Experimentation involves periodic website testing and requires data from first-party and third-party cookies for deeper customer segmentation.

Download Free: A/B Testing Guide

Soon ahead in time, we will no longer have third-party cookies. Advertisers and agencies that happen to be the primary and largest users of third-party cookies worldwide will need a robust strategy to pivot, adapt, and survive post the 3P cookie era. 

With third-party cookies becoming history after 2023, we look at how digital marketers, CRO practitioners, and experimentation teams can utilize this lead time to scale their conversions through A/B testing.

But before we move ahead, let’s understand what’s what. 

What is a cookie?

In general parlance, a cookie is the identity of a visitor on a website. In more technical parlance, it is a code, a piece of information that is dropped by a website on a visitor’s browser. This information is created by the website and is preserved in a web browser that can be retrieved by the website at a later time. Cookies inform a server that a visitor has returned to a specific web page. When visitors return to a website, a cookie remembers their preferences and allows the site to offer customized settings and content. It is like a virtual identification.

Companies generally use local storage and visitor-level cookies to track visitor journeys and understand their behavior across the website. Marketers primarily deal with two types of cookies:

• First-party cookies are stored directly on the app or website that you visit. This data is sent to an internal server.
• Third-party cookies are created by external domains that send them to third-party servers such as LinkedIn and Google. These cookies track pixels.

Today, browsers give users the choice to reject cookies. Google’s incognito mode automatically rejects all third-party cookies. 

For example, a visitor visits an eCommerce website, selects an item, adds it to the cart, but exits the session without purchasing it. A cookie enables the items saved in the cart to remain in the user’s basket. So when the visitor returns to the website some other time, they can resume their journey right from the place they left the last time giving them a seamless shopping experience. This is how first-party cookies can be useful for the eCommerce and retail industry.

Let’s take a quick look at the differences between first-party and third-party cookies.

What is A/B testing?

AB testing refers to powerful website tests that are run to nudge visitors further in the sales funnel. These are experiments that test different variations of a page to maximize conversions. In other words, A/B testing compares multiple variations of elements on your webpage and selects the best-performing variation. 

You can test the page headline, font, CTA color, text placements, button placements, etc., and find the variation that attracts the maximum interaction.

How VWO uses cookies

VWO, the world’s leading experimentation platform, uses cookies primarily to keep a record of three broad things:

Tag a particular user

Each user gets a unique tag called UUID, which helps VWO identify this user across the website, experiments, and products. This is like a user’s unique ID number on that website issued by VWO.

Identify which variation the user was shown before

Was this user exposed to a particular experiment before? If yes, what variation did he see? This is to ensure that every time he visits (or across pages), we can retain the experience and serve him the same interpretation. The cookie here acts as on-browser storage of information because, given that VWO runs for billions of users, it can’t store this information on its servers (and make it real-time).

Understand which goals the user has triggered

Having this information ensures we don’t trigger the same goal twice. Our backend systems have a robust check to eliminate repeat conversions.

In a cookieless world, the potential solution that will work will function as follows:

Rather than generating a UUID as a random number, the customer (website owner) can pass to VWO the visitor’s salt (unique id), and VWO will generate a UUID using that salt so the UUID is consistent every time.

Why A/B testing is like saving for a rainy day

Through the countdown to a cookieless world, businesses have the opportunity to adopt and leverage experimentation through A/B testing their website and mobile app and increase conversions ahead of an uncertain cookieless era. 

Why is it essential to A/B test, you may ask? Let’s see two scenarios viz. A/B testing in a world with cookies and A/B testing in a cookieless world.

A/B testing in a world with cookies

A/B testing relies on cookie data that tracks visitor behavior and experience on a webpage. This data enables experimentation and CRO teams to optimize web experiences for specific user segments. 

The cookie helps to identify whether a visitor should be shown variant A or B of a test whenever they visit the website. This identification saves a visitor from seeing both variants thereby avoiding experiment bias and confusion.

For example, VWO collects only a visitor ID through cookies which typically is a UUID (Unique User ID) that does not contain any personal data. A UUID looks like 4201E4DB-4C25-BA4DD31-C137C718D30E.

