Security

Last Updated: July 27th, 2021

Optimizely has instituted several technical and organizational measures designed to protect Optimizely Applications. This page provides a description of our current security measures.

Organizational Structure

The Trust Team facilitates security, privacy and compliance programs at Optimizely. The Trust Team includes a Manager of Compliance and a Director of Security Engineering who report to the Chief Information Security Officer. 

Governance

Our Security Program is overseen by our Security Governance Board which includes senior executives and other strategic leaders.

Risk Management 

The Security Team conducts periodic risk assessments using a methodology based on ISO 27005:2018 guidelines for information security risk management. Top risks are identified, and risk treatment plans are prepared. The risk assessment, top risk selection and risk treatment plans are reviewed, and progress is tracked by the Security Governance Board. 

Access Controls 

Authentication 

Optimizely requires authentication for access to all application entry points including Web and API, except for those intended to be public. 

Secure communication of credentials

Optimizely currently uses TLS to transmit authentication credentials to Optimizely products. 

Password management 

With processes designed to enforce minimum password requirements for Optimizely products, we utilize the following requirements and security standards for end user passwords on the Optimizely Service: 

  • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols 
  • Multiple logins with the wrong username or password will result in a locked account, which will be disabled to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application 
  • Email-based password reset links are sent only to a user's preregistered email address with a temporary link 
  • Optimizely rate limits multiple login attempts from the same email address 
  • Optimizely prevents reuse of recently used passwords 

Password hashing 

End-user account passwords stored on Optimizely Service are hashed with a random salt using industry-standard techniques.  

2-step verification 

Increase the security of your Optimizely accounts by adding a second level of authentication when signing in. Instead of relying only on a password, two-step verification requires you to enter a temporary code that you access from your mobile phone and is intended to help you: 

  • Protect your website and mobile application when your Optimizely password is stolen 
  • Add an additional layer of security against password phishing attacks 
  • Adhere to guidelines set by your enterprise security policy 

Single sign-on 

Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is available on select packages only, so please consult your order form for eligibility. 

Session Management 

Each time a user signs into the Optimizely Service, the system assigns them a new, unique session identifier that consists of 64 bytes of random data designed for protection against a brute force attack. 

Session timeout 

Optimizely products enforce hard and inactivity session timeouts that require re-authentication for API and direct web application access. 

Sign out 

When signing out of the Optimizely Service, the system is designed to delete session cookies from the client and invalidate session identifiers on Optimizely servers.

Network & Transmission Controls 

Optimizely monitors and updates its communication technologies periodically with the goal of providing network security. 

SSL/TLS 

By default, all communications from your end-users and visitors on Optimizely products are encrypted using industry standard communication encryption technology. Optimizely currently uses Transport Layer Security (TLS) and updates to cipher suites and configurations as vulnerabilities are discovered. 

Network Security 

Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis. 

Infrastructure Security 

Optimizely uses an Intrusion Detection System (IDS), Security Incident Event Management (SIEM) system and other security monitoring tools on production servers that host Optimizely products. Notifications from these tools are sent to the Optimizely Security Team, who have an incident management plan to investigate, isolate and mitigate any identified events. 

Access Logs 

Optimizely keeps detailed access logs of our infrastructure and products which are reviewed for events impacting security and availability. Logs are retained for a minimum of six months for forensics purposes. 

Data Confidentiality & Job Controls 

Internal Access to Data 

Access to your data stored by with Optimizely is restricted to employees and contractors who have a need to know this information to perform their job function. For example, to provide customer support, maintain infrastructure, enhance product or to understand how an engineering change affects a group of customers. 

Optimizely currently requires the use of single sign-on, strong passwords and two-factor authentication for all employees to access production data. 

Job Controls 

Optimizely has implemented several employee job controls to help protect your data: 

  • All Optimizely employees and contractors are required to sign confidentiality agreements prior to accessing our production systems. 
  • All Optimizely employees are required to receive security and privacy training at time of hire as well as annual security and privacy awareness training. 
  • Employee and contractor access to production systems that contain your data is logged and audited.
  • Optimizely employees are subject to disciplinary action, including but not limited to, termination if they are found to have abused their access to customer data.
  • Optimizely employees are subject to a background check prior to employment where permitted by law. 

Security in Engineering 

Product Security Overview 

Optimizely's software security practices are measured using industry-standard security models—currently the Building Security In Maturity Model (BSIMM). The software development life cycle (SDLC) for our services includes many activities intended to foster security: 

  • Defining security requirements 
  • Design (threat modeling, threat analysis and security design review) 
  • Development controls (static analysis and manual peer code review) 
  • Testing (dynamic analysis, Bug Bounty Program and third party security vulnerability assessments) 
  • We currently use unit, integration and end-to-end tests, where applicable, to catch regressions 
  • Deployment controls (such as change management and canary release process) 

Optimizely software is designed, reviewed and tested using applicable OWASP standards. 

Code Assessments 

Optimizely developed software is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct: 

  • Automated source code analysis designed to find common defects 
  • Peer review of all code prior to being pushed to production 
  • Manual source code analysis on security-sensitive areas of code 
  • Third-party application security assessments and penetration tests performed annually 

Bug Bounty Program 

Optimizely currently offers a bug bounty program to encourage reporting of security issues with our product. Bugs can be reported via the program or via email at [email protected]

Availability Controls 

Disaster Recovery 

Optimizely Service infrastructure is designed to minimize service interruption due to hardware failure, natural disaster or other catastrophes. Features include: 

  • State of the art cloud providers: We use Azure, Google Compute Cloud and Amazon Web Services—all trusted by thousands of businesses to store and serve their data services. 
  • Data replication: To help ensure availability in the event of a disaster, we can replicate data both within and across multiple data centers depending on the resiliency requirements. 
  • Backups: We perform frequent backups of data stored through Optimizely Services. Backups are tested for integrity, regularly. 
  • Continuity plan: We continuity plan for any kind of service disruptions. Our team is global and can shift resources should regional issues disrupt our ability to provide services or support.
  • Security: We do not degrade our security during Disaster Recovery operations. 

Incident Response 

Optimizely has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis. 

Segregation Controls 

Data Segregation 

Optimizely segregates all customer data and provide strong programmatic and access controls to logically isolate your data from that of other customers. 

User Roles 

Optimizely products give you the ability to limit access to your data and configuration by defining user roles. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project. 

Physical Security 

Optimizely uses industry leading cloud platforms (Azure, Google Compute Cloud and Amazon Web Services) to host its production services. These cloud services provide high industry standard levels of physical security. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed circuit video monitoring and additional intrusion protection measures. We rely on their third-party attestations of physical security. Within our facilities we employ a number of industry-standard physical security controls. educate our employees and contractors to protect the physical security of their assets regardless of their location. 

Additional Terms 

If you have additional questions about implementing any of these security measures, please consult the Knowledge Base. Our security measures are constantly evolving to keep up with the changing security landscape, so we may update this page from time to time to reflect these technical and organizational changes. Please check back often to view our latest measures. As always, the use of Optimizely Service is subject to the terms, conditions and disclaimers in our Terms of Service