SiteSpect is a US based A/B testing, multivariate testing, personalisation and feature flagging platform founded in 2004 and headquartered in Boston. It is distinguished by its server-side reverse proxy architecture (Origin Mode), which removes the flicker effect of client-side tools. For European customers, the default US deployment requires Standard Contractual Clauses; EU based reverse proxies are available on request.
SiteSpect is a US based experimentation and personalisation platform founded in 2004, headquartered in Boston, Massachusetts. It supports A/B testing, multivariate testing, personalisation, feature flagging and server-side experimentation. SiteSpect is distinguished by its Origin Mode reverse proxy architecture, which delivers variants from the server to the visitor and avoids the flicker effect typical of client-side tools.
SiteSpect processes visitor IP, user agent, page URL, referrer, basket events, conversion events and any custom attributes the customer sends. It sets first party cookies (SSID, SSRT) to keep variant assignment and session state consistent. In Origin Mode the cookie is set server side; in the JavaScript SDK mode, the cookie is set client side. Conversion events can be sent to SiteSpect or to integrated analytics tools.
SiteSpect is a data processor under Art. 28 GDPR. Variant assignment cookies are non essential and require consent under Art. 5(3) ePrivacy. The reverse proxy architecture means SiteSpect can see all request and response data, which raises significant data minimisation considerations: configure it to inspect only what is needed and exclude sensitive endpoints. Personalisation that builds a profile may trigger Art. 22 GDPR safeguards if it leads to significant decisions.
Explicit consent is required for the variant cookies and for any persistent personalisation identifier. A simple AB test that does not profile individuals and uses session only cookies may rely on legitimate interest after a strict balancing, but most deployments require consent. Personalisation based on logged in user attributes still requires a lawful basis under the customer's own framework.
Default SiteSpect deployment processes data in the United States. EU customers can request EU based reverse proxies in Frankfurt or Dublin. US transfers rely on SCCs and the EU US Data Privacy Framework where SiteSpect is certified. Document both transfer mechanisms and run a Transfer Impact Assessment for US deployments.
Sign SiteSpect's DPA, request the EU reverse proxy if available, configure the proxy to inspect only the required URLs and parameters, exclude sensitive endpoints (account, payment, health), load AB tests after cookie consent, document SiteSpect as a sub processor and run a TIA for US deployments.
Websites using SiteSpect must obtain user consent under GDPR regulations.
DPIA considerations
SiteSpect processes visitor IP, user agent, page URLs, variant assignments and conversion events. Key DPIA considerations: (1) variant assignment cookies are typically first party and non essential, requiring consent under Art. 5(3) ePrivacy; (2) the server-side proxy can inspect personal data in real time, raising data minimisation considerations; (3) US deployment triggers SCCs and EU US Data Privacy Framework, EU deployment is available; (4) personalisation based on persistent identifiers builds a profile that should be disclosed; (5) feature flagging based on user attributes (logged in user data) requires the customer's own lawful basis; (6) integrations with analytics tools (GA4, Adobe Analytics) add their own data flows.
Sample consent text
With your consent, we use SiteSpect to run A/B tests and personalise content on our site. SiteSpect places first party cookies to keep your variant assignment consistent across pages. Data is processed in the United States under Standard Contractual Clauses, or in our EU reverse proxy if selected.
Third-party domains contacted
sitespect.com, sitespect.net, sitespect-cdn.com, cdn.sitespect.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| SSID | Marketing | 1 year | Persistent first party visitor identifier used by SiteSpect to keep variant assignment consistent across pages and sessions. |
| SSRT | Functional | Session | Stores runtime and session state used by SiteSpect Origin Mode reverse proxy to maintain experimentation context. |
| SSPV | Analytics | 30 days | Counts page views per visitor for SiteSpect goal tracking and engagement analysis. |
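One way to verify that the cookies in the table are only set after consent and keep to their declared lifetimes is to audit the `Set-Cookie` headers of captured responses. The following is an added example, not SiteSpect's or this page's own code; the function names `parse_set_cookie` and `audit` are hypothetical, the sample headers are constructed, and treating the declared duration as an upper bound is an assumption.

```python
# Declared lifetimes from the cookie table above, in seconds (None = session).
DECLARED = {"SSID": 365 * 86400, "SSRT": None, "SSPV": 30 * 86400}


def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    first, *rest = [part.strip() for part in raw.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0].strip(), attrs


def audit(set_cookie_headers, consent_given):
    """Return (cookie, finding) pairs for SiteSpect cookies in one response."""
    findings = []
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        if name not in DECLARED:
            continue  # not one of the cookies listed in the table
        max_age = attrs.get("max-age", "")
        if max_age == "0" or max_age.startswith("-"):
            continue  # deletion (e.g. on consent withdrawal), nothing is stored
        if not consent_given:
            findings.append((name, "set before consent"))
        declared = DECLARED[name]
        if declared is None:
            if max_age or "expires" in attrs:
                findings.append((name, "declared session-only but persistent"))
        elif max_age.isdigit() and int(max_age) > declared:
            findings.append((name, "lifetime exceeds declared duration"))
    return findings


# Constructed sample responses (not captured from a real SiteSpect deployment).
PRE_CONSENT = [
    "SSID=constructed-visitor-1; Max-Age=63072000; Path=/; Secure; HttpOnly",
    "SSRT=constructed-state; Path=/; Secure",
    "sessionid=site-own-cookie; Path=/; HttpOnly",
]
POST_CONSENT = [
    "SSID=constructed-visitor-1; Max-Age=31536000; Path=/; Secure",
    "SSRT=constructed-state; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/",
    "SSPV=3; Max-Age=2592000; Path=/",
]
WITHDRAWAL = ["SSID=; Max-Age=0; Path=/"]

if __name__ == "__main__":
    for label, headers, consent in [("pre", PRE_CONSENT, False),
                                    ("post", POST_CONSENT, True),
                                    ("withdraw", WITHDRAWAL, False)]:
        print(label, audit(headers, consent))
```

In Origin Mode the cookies arrive in response headers from the customer domain, so this check belongs in an HTTP-level test; cookies written by the JavaScript SDK never appear in `Set-Cookie` and need a browser-side check instead.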
SiteSpect typically sets first party cookies SSID (visitor identifier used for variant assignment, 1 year) and SSRT (session/runtime state). In Origin Mode the cookie is set by the reverse proxy on the customer domain; in the SDK mode it is set by JavaScript.
Yes for persistent variant cookies and any personalisation that builds a profile. A short session only test that does not link to a persistent identifier may rely on legitimate interest after a strict balancing, but most production deployments need cookie consent.
Consent (Art. 6(1)(a) GDPR) for variant cookies and persistent personalisation. Legitimate interest (Art. 6(1)(f) GDPR) only for minimal AB testing that does not profile individuals. Contract (Art. 6(1)(b) GDPR) if testing is explicitly part of a service the user signed up for.
Default deployment processes in the United States. EU customers can request EU based reverse proxies in Frankfurt or Dublin. US transfers rely on SCCs and the EU US Data Privacy Framework where SiteSpect is certified.
A DPIA is recommended for any large scale personalisation deployment, when SiteSpect inspects payment, account or health endpoints, or when feature flags affect significant decisions (pricing, access). The DPIA should cover the reverse proxy inspection scope, US transfers and Art. 22 GDPR safeguards.
Sign the DPA, choose an EU reverse proxy if available, restrict the inspected URLs and parameters to the minimum, exclude sensitive endpoints, load AB test variants only after consent, document SiteSpect in your sub processor list and run a TIA for US transfers.
EU based experimentation tools include Kameleoon (France), AB Tasty (France), Convert.com (Spain) and Webtrends Optimize (UK). Open source alternatives include GrowthBook, Wasabi and Unleash. Server side experiments via your own backend with first party identifiers can also be lower risk.
Disclose SiteSpect as a personalisation processor, name SSID and SSRT cookies with their duration, explain whether you use Origin Mode or SDK mode, describe the data inspected by the reverse proxy, mention US transfers under SCCs and the EU US Data Privacy Framework, and link SiteSpect's privacy notice and DPA.