
Back in the 1980s, American Tourister ran luggage ads with gorillas tossing around suitcases to demonstrate just how tough their products are. The product designers did a pretty good job ensuring resilience in the face of serious monkey (actually, ape…) business. I like the metaphor because it’s not too different for software. Similarly, SaaS applications are designed by engineers to handle all kinds of abuse — brute force attacks, data leakage, phishing, and more. 

Security is about protecting data, company IP, brand reputation, and more. Globally, the average cost of a data breach is $4.35 million. Many software buyers don’t have the knowledge, resources, or insights into what security best practices are in place, and so security questions often only come up near the tail-end of the buying cycle. We feel it’s a good approach to consider the acquisition of any software with security in mind from the start. 

If you’re evaluating search providers (or really any SaaS product), here are 10 questions you might want to start with to understand their security practices.

1. What considerations do you make when designing search software?

Security needs to be a part of the development planning process, not an afterthought. We are fortunate to have a dedicated security team that works with our engineers and product managers to review product architecture and related infrastructure. The team’s job is to ensure that the data flowing into the product from various possible sources and data centers — product catalogs, support-facing solutions, internal analytics, conversion events — is transported and stored securely using modern encryption technology and the highest compliance standards. We also work hard to maintain transparency. For example, since 2017 we have worked with the Cloud Security Alliance to continually train and certify our team on the highest standards of security, and with TrustArc to ensure data privacy. Security needs to be designed into the software from day one.

2. Where (and how) is my data stored?

Is data stored on premises or in the cloud? Who is watching over your data, and how is it secured? Algolia is a 100% hosted solution provider. We host data on bare metal servers on every continent in 70+ data centers around the world. Customers have the option to run Algolia either in EU-based or US-based data centers fully-managed on Microsoft Azure or AWS. Data is encrypted in transit (AES-256) and customers also have the option to encrypt their data ‘at rest’ using managed-per-server keys with Algolia Vault. Our data centers are continuously monitored, managed, and tested: 

  • We keep them only in PCI-DSS, ISO27001 and/or SOC2 certified data centers
  • We test them continuously with several vulnerability scanning tools
  • They’re pen-tested twice a year by a reliable, independent 3rd-party
  • We have a permanent bug bounty program running
  • All logs are sent to an SIEM solution for scanning and immediate reporting
  • All servers are running an EDR overwatched by a specialized SOC team
  • We’re developing new tools for overwatching them, with a whole specialized team
  • We’re reviewing every new feature to make sure it does not create new weaknesses

3. Is your software compliant?

All companies must comply with international and/or local laws. Or, they have customers who will only work with vendors whose services meet exacting standards. With more than 17,000 customers ranging from governments, corporations, medical enterprises and more, all with strict requirements, we have purposely designed our service to work across many public and private use cases. Today, Algolia is compliant with… 

  • ISO27001
  • ISO27017
  • BSI C5
  • HIPAA
  • GDPR
  • CPRA
  • SOC 2 Type 2
  • SOC 3 

4. How is data managed?

Your data is yours. So, you will want to work with providers who will manage your data with the utmost care so it’s not lost or leaked. Our services do not track your customers, and their identities stay under your control. We have a secure multi-tenant architecture — monitored 24/7 — to prevent leakage of data between our customers and continual monitoring of API access. We design our highly-available service with redundancy and backups, which allow us to provide 99.99% (and higher) reliability. 

5. What happens if there’s a data breach? 

Is the provider you’re speaking with prepared for worst-case scenarios, and if so, how? Of course we do everything we can to ensure this never happens, including semi-annual independent penetration testing of our services. However, should this happen, we will quickly determine the cause, understand what data (if any) has been compromised, contact affected customers in less than 24 hours, and work to remediate the issue as soon as possible.

6. What guarantees do you offer?

An interruption in service can happen for a lot of reasons — cloud provider disruption, a customer exceeding their own usage, local ISP issues, etc. How cloud vendors guarantee their services can vary widely. However, if the issue is with Algolia, our Algolia service level agreement (SLA) covers standard and premium plans with guaranteed remuneration. Should we fail to meet the standards we’ve set for ourselves, customers are eligible for credits.

7. What happens when a product vulnerability is discovered?

Enterprise-scale software is built from thousands of components — open source and proprietary — usually with microservices for different capabilities. The orchestration of such complex systems is not without risk; a lot can go wrong as new vulnerabilities are discovered. We place a lot of effort into having the best security. For instance, it took us only a few hours after the disclosure of the OpenSSL Heartbleed vulnerability to fix it. We perform regular independent penetration testing and have a public bug bounty program on HackerOne that helps us ensure ongoing security.

8. What happens to your company data if you decide to terminate the subscription?

As your needs change, you may need to switch providers. What happens to your data when you leave? Of course, we will do everything we can to keep you as a customer, but we know that’s not always possible. At Algolia, we retain information in accordance with our subscription agreements. We may also retain and use certain personal information for a reasonable period as necessary — to pursue our legitimate business interests, conduct audits, comply with our legal obligations, resolve disputes, and so forth. You’ll find it all spelled out transparently in our Privacy Policy.

9. Who has access to data and systems? 

It’s important to know who is coming and going and when data is in transit. Security is a shared responsibility between Algolia and our customers. On one hand, we do what we can to lock down access, and on the other we ask our customers to manage access responsibly. For example, we have controlled access to infrastructure and offer features for secure API key management, 2FA, and application permission levels. We also implement the latest best practices to ensure that your data is safe, secure, and isolated from the data of other Algolia users. However, it’s equally incumbent on our customers to follow security best practices, manage access and permissions for their users, and keep their Admin API keys secret and hidden. By managing access as a team, we can be more secure together. The terms of service customers agree to spells out their expectations for managing access and information sharing. 

10. How do your employees approach security?

Security is not just managed by the security team. Everyone at an organization should be made aware of the risks and responsibilities. When everyone is made aware of the possible risks and rewards, we can provide a safer, more secure service. At Algolia, new hires are given training before accessing any systems when they’re onboarded and everyone must pass a security test each year. Our IT team also maintains administrative safeguards on company-owned equipment, ensuring the devices and applications are up-to-date. We have a shared security channel in Slack to report incidents, concerns, or just ask questions; when it comes to security, there are no stupid questions!

Of course, there’s much, much more to our security policies. Above all, as you investigate a provider’s security measures, look for transparency. For a provider to be less than transparent means, more than likely, that they’re obfuscating something important.

Here are a bunch of additional resources to learn more about security at Algolia. 

About the author
Denis Petit

Senior Manager, Security
