Platform Updates: Server-Side Experiments, OpenAI Ads, and a Deeper Compliance Center

A few weeks ago we put experiments and heatmaps inside your AI assistant, and on-page content tests next to redirects. That covered everything you can do in the browser. The piece engineers kept asking for was the one that happens before the browser ever loads: pick the variant on the server, render it, and never show a flash of the wrong page.

That shipped this week, and it's the big one. Server-side experiment assignment is live, and with it we're at parity with the top-of-the-line testing tools on how experiments get delivered. The difference is that this is HIPAA-compliant experimentation integrated with your CDP, under the same BAA you already signed. Alongside it, we went deeper on the compliance center and made web analytics answer the question we kept hearing: where did this traffic actually come from.

Here's what's new:

Server-Side Experiments

Your experimentation suite already ran on-page content tests, redirect tests, and AI-driven setup through Claude or ChatGPT. All of that happens in the browser, after the page loads. Server-side assignment closes the last gap. Your backend asks Ours Privacy which variant a visitor belongs in, gets the answer, and renders that variant before anything reaches the browser.

The key design decision: the browser SDK and the assignment endpoint bucket on the same visitor id with the same algorithm. Server picks, browser confirms, and it's the same experiment. No double-counting, no drift between runtimes.
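The "same visitor id, same algorithm" design described above, as an added sketch that is not Ours Privacy's code or API: one pure-JavaScript bucketing function that returns the same variant in Node, an edge worker, or the browser. The hash (FNV-1a with a murmur3-style finalizer), the function names, and the sample visitor ids are assumptions made for illustration.

```javascript
// Added sketch: one bucketing function shared by every runtime.
// The hash, names, and ids are assumptions, not the vendor's algorithm or API.

// FNV-1a over UTF-16 code units, then a murmur3-style finalizer so the low
// bits are well mixed before the modulo. Pure integer math: same output in
// Node, an edge worker, or a browser.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  h ^= h >>> 16;
  h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13;
  h = Math.imul(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

// Pick a variant by cumulative integer weight. Salting with the experiment
// key keeps a visitor's bucket in one experiment independent of the others.
function assignVariant(experimentKey, visitorId, variants) {
  const total = variants.reduce((sum, v) => sum + v.weight, 0);
  if (!Number.isInteger(total) || total <= 0) {
    throw new Error("weights must be non-negative integers with a positive sum");
  }
  const point = hash32(`${experimentKey}:${visitorId}`) % total;
  let acc = 0;
  for (const v of variants) {
    acc += v.weight;
    if (point < acc) return v.name;
  }
  throw new Error("unreachable for valid weights");
}

// Bucket a batch of constructed visitor ids and count each variant.
function splitCounts(experimentKey, variants, n) {
  const counts = Object.fromEntries(variants.map((v) => [v.name, 0]));
  for (let i = 0; i < n; i++) {
    counts[assignVariant(experimentKey, `visitor-${i}`, variants)] += 1;
  }
  return counts;
}
```

If the server and the browser ever differ in hash, salt format, or weight order, the same visitor lands in different variants, which is the drift the shared algorithm is meant to prevent.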

What it does:

  • Render the variant on the server: Call the assignment endpoint from Next.js, a Cloudflare Worker, an edge function, Rails, Go, or any backend, and serve the assigned variant with the page. No hydration flicker, no flash of the control before the treatment swaps in.

  • Experiment on non-browser traffic: Mobile apps, partner systems, and other clients that never run your web SDK can still participate in the same experiment.

  • Gate behavior beyond the UI: Branch pricing, feature paths, or routing in a headless service on the same experiment that drives your front end. One source of truth for who is in which variant.

  • Read personalizations without side effects: A separate read-only endpoint hydrates a visitor's active personalizations and never records an impression, so diagnostics and shadow flows stay clean.

Here's why this matters for a regulated marketing team. Until now, the cheapest way to get HIPAA-compliant A/B testing was a separate vendor at roughly $30,000 to $40,000 a year, with its own BAA and its own security review. We built experimentation into the CDP so it travels under the agreement you already have. And because assignment sticks to a server-set cookie on your own custom domain, the bucket survives the browser privacy restrictions that quietly break client-side testing tools. You get the delivery model the enterprise tools sell, on infrastructure designed to be compliant first.

Read the server-side experimentation guide for the assignment recipe and worked examples.

A Deeper Compliance Center

Compliance is the reason teams choose us, so we keep going deeper where other vendors stop. The last few weeks went into making the consent layer more configurable and the audit trail more complete, because when scrutiny comes, the record is what matters.

What's new:

  • GPC and region data in the audit export: Your consent audit export now captures Global Privacy Control signals and the visitor's region alongside each consent decision. When legal or a regulator asks who consented to what, where they were, and whether they sent a Do-Not-Sell signal, it's a single export. You can pull it as Excel.

  • Designable regional overrides: Tailor the consent experience by jurisdiction, now including Canadian provinces and territories. Show the right banner, the right categories, and the right language to each region without shipping a different site to each one.

  • A more flexible preferences modal: A Reject All button on the preferences window, a collapsible additional-information section to keep the modal clean, and a function your site can call to open the preferences modal on demand. Reject-category controls give visitors finer-grained choices.

  • Richer consent copy: Your consent descriptions now render line breaks, hyperlinks, and variables, so disclosures read exactly the way your legal team wrote them instead of collapsing into a wall of text.

The throughline is control and proof. You decide what each visitor sees based on where they are, and you can show exactly what happened after the fact. That combination is what survives an audit, and it's the part most consent tools treat as an afterthought.


Source-Level Web Analytics

As teams route more sources into one platform, a basic question gets harder to answer: is this number my website, or is it everything flowing through the system? We rebuilt the filtering so you can scope an answer to exactly the slice you mean.

What's new:

  • Filter web analytics by source: Scope reports to web traffic specifically, or slice by the source that produced the event. The "All" view now means web sources, not a blur of every channel feeding the platform.

  • Filter event analytics by source and destination: See which source created an event and which destination it dispatched to, in the same view.

  • An "All Pages" option in web analytics: Look across your whole site in one report instead of page by page.

For a team running paid, organic, and server-side traffic through one pipeline, this is the difference between trusting a number and exporting to a spreadsheet to figure out what it actually counts.

New Destination: OpenAI Ads

We added a destination for the OpenAI Ads Conversions API. Send conversions to OpenAI's ad platform with the same consent rules, field mapping, and hashing every other destination uses. Event names are normalized on the way out so they land the way the platform expects, and anything that could be PHI drops according to the rules you set. It's another channel you can light up without adding a vendor or a BAA.

The Tag Manager Is Now Generally Available

The tag manager is out of gating and available to every account. You manage tags, triggers, and variables in the app, install on your own verified custom domain, and now reach the whole surface through the REST API and through your AI assistant. Ask your assistant to audit which tags are firing, or have it create an asset folder and wire up a tag, the same way it already configures destinations and consent rules. One more part of the platform that meets your team where the work happens.

What's Next

The web scanner already crawls your site, finds the trackers and pixels running on it, and flags where patient data could leak. The next step is putting intelligence on top of that. We're building AI-driven compliance inspection into the scanner: it reads the scan results, explains what each finding means for your HIPAA exposure in plain language, and tells you what to fix and why, instead of handing you a raw list to interpret yourself.

This is where the configuration audit story from the last post and the scanning story converge. Ask where an identifier is going, and ask what's leaking on the page, in the same place, with an assistant that understands both. More on that soon.

If you'd like a walkthrough of server-side experiments or the compliance center, book a demo.

Health systems and digital health companies use Ours Privacy to run essential marketing tools like Google Ads and GA4 while maintaining HIPAA compliance.

Start the conversation

Healthcare marketers tell us every day about the challenges of flying blind, navigating compliance, and dealing with ad restrictions. Talk with one of our experts to see if Ours Privacy is the right fit for your organization.
