A Governed Platform, Not a Collection of Tools
Optimizely's DXP security controls are built into how the platform is hosted and accessed rather than bolted on around the edges. It provides security and compliance teams a single environment to reason about, with consistent controls. That is materially easier to defend in an audit than a patchwork of tools each with its own security model.
This matters more every year, as regulated industries build more user-facing digital experiences. Each new digital initiative has to meet security-focused expectations. When those experiences run on a governed platform, the organization is extending an environment it already understands. When they run on scattered systems, every addition is a new risk to assess.
Optimizely's value here is that it gives regulated teams a place to create and optimize digital experiences while staying closer to their privacy and security requirements, rather than drifting away from them with each new initiative.
ISO 27001: Evidence, Not Just Assurance
Regulated buyers require evidence of controls and process. This is where ISO 27001 comes into play: it certifies that Optimizely operates a formal information security management program, audited by an independent third party.
Optimizely has achieved ISO 27001:2022, along with ISO 27017:2015 and ISO 27018:2019.¹ ISO 27001 governs the information security management system, ISO 27017 adds controls specific to cloud services, and ISO 27018 addresses the protection of personally identifiable information in public cloud environments. Together they speak to the management system, the cloud delivery model, and the handling of personal data.
All three certifications apply to the CMS, Commerce Connect, and Web and Feature Experimentation products.¹ Campaign carries ISO 27001:2022 along with TISAX, and other products in the suite, including Configured Commerce, the Optimizely Data Platform, Analytics, and the Content Marketing Platform, carry SOC 2 Type 2 attestation.¹ For an evaluation team this is reassuring and easy to act on: the core platform sits in the full ISO-certified tier, the rest of the suite carries independent attestation, and confirming which standard governs a specific product is a quick verification step rather than an open question.
ISO 27001 is most useful understood as a framework rather than a badge. It requires the organization to identify its information assets, assess threats and vulnerabilities, implement controls proportionate to risk, and subject the whole system to periodic independent audit, with continual improvement built in rather than a fixed baseline. For a buyer who has to demonstrate to auditors that their platform vendor maintains active, evidenced security governance, that is exactly the right kind of proof, and it is the kind of documentation C2 helps clients put in front of their security and procurement teams during evaluation.
The infrastructure underneath reinforces the picture. Optimizely's DXP runs on Microsoft Azure data centers certified to more than 90 compliance standards, including ISO 27001, FedRAMP, and SSAE 18 SOC 2.² Access to customer applications is limited to a subset of employees on a least-privilege basis, through feature-limited portals over encrypted connections with multi-factor authentication, with access logged.² This is a well-constructed program, and it gives regulated buyers a solid foundation to build on.
HIPAA Readiness: A Big Step for Healthcare and Life Sciences
HIPAA does not certify technology products. There is no formal certification process under the regulation, so any vendor describing itself as HIPAA-ready is describing practices aligned to HIPAA's requirements. Setting that expectation correctly matters, and within it, Optimizely's move is a genuine advance for healthcare organizations.
On November 20, 2024, Optimizely announced HIPAA-ready solutions for Healthcare and Life Sciences, specifically naming PaaS CMS, SaaS CMS, and Web and Feature Experimentation as HIPAA-enabled, and committing to act as a Business Associate when partnering with these customers.⁴ As a business associate, Optimizely commits to maintaining appropriate technical and organizational measures to safeguard Protected Health Information, notifying customers of breaches without undue delay, and signing Business Associate Agreements with enterprise customers.¹
For healthcare organizations that previously had no viable path to a BAA with the platform, this opens the door to building patient-facing digital experiences on Optimizely with the contractual foundation HIPAA requires.
Healthcare organizations need vendors who can support how ePHI is handled, protected, and governed, and the HIPAA-enabled CMS is purpose-built for that. It operates within defined boundaries by design: it exchanges data only with other HIPAA-enabled integrations, and certain standard features are intentionally excluded to preserve compliance, including SendGrid SMTP, production database exports, content sync-down, edge log exports, and project migration.⁶ These are deliberate architectural choices, and knowing them in advance lets an implementation team design around compliant alternatives from the start. The documentation is also clear that integrations and additional tools the organization brings must themselves be HIPAA-compliant, which is the standard shape of a shared responsibility model.⁵ ⁶
This is precisely the layer where an experienced partner earns its keep: C2 designs and implements within those documented controls so that ePHI handling is governed in practice, not just supported on paper. As with any forward-looking product commitment, the official announcement includes a Safe Harbor disclosure noting that future HIPAA-related features remain at Optimizely's discretion.⁴ The sound practice, which we follow with clients, is to confirm current coverage and scope in writing and reflect commitments in executed agreements before deployment.