It helps differentiate one visitor from another. It also means that VWO cannot identify or track individuals.

Download Free: A/B Testing Guide

A/B testing without cookies

Without cookies, a website visitor is seen as a new user every time they visit a website. This means the visitor could be seeing variation A on one visit and variation B on another visit. This results in incorrect attribution of conversion to each variation.

It will become very difficult to identify a winning variation correctly. However, first-party cookies can still be used for A/B testing.

Impact of a cookieless world on advertisers and optimizers

Google has opted out of methods that collect PII (Personally Identifiable Information) after implementing Federated Learning of Cohorts (FLoC), also known as Privacy Sandbox. This makes individual users unidentifiable as they are grouped into cohorts based on their buying behavior. Advertisers can target their ads to these cohorts and thus safeguard the privacy of individual users on a website.

In general, cookies track visitor journeys on a web page. It includes their preferences, interests, clicks, and engagement on a website. Advertisers and marketers can rely on first-party cookies to run successful A/B tests.

Let’s take a quick look at the possible solutions in a cookieless world.

What’s the solution to a cookieless world?

There will be a large ocean of third-party cookie data out there that will become meaningless and frozen in a cookieless world. Programmatic advertising that uses automated technology for purchasing and placing ads on apps and websites is an industry powered by third-party cookies. 

Publishers and advertisers will bear the brunt as they can no longer target segments. It will result in more media buys by platforms and publishers and less cross-publisher programmatic display. Marketers will need to develop first-party data collection tactics to reduce their dependency on third-party cookies. More focus will be on customers who accept cookies. Their profile consisting of email addresses and phone numbers will not face any browser restrictions.

Amplify content to build first-party data

For content consumption, marketers can show surveys/questionnaires to users before/after they consume the content to help in personalization and experience optimization. The survey can include questions about their preferences, choices of content, interests, etc. Gathering this information will help marketers show similar types of content as recommendations and add to the user experience. 

For example, a pop-up that shows on a blog page says ‘Do you like what you’re reading? Sign up for more such content so you don’t miss any of our latest blogs.’

Another example could be that of a pop-up asking to sign-up for a free trial of a software product as shown in the image below.

Identify cohorts

With larger cohorts for targeting, a cookieless world would mean pre-segmentation and post-segmentation challenges, as re-targeting individuals would no longer be a possibility. Personalization and optimization campaigns will need inferred data for recommendations. Identifying cohorts is possible through inferred data. 

For example, a visitor fills out a form on the SaaS webpage to download a whitepaper. The form values that include email id, name, or phone number are first-party data. Inferred data will be a deep dive into this data to understand and analyze which whitepaper has been downloaded, what problem the whitepaper solves for the visitor, etc. With this inference, a cohort is created with similar other visitors who download similar whitepapers to target them as a group with more related information using their interests, and intent derived through the inference. 

These cohorts substitute the present-day individual user for targeting and re-targeting campaigns. So, the deeper the identified cohorts, the more precise the targeting using recommendations and relevant information that is useful for the cohort.

Boost marketing outcomes

First-party data would become the driving force for marketers and advertisers. Marketing will become less aggressive. So marketers will be required to find the right time to take the right content to consumers without affecting their privacy. Real-time machine learning will add value to the efforts of marketers for timely targeting. According to a study by Boston Consulting Group, marketers using first-party data generated almost double the revenue from single ad placement.

Marketers can boost their performance by making customers easily find what they are looking for quickly and efficiently. This will drive customer experience and desired outcomes for businesses. For example, in eCommerce, a user signing in is recorded as first-party data and any engagement of the user on the website will be recorded through cookies that are unique to the user. 

Conclusion

The present digital ecosystem will be very difficult without cookies or local storage. Browsers will be coming up with features to enable sharing cookies across trusted domains, strengthening first-party cookies and allowing us to move away from third-party cookies. 

Optimizers, agencies, digital marketers, and advertisers need to build robust strategies around first-party cookies to make A/B tests and marketing campaigns successful. 

