Optimizely AB

Optimizely - Customized Commerce

Optimizely’s platform for digital commerce forms part of Optimizely's "Digital Experience Cloud" platform which enables you to provide outstanding customer experiences that help you drive sales across all channels and markets.

Features

• Elastic scaling to support traffic peaks and bursts
• Based on the latest Microsoft cloud technology, Azure Web Apps
• Optimal performance via a content delivery network (CDN)
• Separated environments for integration/test, preproduction and production
• Best-of-breed services from vendors via connectors and add-ons
• 24x7x365 global operations, maintenance and support
• Detailed online reports show you website and transaction performance
• Proactive application and end-user experience monitoring
• Data backup and retention
• DDOS mitigation

Benefits

• SLA guarantee on your web site being up and running
• Unlimited number of Optimizely web sites
• Unlimited number of web site users
• Includes Optimizely Find enterprise search product
• Lower TCO with a fully managed service

£120,100 a unit

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Joe.duffell@optimizley.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

751809643934941

Contact

Joe Duffell
+1 603 594 0249
Joe.duffell@optimizley.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Deployment is on public cloud.
• System requirements:
  • Content editing: IE11, Firefox latest, Google Chrome, latest
  • Optimizely provides all needed PaaS and SaaS services
  • Visual Studio. Optional Azure Dev Ops, Octopus Deploy, GitHub

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 24/7/365 support with 30 minute response on Priority 1
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: All Optimizely Digital Experience Cloud Service contracts include 24/7/365 support and is not charged separately.; ; Each client gets an account manager and dedicated service level manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The Optimizely Digital Experience Cloud Platform (DXP) is provided as PaaS and SaaS services. Once implemented by an Optimizely implementation partner or customer the final solution is deployed to DXP. Once deployed (or before deployment) Optimizely can provide classroom and on-site training and also provides online documentation for using Optimizely.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: A request is made to the Optimizely Managed service desk for a full back up of the Optimizely database and accompanying binary assets. These are supplied within the defined SLA period for the managed service desk.
• End-of-contract process: If termination has been requested then there are no additional costs for ending the contract after the original contract period. If a contract termination requested is received before the end of the period then remaining period must be paid for in order to terminate.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: End user applications are designed to support both desktop & mobile. The content creation / admin interfaces are usually used on desktop browsers, but can be used on tablets. A smartphone is generally too small of an interface for the purpose of easily creating / managing web content.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: Browser based user interface
• Accessibility standards: None or don’t know
• Description of accessibility: Accessible through a browser.
• Accessibility testing: None that I am aware of.
• API: Yes
• What users can and can't do using the API: Anything is possible using Optimizely's API. Primary APIs are provided for Content Creation / Management, Content Delivery, Search and Deployment
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: - Nearly the entire Optimizely suite can be extended including all HTML presentation templates, authentication providers, site functionality and Optimizely editor functionality.; - Customisation takes place using .net languages such as C# or VB.net and also in Javascript. This work is done Visual Studio. ; Anyone with access to the solution source code can customised. This is normally Optimizely implementation partners or clients with appropriate development skills who own the overall solution.

Scaling

• Independence of resources: Each customer's Optimizely DXP implementation runs as a single tenant solution with its own dedicated set of resources that scale using public cloud infrastructure.

Analytics

• Service usage metrics: Yes
• Metrics types: Optimizely DXP provides a reporting portal which provides the following KPI information: Average Page Load Time, Page Views, Total Page Views (YTD), Availability, Events and Response Time. Additional KPI's may evolve and be added to the service reporting over time.
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported directly from the database or an export can be run that downloads content as a .zip in XML
• Data export formats: Other
• Other data export formats: XML as part of a standard Optimizely Export
• Data import formats: Other
• Other data import formats: XML

