// Trust & Security Report
Optimizely, Inc.
Optimizely Digital Experience Platform: Content Management System (CMS, PaaS & SaaS), Commerce Connect, Configured Commerce, Web & Feature Experimentation, Content Marketing Platform (CMP), Optimizely Data Platform (ODP), Campaign, and Analytics (formerly Netspring), plus an emerging Agent Platform for AI-driven automation
Certifications held
9
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on optimizely.com“SOC 2 Type 2 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services, Configured Commerce, Optimizely Data Platform (ODP), Content Marketing Platform (CMP), Analytics (Formerly Netspring)”
Verify on optimizely.com“ISO 27001:2022 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services, Campaign”
Verify on optimizely.com“ISO 27017:2015 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services”
Verify on optimizely.com“ISO 27018:2019 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services”
Verify on optimizely.com“PCI DSS v4.0.1 listed for Commerce Connect (Self-Assessment Attestation), Web & Feature Experimentation Services (QSA Audited), Configured Commerce (Self-Assessment Attestation)”
Verify on optimizely.com“TISAX listed for Campaign, described as providing 'European automotive industry a consistent, standardized approach'”
Verify on optimizely.com“CSA STAR 'Level 1 Self-Assessment' with 'CAIQ 4.0' update listed on the compliance page”
Verify on optimizely.com“HIPAA listed as applicable to Content Management System (CMS) (PaaS & SaaS) and Web & Feature Experimentation Services; separately, Optimizely will sign a business associate agreement for eligible customers per its HIPAA-ready CMS documentation”
Verify on optimizely.com“Optimizely's Privacy, Security, and Compliance teams have developed and implemented a company-wide privacy program to help ensure compliance with GDPR, CCPA and other relevant privacy and data protection laws and regulations.”
> Show 2 unconfirmed / not-held certifications
source: optimizely.comNo public evidence. Not listed on the Optimizely Trust Center compliance page or the AI Ethics Policy page; no vendor-domain source found confirming this certification.
source: optimizely.comFedRAMP appears only in the context of the underlying Azure cloud infrastructure ('The Azure datacenters used are certified to 90+ compliance standards, including ISO 27001, FedRAMP, and SSAE 18 SOC 2') - this is the cloud host's certification, not a certification held by Optimizely as a vendor.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Geofencing available allowing customers to choose EU or US data location; geo-fenced technical/process controls limit cross-region transfer and access. Infrastructure hosted on Azure, Google Compute Cloud, and AWS.
Optimizely's AI Ethics Policy states 'Customers maintain control over their data and how it is used, including use of customer data in the training of models' and that 'Customers can elect to use, not use or disable AI features.' It also states customer/personal data is segregated and existing privacy controls are enforced when processed by GenAI systems, and that GenAI will not aggregate data or draw identifying inferences without adequate consent. This language acknowledges customer data CAN be used in model training with customer control/opt-out, but does not give an unambiguous yes/no on whether Optimizely trains its own models on customer data by default; graded null pending clearer default-state confirmation.
// Security controls
Encryption in transit
"All communications from your end-users and visitors on Optimizely products are encrypted using industry standard communication encryption technology." TLS used for authentication credentials with regularly updated cipher suites.
optimizely.comCloud infrastructure
Hosted across Azure, Google Compute Cloud, and Amazon Web Services
optimizely.comAccess controls
Authentication required at all application entry points; 2-step verification; Single Sign-On via SAML 2.0; minimum 8-character passwords with mixed case, numbers, and symbols
optimizely.comIncident response
Maintains "an Incident Response Plan designed to promptly and systematically respond to security and availability incidents"
optimizely.comPenetration testing
"Third-party application security assessments and penetration tests performed annually"
optimizely.comAI/LLM data handling disclosure
Not addressed on the Security page; covered separately (partially) on the AI Ethics Policy page - see privacy.ai_training_note
optimizely.com// Products & data scope
data: Customer website content and data; broadest certification coverage (SOC 2 Type II, ISO 27001/27017/27018, HIPAA)
Most heavily certified product in the portfolio.
data: Transaction and payment-adjacent data; PCI DSS v4.0.1 attestation in scope
Configured Commerce and Web & Feature Experimentation differ in PCI attestation depth (self-assessment vs QSA-audited).
data: Site visitor behavioral/experiment data; the only product line with QSA-audited PCI DSS status
Covered by SOC 2 Type II, ISO 27001/27017/27018, PCI DSS (QSA audited), and HIPAA.
data: Consolidated customer/behavioral profile data across channels
SOC 2 Type II in scope; ISO 27001 scope not confirmed for this product specifically on the compliance page.
data: Internal marketing team workflow and content assets
SOC 2 Type II in scope.
data: Campaign and customer contact data, notably for automotive-sector customers
Only product line carrying TISAX in addition to ISO 27001:2022; not listed for SOC 2 Type II on the compliance page.
data: Aggregated usage and behavioral analytics data
SOC 2 Type II in scope.
data: Operates across customer content and experimentation data; governed by the separate AI Ethics Policy rather than the core compliance certifications
New product direction per homepage marketing ('Agentic CMS', 'Agentic Experimentation', 'Agent Platform'); no dedicated certification listed for this line yet.
// What to watch
- Certification coverage varies significantly BY PRODUCT LINE - SOC 2 Type II and full ISO coverage apply to CMS, Commerce Connect, and Web & Feature Experimentation, but Campaign carries only ISO 27001 + TISAX (no SOC 2 listed), and ODP/CMP/Analytics carry SOC 2 only (ISO scope not confirmed for those three on the public compliance page). Do not represent one blanket cert set for the whole company.
- FedRAMP appears on the Trust Center only in reference to the underlying Azure datacenter infrastructure, not as an Optimizely-held certification - flagged as a host-vs-vendor distinction, graded held=false.
- AI training posture is ambiguous: the AI Ethics Policy acknowledges customer data may be used 'in the training of models' with customer control/opt-out language, but does not clearly state Optimizely's default behavior for its own agentic AI features (Agentic CMS, Agentic Experimentation, Agent Platform) recently pushed in 2026 marketing. Recommend direct vendor confirmation before making an affirmative or negative claim to buyers.
- Full attestation reports (SOC 2, ISO certificates) are gated behind a customer/prospect request process (Customer Success Manager or Sales Rep), not publicly downloadable - consistent with normal enterprise practice but means AIFOXX cannot independently verify report dates/scope beyond the vendor's own summary page.
// At a glance
Pricing model
Enterprise quote-based licensing across CMS, Commerce, Experimentation, CMP, ODP, Campaign, and Analytics products; no public self-serve pricing observed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Optimizely, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
optimizely.com