With more organizations adopting experimentation, in the long-run, A/B testing will add more value and build a powerful testing engine that drives results for businesses even in a cookieless world. Take an all-inclusive free trial with VWO to explore its A/B testing capabilities.

What does privacy mean for an Experimentation Platform?

As data powers experiments, upholding the confidentiality and security of this data becomes essential. If you’re a company that runs experiments, you are governed by data privacy, security, and compliance laws applicable in your region. Therefore, it becomes essential for you to choose a privacy-first experimentation tool.

Download Free: A/B Testing Guide

The question then arises – How do you know if you can trust an experimentation platform to meet the necessary privacy-related criteria? To ascertain this, you need to evaluate what kind of data is collected by the platform, where it is stored, how it is used, and if there are any security, privacy, and compliance risks. 

In this article, we’ve answered these crucial questions in the purview of VWO. 

At VWO, we believe that privacy is a fundamental human right. We are committed to providing you with products, information, controls, and transparency that allow you to choose how your information, and that of your users, visitors, and customers, is processed. We owe our growth to our customers, and winning their trust is our top priority. Therefore, keeping customer data confidential and compliant is paramount to us. 

Security is at the heart of how we build our products, policies, and processes to provide high resiliency. We follow security-by-design principles to protect information systems and customer information so that you can experiment and build the best customer experience using the platform you truly trust.

Which data is collected by VWO?

The entirety of the data gathered by VWO is classified into the following two categories:

• Customer Account Data: This is the customer’s data of VWO, associated with their purchase and use of the VWO Experimentation platform and services. This data includes customers’ login and contact information, campaign configurations, account configurations, billing configurations, and other similar data necessary to use and run the VWO application.
• User Data: This is the data of the visitors or end-users (who arrive at the customers’ websites/applications) collected as part of the campaigns executed via VWO. This data powers all the features in the VWO application viz session recordings, heatmaps, surveys, A/B tests, MVTs, etc.

VWO servers collect and store UUID (Unique User Identifier) information in the pseudonymized format. A UUID is a 128-bit number used to identify information in computer systems. As VWO pseudonymizes the UUID before storing it using a one-way hashing function, the information that can point to the identity of a visitor is replaced by “pseudonyms,” and the identity is protected.  

VWO servers store user agent data, including the following information for customers using the report segmentation in VWO’s Experimentation Platform:

• IP Address of the visitor in an anonymized format.
• Referring URL to know from where the visitor came to your website.
• Type of visitor – new or returning.
• A location such as country, city, and region. You can select what level of location information you want to store here.
• Information on the device used to access the website, including the OS, user agent, mobile/tablet/desktop, and browser.
• Time of the visitor action or goals data includes clicks, scrolls, revenue, etc.

This data is collected as the end-user or visitor interacts with your website.

For one of our products – ‘VWO Insights’, VWO servers process additional data types for heatmaps, session recordings, surveys, and other features that provide visitor behavior insights:

• Recordings of visitors’ actions on the website to analyze visitor behavior in a video format. 
• Scroll data to understand the depth of user interaction on your website content.
• Mouse movements to analyze visitor behavior on a page.
• Mutations.
• Device orientation and change behavior for mobile devices.
• HTML content of the webpage.

For lawful grounds for the processing of data, data subject rights, and purposes of processing of personal data, please refer to our privacy policy. 

Where does VWO store data?

VWO has always been fully compliant with GDPR. Both VWO customers’ and their users’ data has historically been stored and processed in the US-based data center, complying with GDPR law. This data center serves over 2500 satisfied customers globally, with more than a thousand in the European Union.

We took the next natural step with a continued commitment to privacy and security. We recently launched a European Union(EU) data center to ensure that user data doesn’t leave the international EU borders. Hosted in Belgium (Europe-west1 of GCP), this data center caters to those who prefer to store and manage their end-user data within the EU. The data of the visitors as processed by VWO is as per the Data Protection Agreement (DPA) for the entities that choose to configure their accounts with this data center.

How safe is your data with VWO? Can it be leaked, distributed, or accessed?

