HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

Optimizely platform security

Describes security-related aspects associated with the Optimizely platform and service delivery.

Information security management

Optimizely Digital Experience Platform (DXP) is managed with an Information Security Management System certified to ISO 27001. Best practice architecture and development, secure data centers, global support, and CDN/WAF services combine to ensure safe, secure solutions that support Optimizely customers.

Service architecture 

Optimizely DXP is deployed on Microsoft Azure security hardened systems. Antimalware is enabled for Azure services, and virtual networks isolate each customer’s service. Availability and performance monitoring are provided, and performance is supported by elastically scaling Web Apps that cater to seasonal traffic peaks and intraday spikes.

Data-in-transit is encrypted with HTTPS/TLS. The provided Content Delivery Network (CDN) protects origin servers, and together with the built-in Web Application Firewall (WAF), it provides DDoS mitigation and state-of-the-art protection against unusual and malicious traffic. See Introduction to DXP for technical details about the service architecture.

Secure and reliable datacenters 

Optimizely DXP runs on secure Microsoft Azure datacenters. Each facility is designed to run 24x7x365 with protection from power failure, physical intrusion, and network outages. Perimeter fencing, cameras, and biometric safeguards protect entry points. Azure datacenters are certified to 90+ compliance standards, including, for example, ISO 27001, FedRAMP, and SSAE 18 SOC 2.

Least privilege access 

A limited subset of employees can access customer applications based on the principle of least privilege. Access is through feature-limited portals, over encrypted connections with multi-factor authentication, and access is logged. Providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, and detect and respond to security incidents. See the Data Processing Agreement (DPA).

Secure Development Lifecycle (SDL)

Optimizely solutions are built by established teams focused on building highly scalable, performant, and secure systems. Optimizely’s Secure Product Development Lifecycle (SDL) uses an agile methodology based on the Kanban approach, with the primary function of ensuring quality and security is a part of every product delivered.

Methodologies and standards include Test Driven Development, OWASP, NIST, and BSIMM, with mandatory coding guidelines and code reviews. Code changes require at least three approvals before integration into the main source code branch. Code is reviewed concerning best practices, including prevention techniques for SQL and XPath/XSLT injection, cross-site scripting, broken session management, and cross-site request forgery through static and dynamic vulnerability testing.

Transparent service health and continuity 

The Optimizely Digital Experience Platform provides up to 99.9% SLA at the website application level. Customers can register to receive incident updates and view information about platform-wide planned maintenance on the service dashboard. Customers are notified directly of incidents regarding their specific applications and are updated on the progress of the incident.

System updates and patching 

App Service instances run on Azure and are aligned with Microsoft’s Azure patch release cycle. The Optimizely CMS and Optimizely Commerce (PaaS) code follow a continuous release cycle with weekly releases. Releases include features and fixes, and customers can upgrade their solutions at a cadence that makes sense for their particular business.


Optimizely provides the following monitoring as part of DXP:

  • External monitoring – External monitoring of web applications where issues are handled according to the incident management process.
  • Real user monitoring – Monitoring end-user experience by inserting JavaScript to measure end-user actions on each page.
  • Application monitoring – Monitoring application resource consumption to ensure acceptable service usage and improve the platform.

Transport Layer Security (TLS/SSL) 

Services are protected with TLS version 1.2 or higher with full support for TLS 1.3. See SSL requirements.

Virtual Private Networks (VPN) 

Optimizely supports using a VPN for secure connections to internal corporate resources. VPN connections are most commonly used for application-to-application integrations with a customer’s on-premise systems, if needed or appropriate. Supported VPNs are Azure compliant, IPSEC IKE v2, and route-based.

Web Application Firewall (WAF) 

A managed WAF is provided. The WAF examines HTTP requests to a website, applying rules to filter out illegitimate traffic from legitimate website visitors. See Web Application Firewall.

Distributed Denial of Service mitigation (DDoS) 

Advanced DDoS protection is provided to mitigate attacks of forms and sizes, including those that target the UDP and ICMP protocols, SYN/ACK, DNS amplification, and Layer 7 attacks. The provided CDN is rated at over 30 Tbps throughput, more than 15x the size of the largest recorded DDoS attack.

Vulnerability testing   

Optimizely conducts weekly vulnerability testing against DXP and performs annual external audits. Microsoft also regularly tests the underlying Azure infrastructure.

Customers can run WVS and penetration tests using tools and third-party services. You should follow documented guidance for testing against Azure-based services. Customers can alternatively contract for WVS.