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: SLA for availability starts at 99.7% and moves to 99.9% depending on package. If availability falls below the Service(s) SLA, the Customer has the right to obtain a reduction on the monthly fee for the affected Service(s). The reduction shall correspond to ten (10) percent of the monthly fee for each interval of one (1) hour that the effective availability falls below the SLA for the affected Service(s). For example, if there are thirty (30) days in the month, and the SLA is 99.5% (716 out of 720 possible hours), should actual availability be only 715 hours, the monthly fee will be reduced 10%. The reduction is limited to the actual month when the agreed availability level has fallen short. This compensation shall be Customer’s sole remedy for interruption or delay in Service(s) supplied by Optimizely.
• Approach to resilience: Optimizely Digitial Experience Cloud Services are primarily based on Microsoft Azure services and utilise other cloud services. Full details around resiliency are available on request.
• Outage reporting: Email alerts, public dashboard, phone notification.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
• Access restrictions in management interfaces and support channels: Access management is enforced at different levels in the DXC-S. Optimizely's PaaS portal is used to administer and manage a clients DXC-S. Only authorized Optimizely users with set permissions are allowed to manage your service, this is controlled via AzureAD, stings are also hard coded in the portal. Client developers are allowed to access the DXC-S's integration (development) environment only, users access must be requested, where they will be set up in AzureAD. Client editors can authenticate with the DXC-S via their own chosen federated security if they wish, Optimizely can also restrict access via set IP ranges if required.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA Global Assurance
• ISO/IEC 27001 accreditation date: Continuous from July 2018 to July 2021
• What the ISO/IEC 27001 doesn’t cover: Optimizely's entire ISMS is influenced by ISO 27001
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Privacy Shield

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Optimizely policies and processes on the Digital Experience Cloud Service (DXC-S) is aligned to the ISO 27001 standard (cert. planned for 2018).
• Information security policies and processes: Optimizely's ISMS on the DXC-S has management representative down commitment, with regards to the DXC-S this covers operations, Managed Services, IT, HR, Finance, Facilities, Legal, Product Management, Marketing and Sales. Annual training on Optimizely's ISMS (and new starter training for new employees and contactors) will be enforced via our LMS. All employees will receive ISMS training to ensure that their responsibilities are understood and enforced across their duties.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Optimizely development teams follow an iterative software development Lifecycle regarding code changes. Optimizely performs web vulnerability scans that look for the OWASP top 10 vulnerabilities and use the OWASP references as a guide during development. We have a review process for all changes/releases to our software (weekly), restricted to select publishers (who have have been trained against our ISMS). Microsoft Azure teams follow a formal Security Development Life-Cycle process for their services which Optimizely consume on our service. For more information, please review: https://www.microsoft.com/en-us/sdl/
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Optimizely DXP provides a WAF to stop attacks at the network edge, protecting your website from common threats and specialized attacks before they reach your service. Microsoft is also protected by an active IDS/IPS system, which uses a number of techniques to detect threats. Microsoft and their Red Team regularly pen test the underlying infrastructure of DXC Service. The Optimizely platform is also subject to regular pen tests conducted by customers and partners. If a threats are detected these will follow Optimizely's incident management process and are escalated gaining the highest priority available. Microsoft is responsible for patch management.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Optimizely DXP provides centralized monitoring and analysis for continuous visibility and timely alerts to the teams who manage the service. We have a number of set triggers and thresholds, benchmarked against typical consumption or behaviour on your website. If unanticipated performance behaviour is detected (for example repetitive behaviour, creating increased scale in the service) we have hooks to alert our service desk to look into the issue and block the traffic if necessary Security incidents receive highest priority and clients are notified without undue delay.
• Incident management type: Supplier-defined controls
• Incident management approach: Please refer to Section 10 of the SLA: https://www.optimizely.com/legal/service-level-agreement/ the defines Incident Types, Prioritization and Escalation. Use can report incidents via phone, online portal or email. Written incident reports are generated for all P1 & P2 incidents describing the issue, root cause analysis and corrective and preventative actions which were taken to resolve the issue. Client contacts will be notified once a support ticket is generated by our Managed Services Team.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Please find more information regarding this via the following web link:; https://www.optimizely.com/company/csr/

  Tackling economic inequality

  Please find more information regarding this via the following web link:; https://www.optimizely.com/company/csr/

  Equal opportunity

  Please find more information regarding this via the following web link:; https://www.optimizely.com/company/csr/

  Wellbeing

  Please find more information regarding this via the following web link:; https://www.optimizely.com/company/csr/

Pricing

• Price: £120,100 a unit
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Joe.duffell@optimizley.com. Tell them what format you need. It will help if you say what assistive technology you use.