for end user passwords on the Optimizely Service:
- Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols
- Multiple logins with the wrong username or password will result in a locked account, which will be disabled to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application
- Email-based password reset links are sent only to a user's preregistered email address with a temporary link
- Optimizely rate limits multiple login attempts from the same email address
- Optimizely prevents reuse of recently used passwords
End-user account passwords stored on Optimizely Service are hashed with a random salt using industry-standard techniques.
Increase the security of your Optimizely accounts by adding a second level of authentication when signing in. Instead of relying only on a password, two-step verification requires you to enter a temporary code that you access from your mobile phone and is intended to help you:
- Protect your website and mobile application when your Optimizely password is stolen
- Add an additional layer of security against password phishing attacks
- Adhere to guidelines set by your enterprise security policy
Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is available on select packages only, so please consult your order form for eligibility.
Each time a user signs into Optimizely Service, the system assigns them a new, unique session identifier that consists of 64 bytes of random data designed for protection against a brute force attack.
Optimizely products enforce hard and inactivity session timeouts that require re-authentication for API and direct web application access.
When signing out of the Optimizely Service, the system is designed to delete session cookies from the client and invalidate session identifiers on Optimizely servers.
Network and Transmission Controls
Optimizely monitors and updates its communication technologies periodically with the goal of providing network security.
By default, all communications from your end-users and visitors on Optimizely Applications are encrypted using industry standard communication encryption technology. Optimizely currently uses Transport Layer Security (TLS) and updates to cipher suites and configurations as vulnerabilities are discovered.
Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Optimizely uses an Intrusion Detection System (IDS), Security Incident Event Management (SIEM) system and other security monitoring tools on production servers that host Optimizely Applications. Notifications from these tools are sent to the Optimizely Security Team, who have an incident management plan to investigate, isolate and mitigate any identified events.
Optimizely keeps detailed access logs of our infrastructure and products which are reviewed for security events. Logs are retained for a minimum of six months for forensics purposes.
Data Confidentiality and Job Controls
Internal Access to Data
Access to your data stored by with Optimizely is restricted to employees and contractors who have a need to know this information to perform their job function. For example, to provide customer support, maintain infrastructure, enhance product or to understand how an engineering change affects a group of customers.
Optimizely currently requires the use of single sign-on, strong passwords and two-factor authentication for all employees to access production data.
Optimizely has implemented several employee job controls to help protect your data:
- All Optimizely employees and contractors are required to sign confidentiality agreements prior to accessing our production systems.
- All Optimizely employees are required to receive security and privacy training at time of hire as well as annual security and privacy awareness training.
- Employee and contractor access to production systems that contain your data is logged and audited.
- Optimizely employees are subject to disciplinary action, including but not limited to, termination if they are found to have abused their access to customer data.
- Optimizely employees are subject to a background check prior to employment where permitted by law.
Security in Engineering
Product Security Overview
Optimizely's software security practices are measured using industry-standard security models—currently the Building Security In Maturity Model (BSIMM). The software development life cycle (SDLC) for our services includes many activities intended to foster security:
- Defining security requirements
- Design (threat modeling, threat analysis and security design review)
- Development controls (static analysis and manual peer code review)
- Testing (dynamic analysis, Bug Bounty Program and third party security vulnerability assessments)
- We currently use unit, integration and end-to-end tests, where applicable, to catch regressions
- Deployment controls (such as change management and canary release process)
Optimizely software is designed, reviewed and tested using applicable OWASP standards.
Optimizely developed software is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct:
- Automated source code analysis designed to find common defects
- Peer review of all code prior to being pushed to production
- Manual source code analysis on security-sensitive areas of code
- Third-party application security assessments and penetration tests performed annually
Bug Bounty Program
Optimizely currently offers a bug bounty program to encourage reporting of security issues with our product. Bugs can be reported via the program or via email at firstname.lastname@example.org.
Optimizely Service infrastructure is designed to minimize service interruption due to hardware failure, natural disaster or other catastrophes. Features include:
- State of the art cloud providers: We use Azure, Google Compute Cloud and Amazon Web Services—all trusted by thousands of businesses to store and serve their data services.
- Data replication: To help ensure availability in the event of a disaster, we can replicate data both within and across multiple data centers depending on the resiliency requirements.
- Backups: We perform frequent backups of data stored through Optimizely Services. Backups are tested for integrity, regularly.
- Continuity plan: We continuity plan for any kind of service disruptions. Our team is global and can shift resources should regional issues disrupt our ability to provide services or support to you.
- Security: We do not degrade our security during Disaster Recovery operations.
Optimizely has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
Optimizely segregates all customer data and provide strong programmatic and access controls to logically isolate your data from that of other customers.
Optimizely products give you the ability to limit access to your data and configuration by defining user roles. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project.
Optimizely Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage users on your Optimizely Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project or experiment.
Optimizely uses industry leading cloud platforms (Azure, Google Compute Cloud and Amazon Web Services) to host its production services. These cloud services provide high industry standard levels of physical security. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed circuit video monitoring and additional intrusion protection measures. We rely on their third-party attestations of physical security. Within our facilities we employ a number of industry-standard physical security controls. educate our employees and contractors to protect the physical security of their assets regardless of their location.
If you have additional questions about implementing any of these security measures, please consult the knowledge base. Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check back often to view our latest measures. As always, the use of Optimizely Service is subject to the terms, conditions and disclaimers in our Terms of Service.