VWO’s enterprise-grade platform has been designed keeping in mind the high level of security expected by world-class businesses. With VWO, you can rest assured that any data stored by us remains safe, confidential, and accessible. By ‘safe,’ we mean that the data will be protected against any type of loss or corruption.  ‘Confidential’ means access to the data is granted only to authorized personnel, and by ‘accessible,’ we mean that the data is available only to authorized users whenever required.

This data protection guarantee comes from a combination of physical and code security, configurable application access, regular vulnerability scans, and consistent data availability. You can read more about this in our knowledge base article. 

How does VWO manage data deletion and access?

By default, VWO identifies and anonymizes any Personally Identifiable Information (PII) or users’ sensitive data before storing it on its servers. PII includes passwords, social security numbers, phone, card information, and other personal data. 

For deleted or expired accounts, the data is deleted within 45 to 90 days from the date of expiry. As a VWO customer, you can write to VWO support requesting immediate deletion of accounts or specific user data if you want to prioritize this. 
VWO has established policies and procedures to dispose of electronic and physical media containing PII, account data, and sensitive and confidential information to ensure its servers’ data security. You can read more about it in our knowledge base article.

How is VWO’s product strategy aligned to our privacy-first approach?

At VWO, we back ourselves up with robust data security and privacy practices that form an integral part of our product engineering and development. These principles have a robust framework for building secure systems that address all threat vectors by default and by design.

Keeping in line with this, the below settings are a part of our product suite:

1. You can opt your visitors out of VWO tracking without hampering their experience on your website.

Even though VWO never tracks the end user’s personal data, your visitors have the choice to opt out of getting tracked by VWO. 

As a website owner, you can make your visitors opt out of VWO by either generating an opt-out link and sharing it with your website visitors or using VWO’s opt-out API. 

The opt-out API has two versions. When you fire this API in the first version, all VWO cookies are deleted, and VWO stops visitor tracking immediately. If the visitor in question returns to the page, they will still not be considered for VWO tracking. Therefore, they won’t see any campaign changes on return visits.

In the second version, you can opt a visitor out of VWO tracking but still show the experience (campaign changes) that they have seen earlier. For example, say a visitor has seen variation A of a specific campaign, and you now want to opt them out of VWO tracking while showing the same variation to the visitor on his return visits. When you fire this API, VWO stops visitor tracking immediately. However, the visitors continue to see the same variation they were previously a part of.

2. You can easily seek consent before collecting visitor data, and you can do so more responsibly than before.

In view of applicable data protection laws, it is necessary to display a cookie banner informing visitors about cookies or obtain consent before tracking their data. This ensures that you can only do so with their permission if you use tools/scripts on your website to identify individuals and their personal information.

VWO gives you the option to configure triggers for VWO Insights so that you can track visitor data more carefully, responsibly, and with consent. Any visitor action can be used to trigger the collection of Insights data. You can write custom JavaScript code that can listen for visitor actions, and decide based on the kind of pages visited or any scenario you want to validate before collecting Insights data. This knowledge base article describes the process of setting up a custom trigger in VWO.

How do we ensure cookie compliance?

VWO uses cookies and local storage to understand visitors’ behavior and track visitor journeys on your website to deliver the best experiences. The cookies identify the variation in an experiment that the visitor views and help serve the same variation to the visitor consistently. These cookies also track visitor actions, determine whether they are part of a campaign, etc. However, the only information that VWO collects about a cookie is a visitor ID, i.e., a UUID explained previously above that does not contain any personal data. This UUID helps distinguish one visitor from another, but no individual or consumer can be tracked or identified by VWO. 

As part of compliance requirements under applicable data protection laws and regulations like GDPR, PECR, CCPA, etc., it is necessary to obtain informed consent from visitors before deploying any cookies or trackers to process their data. VWO does not collect any sensitive information. However, as a user, the decision to implement VWO with cookie consent or not is entirely up to you. Always consult your legal counsel to determine which implementation is appropriate for you. They can help you make an informed decision considering the data privacy rules of the countries you operate.

