// Trust & Security Report

    Optimizely, Inc. logo

    Optimizely, Inc.

    Optimizely Digital Experience Platform: Content Management System (CMS, PaaS & SaaS), Commerce Connect, Configured Commerce, Web & Feature Experimentation, Content Marketing Platform (CMP), Optimizely Data Platform (ODP), Campaign, and Analytics (formerly Netspring), plus an emerging Agent Platform for AI-driven automation

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type 2 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services, Configured Commerce, Optimizely Data Platform (ODP), Content Marketing Platform (CMP), Analytics (Formerly Netspring)

    Verify on optimizely.com
    ISO/IEC 27001:2022
    HELD

    ISO 27001:2022 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services, Campaign

    Verify on optimizely.com
    ISO/IEC 27017:2015 (cloud security controls)
    HELD

    ISO 27017:2015 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services

    Verify on optimizely.com
    ISO/IEC 27018:2019 (PII protection in public clouds)
    HELD

    ISO 27018:2019 listed as held for: Content Management System (CMS), Commerce Connect, Web & Feature Experimentation Services

    Verify on optimizely.com
    PCI DSS v4.0.1
    HELD

    PCI DSS v4.0.1 listed for Commerce Connect (Self-Assessment Attestation), Web & Feature Experimentation Services (QSA Audited), Configured Commerce (Self-Assessment Attestation)

    Verify on optimizely.com
    TISAX
    HELD

    TISAX listed for Campaign, described as providing 'European automotive industry a consistent, standardized approach'

    Verify on optimizely.com
    CSA STAR (Level 1 Self-Assessment)
    HELD

    CSA STAR 'Level 1 Self-Assessment' with 'CAIQ 4.0' update listed on the compliance page

    Verify on optimizely.com
    HIPAA (Business Associate / BAA support)
    HELD

    HIPAA listed as applicable to Content Management System (CMS) (PaaS & SaaS) and Web & Feature Experimentation Services; separately, Optimizely will sign a business associate agreement for eligible customers per its HIPAA-ready CMS documentation

    Verify on optimizely.com
    GDPR (compliance posture, not a certification)
    HELD

    Optimizely's Privacy, Security, and Compliance teams have developed and implemented a company-wide privacy program to help ensure compliance with GDPR, CCPA and other relevant privacy and data protection laws and regulations.

    Verify on optimizely.com
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not listed on the Optimizely Trust Center compliance page or the AI Ethics Policy page; no vendor-domain source found confirming this certification.

    source: optimizely.com
    FedRAMP
    NOT CONFIRMED

    FedRAMP appears only in the context of the underlying Azure cloud infrastructure ('The Azure datacenters used are certified to 90+ compliance standards, including ISO 27001, FedRAMP, and SSAE 18 SOC 2') - this is the cloud host's certification, not a certification held by Optimizely as a vendor.

    source: optimizely.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Geofencing available allowing customers to choose EU or US data location; geo-fenced technical/process controls limit cross-region transfer and access. Infrastructure hosted on Azure, Google Compute Cloud, and AWS.

    Optimizely's AI Ethics Policy states 'Customers maintain control over their data and how it is used, including use of customer data in the training of models' and that 'Customers can elect to use, not use or disable AI features.' It also states customer/personal data is segregated and existing privacy controls are enforced when processed by GenAI systems, and that GenAI will not aggregate data or draw identifying inferences without adequate consent. This language acknowledges customer data CAN be used in model training with customer control/opt-out, but does not give an unambiguous yes/no on whether Optimizely trains its own models on customer data by default; graded null pending clearer default-state confirmation.

