Built with Security in Mind

Every day, thousands of companies -- including Microsoft, IBM, and the New York Times -- use Optimizely on their websites and apps to collectively deliver billions of experiences per month. So we have built our services with security in mind.

Last Updated: August 10, 2018

Optimizely has instituted several technical and organizational measures designed to protect the cloud-based services we make available at app.optimizely.com (the "Optimizely Service"). This page provides a description of our current security measures.


Organizational Structure

The Security, Privacy and Compliance Team facilitates the Security, Privacy and Compliance programs across Optimizely. This team reports to the SVP of Engineering, who reports to the CEO.

Governance

Governance of these programs is performed by the Security and Privacy Steering Committee, comprised of executives and other department leaders from across the organization.

Risk Management

The Security Team conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared. The risk assessment, top risk selection, and risk treatment plans are reviewed by the Security and Privacy Steering Committee, which also monitors progress on the risk treatment plans.

Access Controls

1. Authentication

Overview. Optimizely requires authentication for access to all application pages on the Optimizely Service, except for those intended to be public.

Secure Communication of Credentials. Optimizely currently uses TLS-encrypted POST requests to transmit authentication credentials to the Optimizely Service.

Password Management. We have processes designed to enforce minimum password requirements for the Optimizely Service. We currently enforce the following requirements and security standards for end user passwords on the Optimizely Service:

  • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols

  • Multiple logins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application

  • Email-based password reset links are sent only to a user's pre-registered email address with a temporary link

  • Optimizely rate limits multiple login attempts from the same email address

  • Optimizely prevents reuse of recently-used passwords

Password Hashing. End user account passwords stored on the Optimizely Service are hashed with a random salt using industry-standard techniques. We currently use HMAC-SHA256 and run through 86000 rounds of PBKDF2.

2-Step Verification. 2-Step Verification increases the security of your Optimizely Service account by adding a second level of authentication when signing in. Instead of relying only on a password, 2-Step Verification will also require you to enter a temporary code that you access from your mobile phone. 2-Step Verification is intended to help you:

  • Protect your website and mobile application when your Optimizely password is stolen;

  • Add an additional layer of security against password phishing attacks; and

  • Adhere to guidelines set by your enterprise security policy.

Single Sign-On. Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is an account-level feature that will apply across all projects and experiments. Single Sign-On is available on select packages only, so please consult your order form for eligibility.

2. Session Management

Overview. Each time a user signs into the Optimizely Service, the system assigns them a new, unique session identifier, currently consisting of 64 bytes of random data designed for protection against brute forcing.

Session Timeout. All sessions are designed to have a hard timeout (currently set to 7 days). Single Sign-On sessions are configured with an inactivity timeout as well (currently, 4 hours). There is an optional setting to terminate any sessions after 15 minutes of inactivity.

Sign Out. When signing out of the Optimizely Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Optimizely servers.


Network and Transmission Controls

Optimizely monitors and updates its communication technologies periodically with the goal of providing network security.

1. SSL/TLS

By default all communications from your end users and your visitors with the Optimizely Service are encrypted using industry-standard communication encryption technology. Optimizely currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations.

2. Network Security

Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

3. Infrastructure Security

Optimizely uses an Intrusion Detection System (IDS), a Security Incident Event Management (SIEM) system and other security monitoring tools on the production servers hosting the Optimizely Service. Notifications from these tools are sent to the Optimizely Security Team so that they can take appropriate action.


Access Logs

Logs are kept at all account levels for the following key changes that end users make to experiments:

  • Account: Sign-in / Sign-out

  • Experiments: Archiving, Creating, Deleting, Start/Pause and Updating

  • Update Project Settings

Detailed logs are available in the "Change History" tab from your account home page. This Change History provides details on changes in your Optimizely snippet code, so you can have an audit trail of these code changes on your experiments and can quickly isolate any accidental edits.


Data Confidentiality and Job Controls

1. Internal Access to Data

Access to your visitor and account data stored on the Optimizely Service is restricted within Optimizely to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).

Optimizely currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Optimizely Service.

2. Job Controls

Optimizely has implemented several employee job controls to help protect the information stored on the Optimizely Service:

  • All Optimizely employees are required to sign confidentiality agreements prior to accessing our production systems.

  • All Optimizely employees are required to receive security and privacy training at time of hire, as well as quarterly security and/or privacy awareness training.

  • Employee access to production systems that contain your data is logged and audited

  • Optimizely employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data

  • Starting on May 18, 2017, new Optimizely employees are subject to background check prior to employment, where permitted by law


Security in Engineering

1. Product Security Overview

Optimizely's software security practices are measured using industry-standard security models (currently, the Building Security In Maturity Model (BSIMM)). The Optimizely software development lifecycle (SDLC) for the Optimizely Service includes many activities intended to foster security:

  • Defining security requirements

  • Design (threat modeling and analysis, security design review)

  • Development controls (static analysis, manual peer code review)

  • Testing (dynamic analysis, Bug Bounty Program, 3rd party security vulnerability assessments)

    • We currently use unit, integration, and end-to-end tests, where applicable, to catch regressions
  • Deployment controls (such as change management and canary release process).

Optimizely designs, reviews and tests the software for the Optimizely Service using applicable OWASP standards.

2. Code Assessments

The software we develop for the Optimizely Service is continually monitored and tested using processed designed to proactively identify and remediate vulnerabilities. We regularly conduct:

  • Automated source code analysis designed to find common defects

  • Peer review of all code prior to being pushed to production

  • Manual source code analysis on security-sensitive areas of code

  • Third-party application security assessments and penetration tests performed annually

3. Bug Bounty Program

Optimizely currently offers a bug bounty program to encourage reporting of security issues with our product. Bugs can be reported via the program, or via email at security@optimizely.com.


Availability Controls

1. Disaster Recovery

The infrastructure for the Optimizely Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

  • State of the art cloud providers: We use Google App Engine and Amazon Web Services, which are trusted by thousands of businesses to store and serve their data and services.

  • Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.

  • Backups: We perform daily, weekly, and monthly backups of data stored on the Optimizely Service, which are tested regularly.

  • Continuity plan: We have an office located in Amsterdam to assist in business continuity should regional issues at our global headquarters in San Francisco, California disrupt our ability to provide the services or support to you.

2. Incident Response

Optimizely has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.


Segregation Controls

1. Data Segregation

The code snippet for the Optimizely Service (the javascript client for the web experimentation product) is designed to be unique to your account. Optimizely's systems for the Optimizely Service are designed to logically separate your data from that of other customers. Optimizely's application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.

2. User Roles

The Optimizely Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Optimizely Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project or experiment.


Physical Security

Optimizely uses industry-leading cloud platforms (currently Google Compute Cloud and Amazon Web Services) to host its production systems for the Optimizely Service. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. We rely on their third party attestations of their physical security. Within our headquarters, we employ a number of industry-standard physical security controls.


Additional Terms

If you have additional questions about implementing any of these security measures, please consult the Optiverse Knowledgebase. Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check this page often to view our latest measures. As always, the use of the Optimizely Service is subject to the terms, conditions and disclaimers in our Terms of Service.