The VWO SmartCode is an automatically generated code snippet that you must add to enable VWO on your website. You can choose to execute the SmartCode without the visitor’s consent, i.e., you do not require any permission before deploying cookies or trackers to process visitors’ data. You can also choose to execute the SmartCode after obtaining the visitors’ consent (this is for VWO Insights and Engage; the Testing campaigns execute without the visitors’ permission). You can also go for conditional execution – here, the SmartCode is executed only after visitors’ consent is obtained, irrespective of the product you’re using. Furthermore, VWO communicates with cookie consent managers via callback when the visitor accepts or rejects the cookie, allowing you to run the SmartCode based on valid consent.

Depending on the data privacy rules in the countries you operate, you can make an informed decision. This knowledge base article discusses choosing the correct method for implementing the SmartCode.

Download Free: A/B Testing Guide

How does VWO ensure security?

More than 2500+ customers trust the VWO Experience Optimization Platform with their data, and this responsibility is something we take very seriously. All data reaching VWO servers from recordings, survey responses, or the custom dimension is encrypted using the industry-standard AES-256 encryption algorithm. You can read this knowledge base article for details.

We’ve also incorporated security fundamentals into the following aspects of our daily operations:

Organizational structure and governance

Wingify (makers of VWO) has established a Corporate Security and Compliance Team (CSC) consisting of key personnel whose responsibility is to identify security and compliance concerns across the company.  This team acts as the first line of defense in enhancing the appropriate security and compliance posture. This team reports to the CEO.

Risk management – ISO

ISO/IEC 27701:2019 (ISO 27701) is internationally recognized and a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). Any ISO/IEC 27701 audit requires the organization to declare applicable laws/regulations in its criteria for the audit. This means that the standard can be mapped to many of the requirements under GDPR, California Consumer Privacy Act (CCPA), and other laws. Once mapped, privacy professionals implement the ISO/IEC 27701 operational controls and audited by internal or third-party auditors, resulting in certification and comprehensive evidence of conformity.

VWO has received an accredited ISO/IEC 27701:2019 certification as a PII processor and controller after undergoing an audit by an independent third party.

ISO/IEC 27001:2013 (ISO 27001) is an internationally-recognized framework that specifies the requirements for establishing, implementing, maintaining, and improving information security management within an organization. VWO has received the ISO 27001:2013 certification from British Standards Institution (BSI), the international standards company. The ISO 27001:2013 certification demonstrates our commitment to information security at every level. Compliance with this internationally-recognized standard validated by an independent third-party audit confirms that our security management program is comprehensive and follows industry-leading practices.

Access management

All users in a VWO account are assigned an access level that determines the actions users can perform in the VWO account. If you are an account owner or administrator, you can change the access level at any point in time.

Authentication and password management

To ensure the sanctity of your VWO account, we have added an extra layer of security in the form of two-factor authentication (2FA) that prevents bad actors from accessing your data, even if they know your password.

Two-factor authentication(2FA) relies on two security measures to prevent intruders from gaining access to your VWO account. Once 2FA is enabled, to sign in to your account, you’ll need to provide something you know, i.e., your password, and something you have, i.e., a six-digit one-time code sent to your email at the login time (or by using popular TOTP based apps to generate the code).

With 2FA, you can ensure that your account is not compromised even if a malicious virus exposes your password or hackers gain access to your password by brute force.

Session management

Every time a VWO user signs in to the VWO account, the system assigns a new session identifier for the user. The session identifier is a 64-byte random generated value to protect the account against brute force attacks. After seven days, all sessions time out, requiring the users to sign in to their account again. Also, all the active sessions are set to time out after 4 hours of inactivity.

Network and transmission security

VWO is hosted on secure servers managed by GCP. Any physical access to the GCP data centers is restricted to everyone. Firewalls are configured using industry best practices, and all unnecessary ports are blocked.

As a VWO user, you are always connected to the VWO web app via HTTPS using Transport Layer Security (TLS) version 1.2 and higher, a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.

