In this period of rapid technological and regulatory change, it has never been more important to take a considered approach to protecting personal data. From the European General Data Protection Regulation (GDPR) to new US state laws like the California Consumer Privacy Act (CCPA), we know how much effort it takes to assess and manage privacy risks. That’s why Optimizely builds its services with an eye towards minimizing that effort for our customers.
Our digital experience optimization solutions provide industry-leading functionality with minimal collection of personal data and an emphasis on security. Privacy and security considerations are baked directly into our product development process so customers can spend more time on unlocking their digital potential and less time worrying about compliance.
Data subjects in certain jurisdictions may request access to or erasure of their personal data. We have built tools to help our customers fulfill these requests.
By default, our web snippet communicates with optimizely.com using Transport Layer Security (TLS), which is regularly updated to use updated ciphersuites and TLS configurations.
In addition, all Visitor Data stored by Optimizely and its third party service providers is encrypted at rest. Please see our documentation for details.
To comply with the GDPR, companies may want to review the cookies and local storage objects set by their EU websites. Optimizely can be integrated with popular tag management and cookie banner tools to make it easier for you to customize your approach to cookie compliance.
If you are an Optimizely customer and want to learn how to make a GDPR subject access request, please consult our documentation.
Optimizely’s Privacy, Security, and Compliance teams have developed and implemented a company-wide privacy program to help ensure compliance with GDPR, CCPA and other relevant privacy and data protection laws and regulations.
As part of our employee onboarding and continuous training, all Optimizely employees receive annual privacy and security training. In addition, members of our engineering and product teams receive specialized data privacy and software security training annually. All efforts are overseen by our Privacy, Security and Compliance teams.
To verify that our privacy practices are appropriate, Optimizely maintains a data map of our product documenting how data is collected and what systems process personal data.
We have published information security and data protection policies governing when employees and contractors can access data stores containing your data.
The GDPR including the Schrems II ruling, restricts the export or use of personal data to countries the EU and European Economic Area (EEA). We have implemented geo-fenced process and technical controls to limit transfer and access of personal data to allowed regions. We also support inquiry, correction and deletion for both your direct and indirect personal data.
We have implemented a data breach and incident response plan that leverages advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.
Our Security and Privacy teams review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.
We have conducted security and privacy reviews of our vendor contracts. As a result, we have DPAs with those vendors who may help us process personal data on your behalf.
To support your efforts to provide EU-compliant contractual protections, we have created a GDPR-ready Data Processing Agreement (DPA).
We have appointed a Data Protection Officer (DPO) to oversee our privacy and data protection compliance.