How to go from zero to one in your server-side experimentation journey

How to run complex experiments without fearing performance or privacy issues with VWO server-side testing and solve real issues faced by your customers.

Think of your journey as a Netflix user. If you’re anything like me, you might watch a wildlife documentary on your phone while sipping your morning coffee. Dinner might be accompanied by an old-time favourite like Forrest Gump on the laptop. Weekend nights would be spent toggling between your profile and that of your kids, while trying out new Netflix shows, preferably on a larger screen.  

Now let’s say Netflix is running a country-specific discount campaign. If you are part of this experiment campaign run by Netflix, how do they ensure that you are part of the same campaign every time you log in irrespective of the device and profile you’re using, and see the same promotion everywhere? How do they ensure that your experience with the variation you’re being served is seamless each time and that how you engage with the variation is tracked consistently?

The answer lies in omnichannel experimentation, which is a typical use case of server-side testing.

Should you prefer server-side testing over client-side?

The Netflix example stated above would be extremely complicated to carry out on the client-side and could hamper the user experience. On the server side, it is relatively easy to run and ensures a consistent experience for users. It also ensures minimal impact on page performance. Besides this, it eradicates any privacy-related issues because there is no activity on the browser as such. 

There are other use-cases where server-side testing is recommended for its robustness and flexibility. We will talk about these in this article. But first, what exactly is server-side testing, and more importantly, who is it for?

In server-side testing, the test variations are processed on the web server. When a visitor lands on a page being tested, a variation is fetched directly from the server and delivered to the visitor’s browser. No subsequent modifications then take place on the front end or the browser. Contrary to this, in client-side testing, the original page loads first in the visitor’s browser and your experimentation platform creates the variation on the front-end itself using JavaScript. Let’s understand the scope of these two forms of testing with an example. 

Imagine Mike and Bob are two friends who are trying to experiment with the workings of a new car. Mike is at the wheel and has access to brakes, accelerator, dashboard, and the like. Bob has a view of the internal components like the engine, radiator, battery, etc. Both can influence the car in different ways. What Bob does with his access to the car components can reflect on the outside to Mike. The changes that Mike tests are based on his visibility of the car. From the car buyer’s perspective, the outcome of experiments run by both Bob and Mike can serve equally important, but different purposes. 

Therefore, you don’t have to choose one form of testing over the other. The use-cases are different and the teams using the tools are different. Server-side testing is an experimentation avenue for developers and product managers, just like client-side testing is used more often by marketers. 

Which problems can be addressed with server-side testing?

Server-side tests run by product teams solve problems concerning a myriad of industries from eCommerce and SaaS to banking and media. Some important use-cases where server-side testing is recommended over client-side testing in different industries are described below: 

Product recommendation

Which set of recommended products entices your visitors to purchase more? Server-side testing allows you to test multiple product recommendation algorithms to determine the selection that leads to an increase in sales and revenue. For instance, you can test whether a layout that promotes similar products works better than a layout that promotes the most popular ones. You can also decide whether to upsell or cross-sell based on your server-side experiment findings. 

Shipping fee

What is the ideal cart value that should qualify orders for free shipping? You can test out various thresholds to determine the one that positively influences customers’ purchase decisions. 

Search algorithms

Experimenting with your search algorithm requires modification to your existing code and the flexibility to test deep. You want your visitors to be able to quickly find what they are looking for and you can test your search algorithm on the server-side to achieve this. 

Form length

Free trial and demo request forms are crucial to SaaS businesses. But what is the ideal form length that ensures fewer drop-offs while also capturing all the required information? You can test out the non-mandatory fields via client-side testing. If a field is obligatory, just hiding it using JavaScript will not work, because the form validation done by the server-side logic will fail. Hence server-side testing is recommended to experiment with mandatory fields to optimize your form length and complexity. 

Deals and discounts

While the style, look and feel, and placement of deals on your home page can be tested easily on the client-side, there are other important factors like the value of the discount, its duration, or eligibility criteria to consider. You can test on the server-side to determine the optimal value and ensure that they are consistent across channels for a particular visitor. 

Sales incentives

Testing dynamic incentives like limited-period offers or stock clearances requires the flexibility of server-side testing because of the granularity involved.  

Subscription flows 

How many steps should ideally be involved in a subscription process? Should social logins be provided? Experimenting with the subscription flow can help answer these questions.

Different steps in subscription flows


Paywalls

Server-side testing allows you to test various paywall configurations in a foolproof manner. As a publisher, you can run server-side tests to experiment with your gated content and monetize it. Running the same test on the client side is not recommended, because visitors can make their way around a paywall by deleting or opting out of cookies. 

Different formats of paywalls

Mobile banking 

Multiple elements can be optimized within the sign-up process for a loan or a credit card. But when it comes to mobile banking, data security becomes paramount. With client-side testing, sensitive data collected by banks or financial institutions could be vulnerable. To avoid this risk, server-side experiments are usually recommended for banking applications. 

Let us now understand how you can run Feature tests on the server side and the advantages of doing so with VWO. 

How VWO makes server-side tests easier

For the server-side use-cases described above, VWO gives you the flexibility to structure your campaign either as A/B tests or Feature tests. Feature tests are used to validate values of feature parameters and give you the control to quickly configure a feature, without writing code. In some use-cases, like testing which search algorithm is better, it is possible to structure the campaign either as an A/B test or as a Feature test. 

For instance, say you want to evaluate three vendors for the search algorithm they have built for your website.

Feature testing enables a product manager like you to quickly test and conclude with minimum dependency on engineering and maximum control of the configuration. With VWO’s Feature testing capabilities, you get a set framework where you need to write less code because the platform does most of the heavy lifting for you. In Feature testing, the algorithm can be defined as a feature variable and be configured in control and variation of an experiment from the platform setup flow itself to test which search algorithm is more efficient.

This experiment can be done via server-side A/B testing also. VWO facilitates the traffic distribution and experimentation statistics model capability via its server-side SDKs. Engineering teams can use the same to insert the code of the search algorithms and test which is more impactful.

Here are some other scenarios where Feature testing comes in handy. Say that a third-party vendor handling mobile recharges wants to charge a nominal amount to users per recharge. They want to test the appropriate amount for the same. Or a company like Airbnb, where the property charges are handled by the owner, wants to add in a cleaning fee and see if that impacts the number of bookings. This is a typical experimentation use-case for various companies to find the sweet spot where a service charge can be inserted without impacting the north star metric. It could be in the form of a convenience fee, facility fee, covid fee, packaging fee, or something similar. 

Complex use-cases like the one described above are super easy to test in VWO. Here’s an explainer video that shows you how you can quickly create a convenience fee feature and assign a value to it (in this case the amount of the fee). You can link your hypothesis of identifying the fee that adds to revenue without impacting the number of bookings, choose the environment you’re running the test on, and enable your variations. Once you do that, you’re provided with a campaign code that goes on your server. All that remains is for you to define the goals you want to track and segment your audiences if you wish to – that’s it, your campaign is ready.

If you are a product manager and you see on the dashboard that variation 3 is not working for the users and is negatively impacting revenue, you can kill it right there by simply disabling the variation in VWO. As shown in the screenshot below, this does not impact the code and doesn’t require your engineering team to make any changes. You need to turn it off, click ‘save’, and the variation stops receiving traffic.


Screenshot of a Feature test campaign in VWO

Essentially, the code needs to be implemented only once per campaign.

Should you build or buy a platform to run server-side tests?

Let’s put an end to the build vs. buy debate. VWO is not just a random number generator that shows different variations to different audiences and captures conversion events. VWO is a complete experimentation platform with a robust statistical model. To weigh in on whether to build a server-side testing mechanism in-house or invest in a platform like VWO, you need to consider three primary factors:

  1. Cost of ownership 

Even when companies manage to build the required infrastructure in-house, they still need to manage and scale it. Paying your development teams to build and maintain an experimentation engine like VWO instead of focusing on their core jobs is likely to end up being more time-consuming and costly for you than investing in VWO.

  2. Ease of use

You could build a solution that shows a certain variation to a certain audience – but would you have an easy-to-use interface that can be controlled not only by the engineering teams but also by product managers? If not, that’s another blocker for you to run server-side tests. 

  3. Intuitive reporting

Typically, an in-house solution would give you basic things like the number of visitors and the conversions that are coming from a particular variation. But what you need is a statistically significant result. You need your reports to be powered by a Bayesian statistics engine like VWO SmartStats. That’s where the gap lies – you can build a basic solution that’s hard to maintain and spend time and resources on deciphering the p-values. Or you can choose a solution like VWO, where a dedicated team maintains and scales the platform and has spent years on the Bayesian algorithm to give you easily interpretable results. The in-app dashboard in VWO enables even your non-technical team members to understand results; they don’t need to rely on the Analytics team to keep track of experiments or create result dashboards – thus saving time and reducing the cost of experimentation.

  4. Error-free mechanism

Building a server-side testing solution in-house can be prone to errors, and on that scale, the errors might not be easily discoverable. Compare that to the quality of a platform that is used by global brands and you’re assured that the chances of errors creeping in are minuscule. Any errors, if at all, are flagged and rectified at the earliest by a capable support team available to you. 

Besides, when you invest in a managed platform like VWO, important best practices are built into the product. You don’t have to worry about removing the outliers from your results, visualizing your data, or about issues arising due to version updates.

Must-have capabilities to run complex server-side tests with integrity

Running server-side experiments can be very fruitful when executed correctly. To do so, you need to have the right set of feature capabilities. Some of these are laid out below:

  1. Randomization of visitors in each test – In testing, when you’re bucketing your audience into campaigns, the randomization of visitors needs to be truly random and not pseudo-random.
  2. Consistent omnichannel experience – While the bucketing of users needs to be random, you also need to ensure that one user experiences the same variation each time they log in, irrespective of the device they are using. The experiment should carry forward without any glitches. 
  3. Mutually exclusive campaigns – Let’s say you have three factors to consider while determining whether a user should be part of your test. These could be usage regularity, low likelihood of churn, and timezone. Apart from taking into consideration these variables, you also need to determine exclusivity – so how many tests can the user fulfilling these conditions be a part of? This needs to be determined in a way that doesn’t lead to skewed data and enables you to attribute the improvement in conversion rate to the right campaign without bias. 
  4. Standardized naming convention – Whether you’re setting up a new feature to test or a feature flag, you need to follow a standard naming convention to avoid mix-ups and cases of initializing the wrong features or tests. 
  5. Unique and hassle-free campaign identifiers – You should use an alphanumeric key to uniquely identify the test in your code and avoid any hassles at a later stage. 
  6. Choosing the right environment – You should specify the environment in which you’re running your test – for instance, you can deploy the test in the staging or QA environment for your QA team to validate the experiment. A sanity check of your test is crucial to its success and you should have the option to choose the right environment for it. 
  7. Logical traffic allocation – When you’re running multiple campaigns or when you have an important event announcement like a Black Week Sale, for instance, you need not include the entire set of visitors landing on your page in your test. You should choose the percentage of traffic that you want to include in your test campaign and also how you want to distribute this traffic among the variations. 
  8. Calculation of the time to reach statistical significance – Your estimated time for your test to reach statistical significance should be determined by the present conversion rate of your primary goal and the minimum improvement that you wish to achieve through your variations. It should also consider a 95% probability to beat the baseline conversion rate. 
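One way to implement items 2, 3 and 7 of the list above (consistent assignment, mutually exclusive campaigns, traffic allocation), as an added example and not VWO's SDK code: the server derives every decision from a keyed hash of a stable account ID, so the same user gets the same variation on every device and clearing cookies does not change it. The function names, the key and the campaign key `convFee01` are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed server-side secret for this example. In practice it is loaded
# from configuration and never sent to the browser, so clients cannot predict
# or choose their own bucket.
BUCKETING_KEY = b"constructed-example-key"


def _draw(purpose: str, scope: str, user_id: str, key: bytes) -> float:
    """Deterministic value in [0, 1) for (purpose, scope, user_id).

    Fields are length-prefixed so two different inputs can never serialize
    to the same byte string.
    """
    message = b"".join(
        len(part.encode()).to_bytes(4, "big") + part.encode()
        for part in (purpose, scope, user_id)
    )
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Keep 53 bits so the quotient is exact in a float and strictly below 1.
    return (int.from_bytes(digest[:7], "big") >> 3) / 2**53


def pick_exclusive(user_id, group_key, campaign_keys, key=BUCKETING_KEY):
    """Choose exactly one campaign of a mutually exclusive group for a user."""
    if not campaign_keys:
        raise ValueError("group has no campaigns")
    ordered = sorted(campaign_keys)  # result must not depend on list order
    return ordered[int(_draw("group", group_key, user_id, key) * len(ordered))]


def assign(user_id, campaign_key, traffic_percent, weights, key=BUCKETING_KEY):
    """Return the variation name for this user, or None if not in the test.

    user_id must be a stable account identifier (not a cookie or device ID)
    so that the assignment follows the user across devices and profiles.
    weights maps variation name -> relative share of the included traffic.
    """
    if not campaign_key.isalnum():
        raise ValueError("campaign key must be alphanumeric")
    if not 0 <= traffic_percent <= 100:
        raise ValueError("traffic_percent must be between 0 and 100")
    if not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be non-empty and positive")

    # Draw 1: is this user part of the campaign at all?
    if _draw("include", campaign_key, user_id, key) >= traffic_percent / 100:
        return None

    # Draw 2 (independent of draw 1): which variation do they get?
    point = _draw("variation", campaign_key, user_id, key) * sum(weights.values())
    cumulative = 0.0
    for name, weight in weights.items():
        cumulative += weight
        if point < cumulative:
            return name
    return name  # guards against float rounding at the upper edge


if __name__ == "__main__":
    weights = {"control": 50, "fee_20": 25, "fee_40": 25}
    # The same account on a phone and on a laptop resolves to the same answer
    # because nothing device-specific enters the hash.
    for device in ("phone", "laptop"):
        print(device, assign("account-1001", "convFee01", 40, weights))
    print(pick_exclusive("account-1001", "checkout", ["convFee01", "shipFree02"]))
```

Because the assignment is recomputed from the account ID on each request, no bucket needs to be stored in the browser, and rotating `BUCKETING_KEY` reshuffles every user, so it should stay fixed for the life of a campaign.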

These are some of the best practices and must-have features of server-side testing – the actual list is much longer. As mentioned earlier, you could either build these capabilities in-house, or you could use VWO where we do the job for you. 

In conclusion

Whether you’re a developer or a product manager, you don’t need to limit your test ideas. You can run complex tests without fearing performance or privacy issues with server-side testing and solve real issues faced by your customers. You can optimize every digital touchpoint so that your customers experience only the best.  

If you’re using a platform like VWO, the complexity of the test will not overwhelm you – because every input of yours in the campaign is intuitive and a good practice that powers your test. To understand more about how you can run server-side tests with ease using VWO, request a demo with our product experts.

Omnichannel Marketing Guide – 5 Tactics For Effective Implementation

Strategic steps to prepare your omnichannel program, and the crucial tactics that can help implement it effectively

Omnichannel marketing is becoming an increasingly essential part of most companies’ marketing mix, as consumers are adapting to the unified communication style utilized by this approach. 

Omnisend research shows that eCommerce brands using omnichannel marketing had a 494% higher order rate than those using a single-channel campaign.

Essentially, omnichannel marketing allows all of your multiple channels to work together to talk to an existing customer or assist an indecisive shopper. For example, imagine a shopper is retargeted on Facebook with the product they abandoned in their online shopping cart. Pushing that further, if they buy the abandoned product, they get an order confirmation via SMS or notification, with a detailed receipt via email. 

For all of this to work seamlessly, the data has to be synced seamlessly and near-immediately to provide the best experience for the customer.

However, while seamlessly synced data is crucial, it’s not the only requirement: omnichannel marketing requires a strategy to be effectively implemented. In today’s omnichannel marketing guide, we’ll look at the strategic steps to take to prepare your omnichannel program, and the 5 tactics to implement it effectively.

Step 1: Identify a buyer persona

You shouldn’t blindly create an omnichannel marketing strategy without knowing who you’re creating your strategy for. 

According to ITSMA research, 39% of brands that used buyer personas reported having higher conversion rates.

Understanding who your ideal customers are will help you understand how and when they like to communicate. For example, customers from the older generation may be happier to receive emails as the main communication channel, with clearer language and slightly longer timeframes. 

Buyers from the younger Gen Z audiences would likely prefer a messaging platform like Messenger or WhatsApp, with quicker language and shorter timeframes. What would work for one of these audiences might be annoying for the other, and you may end up losing customers by confusing your buyer personas.

Step 2: Choose your communication channels

You don’t need to be everywhere at all times, but you must be where your customers would like you to be.

Depending on how your business is set up, you could have both offline and online channels that will make up your omnichannel marketing. As Aberdeen research showed, more than half of all companies are using at least 8 channels to communicate with their customers.

For most eCommerce stores, however, the most common communication channels are:

  • PPC, such as Facebook or Google Ads
  • Social media
  • Popups
  • Email 
  • SMS
  • Push notifications
  • Live chat or chatbot
  • Phone

When you understand who your customers are and how they prefer to communicate, you can choose the channels that fit the best.

Step 3: Find an appropriate omnichannel marketing software

Once the strategy is fleshed out, the next step to success is to use a service that can offer as many of the channels as possible. On the one hand, this will help ensure that data is being synced continuously, as more separate tools used to handle this data can cause problems in syncing, not to speak of security and possible data violations. 

On the other hand, the service still has to be powerful enough to do each channel well, rather than a jack-of-all-trades that is merely good at everything, but never great. 

For the most part, you’ll need about three different services: one, like Omnisend, which can handle the acquisition through retention channels, including email, SMS, popups and push notifications. 

Then work with another tool for awareness channels, such as PPC and social media, and yet another for live chat, which will most likely have further customer support capabilities.

5 practical tactics to ensure effective omnichannel marketing

Now that we’ve got the basics out of the way, let’s look at five practical tactics you can employ to make sure your omnichannel marketing is as effective as it can be. 

Collect data

Having the capabilities to seamlessly sync data is one thing. It’s also important to utilize this capability by capturing as much (important) data as possible. Data collection depends on clear communication of purpose, and you should get consent to collect and process this data as early as possible.

While a lot of marketing relies on email addresses, it’s also important to gather other data such as:

  • Phone number, for sending text messages
  • Date of birth, for birthday greetings and offers
  • Demographic data (such as gender, city or country, age, etc.) for greater segmentation and relevant messaging

If you don’t gather this data, you’ll lose the opportunity to utilize many of the channels that make up omnichannel marketing.

Don’t analyze data – gather insights

There is such a thing as too much data. However, in a marketing sense, this generally means the current inability to either filter or process the necessary data. Data analysis, as such, needs to go beyond mere analysis (“these many customers performed these actions at this time”). 

The analysis should result in insights, which will inform your next theories, tests, and steps. What does it mean that your customers do or do not click on CTAs inside your email, or visit your product page but don’t buy at all? 

These insights are important, and it’s important to not only analyze the data you have but to try to understand the story it’s telling you.

Map your customer journey

With the insights you’ve gathered, plot them against where your customers are at in their customer journey. Tools like Omnisend have built-in customer lifecycle features that help you understand which of your customers are in any particular stage—such as “high potential,” “loyalists,” and even “about to lose.” This overview is based on the data you’ve collected.

This can be done manually as well by building dynamic segmentation that takes into account the different stages of the customer journey and matches them with their abiding actions. 

Actions like abandoning a cart for non-customers place them in the “Consideration” stage (and you’ll need to get them to the purchase). Similarly, clicking on the shipping tracking link in your confirmation email places them in the post-purchase stage, and your task will be to get them to the “Loyal” stage.

Constantly test, learn and optimize

With powerful data insights in hand, the next step for you is to validate your ideas before you roll out new omnichannel experiences to your users. For this, you need an experimentation platform like VWO that possesses two crucial capabilities:

  1. Easy integration with customer data portals without the need to import data into VWO
  2. Advanced customer targeting that enables you to run experiments on specific customer cohorts

For instance, you can test whether customizing content based on your visitors’ industry type makes a difference to your business metric before you deploy the new content through different channels. You can test different promotions to different audience segments based on their behavioral attributes to gauge impact and only deploy what works best. 

Creating custom segments of your audiences is easy and requires just a few steps in VWO. For instance, below is the configuration to target visitors from Fortune 1000 companies belonging to the communications industry. 

Creating custom segments at VWO

You can then run your experimentation campaign for the specific visitor group and measure the impact to validate your idea before you scale it. 

With VWO Personalize, you can go even one step further. You can build delightful customer-focussed journeys by prompting each experience campaign at the right time. Those triggers could be based on visitors’ persona or on events such as refreshing the page, scrolling to a certain depth, or the time they’ve spent on a page, among others. Take an all-inclusive free trial to explore in detail.

You can even A/B test subject lines, email copy, and workflows if your email marketing provider has that feature. 

Be consistent in your messaging

Great omnichannel marketing should be understood as one team working for the same goal across different teammates, and all in constant communication. 

While all the teammates don’t have to sound and look the same, they should all be aligned on the common goals, the joint pain points to address, remember the important details, and have a similar outlook.

In essence, you should maintain your branding across all the channels that you use in your omnichannel strategy, ensuring that those channels are in constant communication so that the customer has a smooth experience. 


Omnichannel marketing is a powerful, effective strategy—if used correctly. 

By understanding your buyer personas, creating a strategy for how, where, and when to talk to your customers (and what to say), and having the infrastructure in place to seamlessly sync data through all the channels to provide the best customer experience, you’ll see strong results on your website, and happier customers.

VWO Shines in the G2 Summer 2022 Reports With 20 Badges in Five Categories

VWO, the world-leading experimentation platform, emerged as the Leader in five categories, including Mobile App Optimization and Personalization Engines.

Customers love VWO! 

G2’s Summer 2022 Reports are out, and VWO has been named the Leader across five categories winning 20 badges. 

VWO found its place as the Leader in the A/B Testing, Mobile App Optimization, Personalization, Personalization Engines, and Feature Management categories. This is the first time VWO emerged as a Leader in the Mobile App Optimization and Personalization space.

VWO also ranked #1 in six Mid-Market reports apart from being named the Leader in the Momentum Grid®. 

With 94% of users rating the product 4 or 5, the world-leading CRO platform stands out as the winner and most loved product in the overall A/B Testing, Mobile App Optimization, and Personalization Engines categories. These results show how much VWO users appreciate and value the product.


Significance of G2 reports for software products

We live in a reviews economy. Our buying decisions are largely made after studying the experiences of users of a product. Software being a high-involvement, high-value product, the amount of time spent on analyzing user reviews of these products is quite significant. Software product reviews that can be trusted are generally found on websites built on a review model. 

G2 is a globally recognized and trusted software review website. It helps people make informed software decisions based on unbiased and authentic peer reviews. These reviews are answers to questions about what a user likes and dislikes about the product, what benefits they have achieved as a result of using the product, and what business problem it has solved for them.

Leader quadrant

Getting a place in the leader quadrant of the overall category ahead of other products in the category is no mean feat. So what exactly does a leader quadrant mean?

Products in the leader quadrant of G2 Grid® are rated 4 or 5 by users. Reviews with a high customer satisfaction score and large market presence form the basis of these ratings. 

G2’s Market Presence score takes into account 15 metrics from user reviews. 

The Satisfaction rating depends on the quality and recency of reviews. It also includes Net Promoter Score (NPS), popularity, statistical significance, and customer satisfaction.

VWO nailed the G2 Summer 2022 Reports with eight overall category Leader badges plus three badges as a Momentum Leader.

Customers reviewed VWO for its suite of products, their experience with using the product, and the support they received from the team. 

VWO Testing, for example, has been named a Leader based on receiving a high customer satisfaction score and having a large market presence. The six reports in which VWO ranked #1 are:

  • Mid-Market Grid Report for A/B Testing
  • Mid-Market Relationship Index for A/B Testing
  • Mid-Market Usability Index for A/B Testing
  • Mid-Market Implementation Index for A/B Testing
  • Mid-Market Results Index for A/B Testing
  • Mid-Market Results Index for Mobile App Optimization

Why do users love VWO?

Users love VWO for its world-leading A/B testing product, 24×7 support, intuitive visual editor, insights, heat mapping, ease of use, ability to run tests at scale, and more. 

Take a quick look at what users say about VWO on G2:

“VWO offers a very easy-to-use interface and different “modules” that you can add on top of the baseline ‘testing’ capabilities.

Most individuals come to VWO looking for a testing provider which excels, but it also offers other options such as their ‘Insights’ module that includes surveys, session recordings, funnels tracking, etc. All of which you can add on and find within the same dashboard. It can very easily become your one-stop shop for customer insights which is very valuable for experimenters who know the difficulty of obtaining supporting data from many different locations.” – Mason F

“VWO is very user-friendly once you learn the basics. We have been able to set up various tests that have driven direct positive impacts to our business, allowing us to collect revenue that would have been left on the table otherwise.” – Kevin J

“I like the editing system best. I have been able to create a variety of tests using detailed editing tools. Test setup has also been a very convenient characteristic of the platform.” – User in Market Research

Emerging as the top-rated product feels extraordinary, and we owe this feat to our valued customers. 

VWO is grateful to its global user community for reviewing and rating the product as the best. Thank you for coming together and standing up for the product you so love. VWO is committed to growth and innovation by providing world-class products and support to its customers and helping them grow and win every day.

We take our user reviews seriously and pay attention to what our customers are saying. Find out more about what users say about VWO on G2.

What can VWO do for you?

Try VWO to run multiple tests at scale. Known widely for its robust A/B tests, Split URL tests, and Multivariate tests, VWO is helping organizations embrace experimentation and optimize conversion rates. 

Built on the statistically-powered Bayesian model, VWO can help you:

  • Make smart, data-driven decisions about rejecting or implementing changes on your website
  • Build and manage your optimization roadmap
  • Test ideas, discover insights, and improve engagement across the entire customer journey
  • Test your product and feature experiences
  • Understand user behaviour and analyze visitor data to improve your conversion rate
  • Know what your users want

Power your experimentation journey with an industry leader.

If you are new to A/B Testing or would like to try a different product for experimentation or CRO, check out VWO and its suite of products today. We offer an all-inclusive free trial for you to explore VWO’s capabilities in detail. You can also request a demo with our product experts. 

Prioritizing Data Privacy In Your Experimentation Program

VWO’s privacy-first approach: what it entails, why it is essential, and how it benefits our customers.

What does privacy mean for an Experimentation Platform?

As data powers experiments, upholding the confidentiality and security of this data becomes essential. If you’re a company that runs experiments, you are governed by data privacy, security, and compliance laws applicable in your region. Therefore, it becomes essential for you to choose a privacy-first experimentation tool.

The question then arises – How do you know if you can trust an experimentation platform to meet the necessary privacy-related criteria? To ascertain this, you need to evaluate what kind of data is collected by the platform, where it is stored, how it is used, and if there is any data vulnerability risk. 

In this article, we’ve answered these crucial questions in the purview of VWO. 

At VWO, we believe that privacy is a fundamental human right. We are committed to providing you with products, information, controls, and transparency that allow you to choose how your information, and that of your customers, is collected and used. We owe our growth to our customers, and winning their trust is our top priority. Therefore, keeping customer data confidential and compliant is paramount to us. 

Security is at the heart of how we build our products, policies, and processes to provide high resiliency. We follow security by design principles to protect information systems and customer information so that you can experiment and build the best customer experience using the platform you truly trust.

Which visitor data is collected by VWO?

The entirety of the data gathered by VWO is classified into the following two categories:

  • Customer’s Data: This is the data of VWO’s customers, associated with their purchase and use of the VWO Experimentation platform and services. This data includes customers’ login and contact information, campaign configurations, account configurations, billing configurations, and other similar data necessary to use and run the VWO application.
  • Visitor’s Data: This is the data of the visitors or end-users (who arrive at the customers’ website/applications) collected as part of the campaigns executed via VWO. This data powers all the features in the VWO application, viz., session recordings, heatmaps, surveys, A/B tests, MVTs, etc.

VWO servers collect and store UUID (Unique User Identifier) information in a pseudonymized format. A UUID is a 128-bit number used to identify information in computer systems. Because VWO pseudonymizes the UUID with a one-way hashing function before storing it, the information that can point to the identity of a visitor is replaced by “pseudonyms,” and the identity is protected.

VWO servers store user agent data, including the following information for customers using the report-segmentation in VWO’s Experimentation Platform:

  • IP Address of the visitor in an anonymized format.
  • Referring URL to know from where the visitor came to your website.
  • Type of visitor – new or returning.
  • A location such as country, city, and region. You can select what level of location information you want to store here.
  • Information on the device used to access the website, including the OS, user agent, mobile/tablet/desktop, and browser.
  • Time of the visitor action or goal data, which includes clicks, scrolls, revenue, etc.

This data is collected as the end-user or visitor interacts with your website.

VWO servers process additional data types for heatmaps, session recordings, surveys, and other features that provide visitor behavior insights:

  • Recordings of visitors’ actions on the website to analyze visitor behavior in a video format. 
  • Scroll data to understand the depth of user interaction on your website content.
  • Mouse movements to analyze visitor behavior on a page.
  • Mutations.
  • Device orientation and change behavior for mobile devices.
  • HTML content of the webpage.

VWO stores the information required for security and prosecution purposes on a legitimate interest basis and the information necessary for product, marketing, and analytics purposes (legitimate interest or, where required, by obtaining your prior consent). You can read more on this in our privacy policy.

Where does VWO store data?

VWO has always been fully compliant with GDPR. Both VWO customers’ and their visitors’ data has historically been stored and processed in the US-based data center, complying with GDPR law. This data center serves over 2500 satisfied customers globally, with more than a thousand in the European Union.

We took the next natural step with a continued commitment to privacy and security. We recently launched a European Union (EU) data center to ensure that visitor data doesn’t leave the international EU borders. Hosted in Belgium (Europe-west1 of GCP), this data center caters to those who prefer to store and manage their end users’/visitors’ data within the EU. The data of the visitors as collected by VWO is as per the Data Protection Authority (DPA) for the entities that choose to configure their accounts with this data center.

Our Europe-based data center will store your visitors’ data if you opt for the EU data residency.

How safe is your data with VWO? Can it be leaked, distributed, or accessed?

VWO’s enterprise-grade platform has been designed keeping in mind the high level of security expected by world-class businesses. With VWO, you can rest assured that any data stored by us remains safe, confidential, and accessible. By ‘safe,’ we mean that the data will be protected against any type of loss or corruption.  ‘Confidential’ means access to the data is granted only to authorized personnel, and by ‘accessible,’ we mean that the data is available only to authorized users whenever required.

This data protection guarantee comes from a combination of physical and code security, configurable application access, regular vulnerability scans, and consistent data availability. You can read more about this in our knowledge base article.

Your personal data could be shared with business partners, service providers, payment gateways, professional advisors, law enforcement agencies, regulatory authorities, website users, or third parties under special circumstances as described in our privacy policy.

How does VWO manage data deletion and access?

By default, VWO identifies and anonymizes any Personally Identifiable Information (PII) or users’ sensitive data before storing it on its servers. PII includes passwords, social security numbers, phone, card information, and other personal data. 

For deleted or expired accounts, the data is deleted within 45 to 90 days from the date of expiry. As a VWO customer, you can write to VWO support requesting immediate deletion of accounts or specific user data if you want to prioritize this.

VWO has established policies and procedures to dispose of electronic and physical media containing PII, account data, and sensitive and confidential information to ensure its servers’ data security. You can read more about it in our knowledge base article.

How is VWO’s product strategy aligned to our privacy-first approach?

At VWO, we back ourselves up with robust data security and privacy practices that form an integral part of our product engineering and development. These principles have a robust framework for building secure systems that address all threat vectors by default and by design.

Keeping in line with this, the below settings are a part of our product suite:

1. You can opt your visitors out of VWO tracking without hampering their experience on your website.

Even though VWO never tracks the end user’s personal data, your visitors have the choice to opt out of being tracked by VWO.

As a website owner, you can opt your visitors out of VWO by either generating an opt-out link and sharing it with your website visitors or using VWO’s opt-out API.

The opt-out API has two versions. When you fire this API in the first version, all VWO cookies are deleted, and VWO stops visitor tracking immediately. If the visitor in question returns to the page, they will still not be considered for VWO tracking. Therefore, they won’t see any campaign changes on return visits.

In the second version, you can opt a visitor out of VWO tracking but still show the experience (campaign changes) that they have seen earlier. For example, say a visitor has seen variation A of a specific campaign, and you now want to opt them out of VWO tracking while showing the same variation to the visitor on their return visits. When you fire this API, VWO stops visitor tracking immediately. However, the visitors continue to see the same variation they were previously a part of.

2. You can easily seek consent before collecting visitor data, and you can do so more responsibly than before.

In view of data protection policies, it is necessary to display a cookie banner informing visitors about cookies or obtain consent before tracking their data. If you use tools or scripts on your website to identify individuals and their personal information, this ensures that you do so only with their permission.

VWO gives you the option to configure triggers for VWO Insights so that you can track visitor data more carefully, responsibly, and with consent. Any visitor action can be used to trigger the collection of Insights data. You can write custom JavaScript code that can listen for visitor actions, and decide based on the kind of pages visited or any scenario you want to validate before collecting Insights data. This knowledge base article describes the process of setting up a custom trigger in VWO.

VWO makes it easier for you to let your users accept or deny consent to be tracked for behavioral data.

How do we ensure cookie compliance?

VWO uses cookies and local storage to understand visitors’ behavior and track visitor journeys on your website to deliver the best experiences. The cookies identify the variation in an experiment that the visitor views and help serve the same variation to the visitor consistently. These cookies also track visitor actions, determine whether they are part of a campaign, etc. However, the only information that VWO collects about a cookie is a visitor ID, i.e., the UUID explained above, which does not contain any personal data. This UUID helps distinguish one visitor from another, but no individual or consumer can be tracked or identified by VWO.

As part of data protection policies like GDPR, it is necessary to obtain informed consent from visitors before deploying any cookies or trackers to process their data. VWO does not collect any sensitive information. However, as a user, the decision to implement VWO with cookie consent or not is entirely up to you. Always consult your legal counsel to determine which implementation is appropriate for you. They can help you make an informed decision considering the data privacy rules of the countries you operate in.

The VWO SmartCode is an automatically generated code snippet that you must add to enable VWO on your website. You can choose to execute the SmartCode without the visitor’s consent, i.e., you do not require any permission before deploying cookies or trackers to process visitors’ data. You can also choose to execute the SmartCode after obtaining the visitors’ consent (this is for VWO Insights and Engage; the Testing campaigns execute without the visitors’ permission). You can also go for conditional execution – here, the SmartCode is executed only after visitors’ consent is obtained, irrespective of the product you’re using. Furthermore, VWO communicates with cookie consent managers via callback when the visitor accepts or rejects the cookie, allowing you to run the SmartCode based on valid consent.

Depending on the data privacy rules in the countries you operate in, you can make an informed decision. This knowledge base article discusses choosing the correct method for implementing the SmartCode.

How does VWO ensure security?

More than 2500 customers trust the VWO Experience Optimization Platform with their data, and this responsibility is something we take very seriously. All data reaching VWO servers from recordings, survey responses, or the custom dimension is encrypted using the industry-standard AES-256 encryption algorithm. You can read this knowledge base article for details.

We’ve also incorporated security fundamentals into the following aspects of our daily operations:

Organizational structure and governance

Wingify (makers of VWO) has established a Corporate Security and Compliance Team (CSC) consisting of key personnel whose responsibility is to identify security and compliance concerns across the company.  This team acts as the first line of defense in enhancing the appropriate security and compliance posture. This team reports to the CEO.

Risk management – ISO

VWO complies with internationally recognized privacy and security certifications

ISO/IEC 27701:2019 (ISO 27701) is an internationally recognized global privacy standard that focuses on the collection and processing of personally identifiable information (PII). Any ISO/IEC 27701 audit requires the organization to declare applicable laws/regulations in its criteria for the audit. This means that the standard can be mapped to many of the requirements under GDPR, California Consumer Privacy Act (CCPA), and other laws. Once mapped, privacy professionals implement the ISO/IEC 27701 operational controls, which are then audited by internal or third-party auditors, resulting in certification and comprehensive evidence of conformity.

VWO has received an accredited ISO/IEC 27701:2019 certification as a PII processor and controller after undergoing an audit by an independent third party.

ISO/IEC 27001:2013 (ISO 27001) is an internationally-recognized framework that specifies the requirements for establishing, implementing, maintaining, and improving information security management within an organization. VWO has received the ISO 27001:2013 certification from British Standards Institution (BSI), the international standards company. The ISO 27001:2013 certification demonstrates our commitment to information security at every level. Compliance with this internationally-recognized standard validated by an independent third-party audit confirms that our security management program is comprehensive and follows industry-leading practices.

Access management

All users in a VWO account are assigned an access level that determines the actions users can perform in the VWO account. If you are an account owner or administrator, you can change the access level at any point in time.

Authentication and password management

To ensure the sanctity of your VWO account, we have added an extra layer of security in the form of two-factor authentication (2FA) that prevents bad actors from accessing your data, even if they know your password.

Two-factor authentication (2FA) relies on two security measures to prevent intruders from gaining access to your VWO account. Once 2FA is enabled, to sign in to your account, you’ll need to provide something you know, i.e., your password, and something you have, i.e., a six-digit one-time code sent to your email at login time (or generated by a popular TOTP-based app).

With 2FA, you can ensure that your account is not compromised even if a malicious virus exposes your password or hackers gain access to your password by brute force.

Session management

Every time a VWO user signs in to the VWO account, the system assigns a new session identifier for the user. The session identifier is a randomly generated 64-byte value to protect the account against brute force attacks. After seven days, all sessions time out, requiring the users to sign in to their account again. Also, all the active sessions are set to time out after 4 hours of inactivity.
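A session store that enforces the three rules in this paragraph (a fresh 64-byte random identifier on every sign-in, a seven-day absolute lifetime, and a 4-hour inactivity timeout), as an added example that is not VWO's code. The class and method names, the in-memory map, and storing only a SHA-256 digest of the identifier are assumptions made for the illustration.

```javascript
// Added example (not VWO code): session identifiers with absolute and idle timeouts.
const crypto = require("node:crypto");

const HOUR_MS = 60 * 60 * 1000;
const ABSOLUTE_TTL_MS = 7 * 24 * HOUR_MS; // page: all sessions time out after seven days
const IDLE_TTL_MS = 4 * HOUR_MS;          // page: time out after 4 hours of inactivity

class SessionStore {
  constructor() {
    this.sessions = new Map(); // digest of session id -> session record
  }

  // Assumption: keep only a digest server-side, so a leaked store holds no usable ids.
  static digest(sessionId) {
    return crypto.createHash("sha256").update(String(sessionId)).digest("hex");
  }

  // 64 random bytes from the OS CSPRNG, encoded for use in a cookie (86 characters).
  create(userId, now = Date.now()) {
    const sessionId = crypto.randomBytes(64).toString("base64url");
    this.sessions.set(SessionStore.digest(sessionId), { userId, createdAt: now, lastSeenAt: now });
    return sessionId;
  }

  // Every sign-in gets a new identifier; any previous one is invalidated, never reused.
  signIn(userId, previousSessionId, now = Date.now()) {
    if (previousSessionId) this.sessions.delete(SessionStore.digest(previousSessionId));
    return this.create(userId, now);
  }

  // Check the absolute limit first: activity must not extend a session past seven days.
  validate(sessionId, now = Date.now()) {
    const key = SessionStore.digest(sessionId);
    const session = this.sessions.get(key);
    if (!session) return { ok: false, reason: "unknown" };
    if (now - session.createdAt >= ABSOLUTE_TTL_MS) {
      this.sessions.delete(key);
      return { ok: false, reason: "absolute-timeout" };
    }
    if (now - session.lastSeenAt >= IDLE_TTL_MS) {
      this.sessions.delete(key);
      return { ok: false, reason: "idle-timeout" };
    }
    session.lastSeenAt = now; // a valid request restarts the inactivity window only
    return { ok: true, userId: session.userId };
  }
}
```

Passing `now` explicitly keeps the timeout logic testable without waiting; in a request handler the default `Date.now()` applies.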

Network and transmission security

VWO is hosted on secure servers managed by GCP. Physical access to the GCP data centers is restricted for everyone. Firewalls are configured using industry best practices, and all unnecessary ports are blocked.

As a VWO user, you are always connected to the VWO web app via HTTPS using Transport Layer Security (TLS) version 1.2 and higher, a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.

Access control

You can assign roles and permissions to each user you add to your account to ensure an appropriate level of access to your VWO account. You can restrict access to your VWO account to specific IP addresses. You can also enable alerts to email you whenever particular activities occur in your account.

Internal access to data

The data stored on VWO’s production servers are accessible only to the SVP of Engineering and lead engineers. No other member of VWO has access to customer data unless specific access permission is granted by the Chief Executive Officer and SVP-Engineering for resolving technical issues.

Security in engineering as part of product development

Thorough quality checks are an integral part of our development process. No code goes live unless reviewed and approved by the QA team. The staging or test environment is fully separated from production and does not use any production data. Any new feature goes through a security review before being deployed to production. Also, external VAPT (Vulnerability Assessment and Penetration Testing) audits are carried out at the system level to assess for potential vulnerabilities. 

Data breach

In the event of a breach in data security, we notify our customers within forty-eight hours of the incident’s detection. We have incident management policies and procedures to handle such events or emergencies.

What does all this mean for the customers of VWO?

In a nutshell, this is what it means for you as a customer of VWO:

  • VWO collects only the data necessary for security and for the purposes of product enhancement, marketing, and analytics – and with your visitors’ consent. Any personal information, if collected, is anonymized.
  • This data is stored securely and as per the GDPR law.
  • This data remains safe, confidential, and accessible to you at all times. 
  • Robust and safe processes govern data deletion if your account with us is deleted or expired. 
  • Privacy forms an integral part of our product strategy, and any product enhancements are designed on privacy-first principles.
  • We ensure cookie compliance as part of data protection policies like GDPR.
  • We ensure the security of your data with the help of our Corporate Security and Compliance Team by procuring and maintaining information security certification through robust access, password and session management, and relevant disaster management policies. 

Our Corporate Security and Compliance Team, along with members of our senior leadership, have taken the following measures:

  • We have raised awareness across the organization through frequent discussions in our internal channels and trained employees to handle data appropriately.
  • We have assessed all our products individually against the requirements of the GDPR. We have implemented new features that will give you more control over your data and ease your burden of achieving GDPR compliance.
  • We have appointed internal privacy trust champions for all our teams. We have also appointed a Data Protection Officer (DPO).
  • Our application teams have embraced the concept of privacy by design and have provided you with more control over the data you store in our systems. We constantly endeavor to provide you with more enhancements, rolled out in phases. We have implemented appropriate organizational, technical, administrative, and physical safeguards to protect our organization’s security, confidentiality, integrity, and privacy of Personal Information and customer data.

With these measures in place, as a customer of VWO, you are compliant with privacy laws, your data is safe with us, and the privacy of your website visitors is respected and protected at all times. 

As an experiment owner not using VWO, it is not sufficient to be simply privacy-conscious. You will need to prioritize data privacy and integrate it within your experimentation stack as well as your roadmap. You can get in touch with our product experts if you wish to understand more about how VWO can help you do so.