Access control

You can assign roles and permissions to each user you add to your account to ensure an appropriate level of access to your VWO account. You can restrict access to your VWO account to specific IP addresses. You can also enable alerts to email you whenever particular activities occur in your account.

Internal access to data

The data stored on VWO’s production servers are accessible only to the SVP of Engineering and lead engineers. No other member of VWO has access to customer data unless specific access permission is granted by the Chief Executive Officer and SVP-Engineering for resolving technical issues.

Security in engineering as part of product development

Thorough quality checks are an integral part of our development process. No code goes live unless reviewed and approved by the QA team. The staging or test environment is fully separated from production and does not use any production data. Any new feature goes through a security review before being deployed to production. Also, external VAPT (Vulnerability Assessment and Penetration Testing) audits are carried out at the system level to assess for potential vulnerabilities. 

Data breach

In the event of a breach in data security, we notify our customers within forty-eight hours of the incident’s detection. We have incident management policies and procedures to handle such events or emergencies.

What does all this mean for the customers of VWO?

As a customer of VWO, what this means for you in a nutshell, is as below:

• VWO collects only such data necessary for security and for the purposes of product enhancement, marketing, and analytics – and with your visitors’ consent. Any personal information, if collected, is anonymized. 
• This data is stored securely and as per applicable data protection laws including GDPR, PIPEDA, CCPA, POPIA, DPDPA, etc.
• This data remains safe, confidential, and accessible to you at all times. 
• Robust and safe processes govern data deletion if your account with us is deleted or expired. 
• Privacy forms an integral part of our product strategy, and any product enhancements are designed on privacy-first principles.
• We ensure cookie compliance as part of data protection policies like GDPR.
• We ensure the security of your data with the help of our Corporate Security and Compliance Team by procuring and maintaining information security certification through robust access, password and session management, and relevant disaster management policies. 

Our Corporate Security and Compliance Team, along with members of our senior leadership, have taken the following measures:

• We have raised awareness across the organization through frequent discussions in our internal channels and trained employees to handle data appropriately.
• We have assessed all our products individually against the requirements of the GDPR. We have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
• We have appointed internal privacy trust champions for all our teams. We have also established a Data Protection Officer (DPO).
• Our application teams have embraced the concept of privacy by design and have provided you with more control over the data you store in our systems. We constantly endeavor to provide you with more enhancements, rolled out in phases. We have implemented appropriate organizational, technical, administrative, and physical safeguards to protect our organization’s security, confidentiality, integrity, and privacy of Personal Information and customer data.

With these measures in place, as a customer of VWO, you are compliant with privacy laws, your data is safe with us, and the privacy of your website visitors is respected and protected at all times. 

As an experiment owner not using VWO, it is not sufficient if you’re simply privacy-conscious. You will need to prioritize data privacy and integrate it within your experimentation stack as well as your roadmap. You can get in touch with our product experts if you wish to understand more about how VWO can help you do so.

With progressing technology, cyber-attacks are evolving by the hour. With more than 89% of businesses using software as a service (SaaS) as their cloud computing model, security is the biggest and one of the most concerning challenges for online businesses.

Download Free: A/B Testing Guide

SaaS has been there for a while. Yes, subscription-based services like Netflix and Amazon’s video streaming vertical Prime are SaaS too, and so are your email services like Gmail and Yahoo. Given its versatility and agility to cater to a large variety of customers, SaaS is a hot-selling model that businesses are adopting to scale globally. But it’s equally challenging for businesses to protect colossal customer data from the prevailing and ever-evolving cyber attacks. If any potential vulnerability is neglected, this data could prove devastating for businesses as customers trust their data with companies and have little control over it. 

To combat such attacks, SaaS businesses need to stay at par with the international cybersecurity standards for robust gatekeeping in their security and compliance endeavours to protect customer data and privacy. In this blog post, we have discussed the security measures VWO follows to stay updated with the dynamic security landscapes, ensuring a seamless and secure customer experience.

Is VWO GDPR compliant?

VWO is not only GDPR compliant but also certified to meet a broader set of international and industry-specific compliance standards, including ISO 27001, ISO 27701, and PCI-DSS, and is also compliant with various other global data protection laws such as HIPAA, CCPA, PIPEDA, etc.