    // Security controls

    Encryption in transit

    "All communications from your end-users and visitors on Optimizely products are encrypted using industry standard communication encryption technology." TLS used for authentication credentials with regularly updated cipher suites.

    optimizely.com

    Cloud infrastructure

    Hosted across Azure, Google Compute Cloud, and Amazon Web Services

    optimizely.com

    Access controls

    Authentication required at all application entry points; 2-step verification; Single Sign-On via SAML 2.0; minimum 8-character passwords with mixed case, numbers, and symbols

    optimizely.com

    Incident response

    Maintains "an Incident Response Plan designed to promptly and systematically respond to security and availability incidents"

    optimizely.com

    Penetration testing

    "Third-party application security assessments and penetration tests performed annually"

    optimizely.com

    AI/LLM data handling disclosure

    Not addressed on the Security page; covered separately (partially) on the AI Ethics Policy page - see privacy.ai_training_note

    optimizely.com

    // Products & data scope

    Content Management System (CMS, PaaS & SaaS)Agentic CMS / content management

    data: Customer website content and data; broadest certification coverage (SOC 2 Type II, ISO 27001/27017/27018, HIPAA)

    Most heavily certified product in the portfolio.

    Commerce Connect / Configured CommerceE-commerce platform

    data: Transaction and payment-adjacent data; PCI DSS v4.0.1 attestation in scope

    Configured Commerce and Web & Feature Experimentation differ in PCI attestation depth (self-assessment vs QSA-audited).

    Web & Feature ExperimentationA/B testing / experimentation (Agentic Experimentation)

    data: Site visitor behavioral/experiment data; the only product line with QSA-audited PCI DSS status

    Covered by SOC 2 Type II, ISO 27001/27017/27018, PCI DSS (QSA audited), and HIPAA.

    Optimizely Data Platform (ODP)Customer data platform (CDP)

    data: Consolidated customer/behavioral profile data across channels

    SOC 2 Type II in scope; ISO 27001 scope not confirmed for this product specifically on the compliance page.

    Content Marketing Platform (CMP)Marketing workflow / content operations

    data: Internal marketing team workflow and content assets

    SOC 2 Type II in scope.

    CampaignMarketing campaign management

    data: Campaign and customer contact data, notably for automotive-sector customers

    Only product line carrying TISAX in addition to ISO 27001:2022; not listed for SOC 2 Type II on the compliance page.

    Analytics (formerly Netspring)Product/behavioral analytics

    data: Aggregated usage and behavioral analytics data

    SOC 2 Type II in scope.

    Agent Platform / Agentic AI featuresAI agents and automation

    data: Operates across customer content and experimentation data; governed by the separate AI Ethics Policy rather than the core compliance certifications

    New product direction per homepage marketing ('Agentic CMS', 'Agentic Experimentation', 'Agent Platform'); no dedicated certification listed for this line yet.

    // What to watch

    • Certification coverage varies significantly BY PRODUCT LINE - SOC 2 Type II and full ISO coverage apply to CMS, Commerce Connect, and Web & Feature Experimentation, but Campaign carries only ISO 27001 + TISAX (no SOC 2 listed), and ODP/CMP/Analytics carry SOC 2 only (ISO scope not confirmed for those three on the public compliance page). Do not represent one blanket cert set for the whole company.
    • FedRAMP appears on the Trust Center only in reference to the underlying Azure datacenter infrastructure, not as an Optimizely-held certification - flagged as a host-vs-vendor distinction, graded held=false.
    • AI training posture is ambiguous: the AI Ethics Policy acknowledges customer data may be used 'in the training of models' with customer control/opt-out language, but does not clearly state Optimizely's default behavior for its own agentic AI features (Agentic CMS, Agentic Experimentation, Agent Platform) recently pushed in 2026 marketing. Recommend direct vendor confirmation before making an affirmative or negative claim to buyers.
    • Full attestation reports (SOC 2, ISO certificates) are gated behind a customer/prospect request process (Customer Success Manager or Sales Rep), not publicly downloadable - consistent with normal enterprise practice but means AIFOXX cannot independently verify report dates/scope beyond the vendor's own summary page.

    // At a glance

    Pricing model

    Enterprise quote-based licensing across CMS, Commerce, Experimentation, CMP, ODP, Campaign, and Analytics products; no public self-serve pricing observed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Optimizely, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    optimizely.com

    > Browse all vendor trust reports