Opal: Native AI Inside the Governed Environment
Regulated teams are adopting AI quickly, and the most common way that adoption goes wrong is through sprawl. When marketers and analysts paste content, customer information, or draft communications into separate external AI apps, that data leaves the governed environment and lands in repositories the security team did not vet and cannot see. Every external tool is another place data moves, another permission model to reconcile, and another blind spot in the audit picture.
Opal, Optimizely's native AI platform, addresses that problem by keeping the work inside the DXP ecosystem. It operates across the Optimizely One suite, originated as an AI assistant, reached general availability in its current credit-based form in May 2025, and was expanded into a full agent orchestration platform announced at Opticon in September 2025.⁷ ⁸
Because Opal runs inside the platform rather than alongside it, the same governance lens the organization already uses everywhere else applies to AI work as well. That is a meaningfully better security posture than AI sprawl across disconnected external tools: fewer tools to inventory, less unnecessary data movement into unvetted repositories, tighter control over where work occurs, easier alignment with existing permissions and workflows, and a clearer picture for security teams of what is being used and where data is going.
Two design details reinforce this for regulated buyers. First, the data posture: Opal uses Google Gemini through a business account, and per Optimizely's documentation, customer data is never used to train the model or shared across customers.¹⁰ ¹¹ Second, the controls: administrators must explicitly grant users access to Opal, and it can be disabled organization-wide through the Opti ID Admin Center.¹⁰ The 2025 Gartner Magic Quadrant for Content Marketing Platforms observes that Optimizely "reduced potential AI risks by enhancing its compliance and security features with role-based access control, which is ideal for large enterprises."⁷
One scoping note applies to healthcare specifically, because precision here protects everyone. Opal is not itself listed among Optimizely's HIPAA-enabled products, and because a HIPAA-enabled CMS exchanges data only with HIPAA-enabled integrations, the right step is to confirm with Optimizely which Opal capabilities are available within a HIPAA-enabled configuration before building Opal into workflows that touch PHI-adjacent content.⁶ That belongs in the contracting conversation rather than post-go-live discovery, and resolving it early is part of a well-sequenced deployment. The broader native-AI advantage holds regardless: keeping AI work inside a governed environment is a stronger starting point than dispersing it across tools no one is watching.
The Security Takeaways
Three points summarize the appraisal. Optimizely gives regulated customers a stronger governed platform foundation, evidenced by ISO 27001 certification across its core products and SOC 2 Type 2 attestation across the suite, rather than a loose collection of tools. Its HIPAA-ready CMS and Experimentation products help healthcare and life sciences organizations build secure, governed digital experiences with the contractual footing HIPAA requires. And Opal adds AI orchestration inside that same secured ecosystem, which is a safer path than the external AI sprawl most organizations are otherwise drifting toward.
What This Means in Practice
A capable platform becomes a confident deployment through a short sequence of questions. Confirm scope: which products and configurations are covered, including under the BAA for healthcare. Confirm architecture: how the HIPAA-enabled configuration shapes integrations and which features are excluded. Confirm shared responsibility: which controls are the organization's and which are Optimizely's, reflected in executed agreements. Confirm operating model: what governance design, content workflow, and access structure will realize the platform's security capabilities in daily operations, including where AI is allowed to run.
Optimizely answers the first three directly and well. The fourth is the organization's to own, and it is where an implementation partner adds the most value. The most useful starting point before platform selection is a governance and content audit that maps the current environment against the requirements of a HIPAA-enabled or ISO 27001-aligned deployment, so the organization arrives at implementation ready to build on Optimizely's foundation rather than discovering its own gaps afterward. A governed platform, a HIPAA-ready path, and native AI inside the same secured environment is a strong position to start from. Pairing it with deliberate governance design is how regulated teams turn that position into a deployment that holds up to scrutiny.
1. https://www.optimizely.com/trust-center/compliance/
2. https://docs.developers.optimizely.com/digital-experience-platform/docs/optimizely-platform-security
3. https://www.optimizely.com/trust-center/security/
4. https://www.optimizely.com/company/press/hipaa-readiness/
5. https://www.valtech.com/en-us/blog/optimizely-dxp-healthcare-transformation/
6. https://docs.developers.optimizely.com/content-management-system/v1.0.0-CMS-SaaS/docs/hipaa-enabled-cms
7. https://www.optimizely.com/insights/the-2025-optimizely-opal-ai-benchmark-report/
8. https://www.optimizely.com/company/press/ai-orchestration-platform/
9. https://www.mi-3.com.au/12-05-2025/optimizely-opal-launches-integrate-ai-marketing-operations
10. https://support.optimizely.com/hc/en-us/articles/36354416686477-Optimizely-Opal-overview
11. https://academy.optimizely.com/student/page/2617305-introduction-to-opal