What is the ISO/IEC standard?

ISO/IEC 27701:2019 (ISO 27701) is internationally recognized and built as an extension of the widely-used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. VWO follows the global privacy standard that focuses on collecting and processing personally identifiable information (PII), including passwords, card information, phone number, social security numbers, etc. VWO anonymizes such sensitive data of users before storing them on its servers. This standard focuses on three main factors:

1. Providing a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS).

2. Includes requirements and guidance for organizations acting as PII controllers and PII processors, a key distinction from General Data Protection Regulation (GDPR) compliance, and other privacy laws.

3. Providing confidence to stakeholders and customers that organizations are maintaining the highest standards in managing privacy risks related to PII.

How is it important for VWO?

Being a SaaS organization, VWO handles client data such as personal details, card numbers, visitor profiles, etc., with utmost responsibility and care. To mitigate the risk of any data breaches, VWO anonymizes the data at the point of collection at DACDN nodes, which can never be re-identified once anonymized.

In addition, VWO helps customers minimize their data protection compliance burden right from the point of data collection.

“Data minimization (ensuring that data collection and retention is restricted to only those categories of data that are absolutely necessary for a specific purpose) is a fundamental privacy principle that should form part of any sound information security and data privacy strategy. If you don’t need it, don’t collect it.”

~Maheshnarayan Sarasan, Data Protection Officer, Wingify

In pursuing compliance with the international standards for security and privacy, VWO has received an accredited ISO/IEC 27701:2019 certification as PII processor and controller after undergoing an audit by an independent third party.

This universal framework allows VWO to efficiently comply with new regulatory requirements and keep their customers’ information secure.

Download Free: A/B Testing Guide

How does VWO protect customer data from cyber-attacks?

VWO is committed to ensuring security of customer data by following robust internal data security and privacy practices: 

• VWO does not collect and has maintained strict processes to avoid collecting or receiving PII like credit card information.
• Data Encryption: VWO follows best practices for cryptographic protection controls using trusted cryptographic technologies for data at rest and data in transit. 
• Secure Software Development Life (SDL) Cycle: VWO follows a secure Software Development Life Cycle with an emphasis on security and privacy throughout the product development processes. The SDL cycle includes a set of practices that support security assurance and compliance requirements that help address data protection and privacy requirements which includes effective privacy reviews for every VWO product.

• OWASP Top 10: VWO is protected against OWASP Top 10 security threats. It internally uses OWASP to establish consensus about the most critical security risks to web applications and protect the app from potential external threats at the application level. Customers are also encouraged to conduct vulnerability scans at individual level with VWO’s permission.
• Regular update of software dependencies: VWO has an internal alerting system that flags security updates to the team, enabling them to take swift action to combat any threats. 

Know more about VWO security here.

The way forward: commitment to compliance

More than 2500+ customers trust VWO with their data, and this responsibility is something we take very seriously. With ISO 27701:2019 certification, VWO stands fast on its commitment to build a strong culture of secure systems and privacy across all aspects of the business. The ISO frameworks emphasize continuous improvement, aligning well with VWO’s passion for keeping pace with an ever-changing threat landscape to protect customer data.

One of the recent changes to the international legal landscape surrounding data protection was the July 2020 Schrems II judgment of the Court of Justice of the European Union (CJEU) that declared the European Commission’s Privacy Shield decision was invalid based on the level of government surveillance and control over data in the United States.

In June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) that specifically take into account the Schrems II judgment. These new SCCs have been made mandatory from September 2021. In anticipation of the same, we have already incorporated these new SCCs into our data protection agreements to ensure that we remain future-ready regarding GDPR compliance.

~Maheshnarayan Sarasan, Data Protection Officer, Wingify

If you are looking to build a CRO program to increase conversions for your business and want a breach-free and end-to-end protected and safe ecosystem to work with, start a 30-day free trial with VWO. You can alternatively request a demo to understand the product and get answers to all your security and compliance-related queries/concerns from VWO’s seasoned security experts.