Security & Load-Time Report
Security controls, performance benchmarks, and threat mitigations for ClickMint A/B testing experiments.
ClickMint A/B Testing Experiments
Security & Load‑Time Evaluation Report
Executive Summary
ClickMint's A/B testing platform delivers experiment agility without compromising security, privacy, or site performance.
| Pillar | Highlights |
|---|---|
| Security | Encryption and strict PII handling |
| Performance | Near‑zero impact on page load time |
| Compliance | Designed to support global enterprise compliance including GDPR |
1. Data Protection & Privacy
Encryption
- TLS 1.2+ in transit
- AES‑256 at rest
PII Handling
- Experiment and application logs: raw PII is never stored or transmitted. Visitor identifiers are converted into one‑way cryptographic tokens before any logging occurs.
- Security infrastructure logs: WAF (Web Application Firewall) logs retain client IP addresses as required for bot detection, rate limiting, and security incident response. These logs are restricted to authorised security and operations personnel, are not used for analytics or profiling, and are retained for 90 days.
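The tokenise-before-logging control for experiment and application logs can be sketched as a logging filter. This is an added example, not ClickMint's code: the HMAC-SHA256 construction, the `visitor_id` field name, the key and the sample identifier are assumptions constructed for illustration.

```python
import hashlib
import hmac
import logging

# Assumption: the report does not name the token construction. A keyed
# HMAC-SHA256 is used here; the key below is a constructed placeholder and
# would come from a secret store in a real deployment.
TOKEN_KEY = b"constructed-demo-key"

def tokenize(visitor_id: str, key: bytes = TOKEN_KEY) -> str:
    """Return a stable one-way token for a visitor identifier."""
    return hmac.new(key, visitor_id.encode("utf-8"), hashlib.sha256).hexdigest()

class TokenizeVisitorFilter(logging.Filter):
    """Replace record.visitor_id with its token before any handler runs."""
    def filter(self, record: logging.LogRecord) -> bool:
        raw = getattr(record, "visitor_id", None)
        if raw is not None:
            record.visitor_id = tokenize(str(raw))
        return True

class ListHandler(logging.Handler):
    """Collect formatted lines in memory so the output can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def build_logger(handler: logging.Handler) -> logging.Logger:
    logger = logging.getLogger("experiments.demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    # A logger-level filter runs before the record reaches any handler.
    logger.addFilter(TokenizeVisitorFilter())
    handler.setFormatter(logging.Formatter("%(message)s visitor=%(visitor_id)s"))
    logger.addHandler(handler)
    return logger

def demo() -> list:
    handler = ListHandler()
    log = build_logger(handler)
    # Constructed sample identifier.
    log.info("variant=B assigned", extra={"visitor_id": "alice@example.com"})
    return handler.lines

if __name__ == "__main__":
    print(demo())
```

The filter only covers the structured `visitor_id` field; an identifier interpolated into the message text would still be logged raw.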
Zero Internal Tracking
- Reporting uses client analytics sources (GA4) or first‑party events
2. Secure AI Integrations
OpenAI Enterprise
- Prompts not used to train models
- Full encryption and audit logging
Amazon Bedrock
- Encryption at rest and in transit
- AWS KMS manages keys
- No prompt storage or training
3. Edge Security & Delivery
ClickMint leverages Amazon CloudFront with these security controls:
- HTTPS everywhere
- Origin Access Control
- Signed URLs and cookies
- Security headers
- Logging and monitoring
4. Threat Model & Mitigations
| Threat | Mitigation |
|---|---|
| User re‑identification | One‑way identifiers |
| TLS downgrade | TLS 1.2+ and HSTS |
| Sensitive data leakage | Field‑level encryption |
| AI prompt exfiltration | Enterprise policies |
| Bot traffic skew | AWS WAF bot control |
| DDoS | AWS Shield + CloudFront |
5. Performance Evaluation
Testing Methods
- Lighthouse
- WebPageTest
- JMeter global load testing
Results
| Metric | Value |
|---|---|
| First load | < 1.2 s globally |
| Cached load | < 100 ms |
Performance Budgets
| Budget | Limit |
|---|---|
| JS added | ≤ 10 KB |
| Main‑thread blocking | ≤ 30 ms |
| LCP delta | ≤ +50 ms |
Rollout Strategy
5 % → 25 % → 50 % → 100 %
Automatic rollback triggered by performance degradation or error spikes.
6. Governance & Operations
- IAM least‑privilege roles
- AWS KMS and Secrets Manager
- Versioned deployments with staged rollouts
- Monitoring via CloudWatch and GA4
- Defined incident response procedures
Conclusion
ClickMint experiments remain secure, privacy‑preserving, and performance‑optimized while enabling rapid experimentation at scale.
© 2026 ClickMint. All rights reserved.
