Guides / Security / Security best practices

Shared Responsibility

As with any other cloud service, security is a shared concern between Algolia and its users. While we take full responsibility for the security of our infrastructure, you’re in charge of making sure you follow recommended practices to avoid exposing your data and account.

Algolia’s security responsibilities

Algolia is responsible for ensuring the security of its service. This includes securing the physical and virtual infrastructure, remaining compliant with standards and certifications, and implementing state of the art security practices such as API keys with access control lists (ACL), two-factor authentication. Algolia also provides SAML SSO and AES256 encryption for users with the Enterprise add-on.

Algolia also makes sure that its providers follow strong security guidelines as well. We continuously trains our employees on the subject. Each new Algolia team member goes through mandatory security training, which we renew yearly.

Generally speaking, Algolia is responsible for the security of the service: it’s Algolia’s responsibility to secure everything it authors and provides to you. This includes the entire ecosystem: the search engine and infrastructure, other APIs, official open source API clients, framework integrations and extensions, UI libraries, Crawler, and the Algolia dashboard.

Your security responsibilities

Algolia is responsible for defects in the service, but not for the consequences of any behavior or usage that goes against recommended practices, or doesn’t follow the documentation for a given use case. You’re responsible for how you use Algolia, and for the data you send.

For example, Algolia provides two-factor authentication. But it’s your responsibility to activate it and make sure that your team members do too. The same goes with your data: Algolia offers features to ensure you can keep sensitive data from unauthorized users, but you must use these features appropriately.

Control levels

When it comes to shared responsibility within a cloud service, you can consider three levels of control. These help you understand what falls under Algolia’s responsibility, and what’s on you.

Inherited controls

These are what you inherit from Algolia, and can’t change. For example, when you create an Algolia application, Algolia provisions it on the platform, running in one of the supported regions. This isn’t something you can control or change. For example, you can’t deploy an Algolia application on-premise). Therefore, Algolia is fully responsible for those controls.

Shared controls

These are what comes from Algolia, but you gain control over. Shared controls have shared responsibility. For example:

  • Algolia provides and stores API keys and lets you generate new ones. Algolia is responsible for storing your keys securely and for properly encrypting the virtual ones. You’re responsible for how you store and use your keys on your end.
  • Algolia offers and maintains open source API clients and UI libraries that we strongly recommend you to use. Algolia is responsible for following best practices, fixing security issues, and letting you know about potential vulnerabilities. You’re responsible for upgrading to the latest versions of clients and libraries. You should also make sure that the environment in which you run them is secure, and that it supports the features Algolia implements**, for example, by using HTTPS.
  • Algolia trains employees and raises awareness around security internally, but you’re responsible for training your teams.

User controls

These are what solely depends on your use case and application requirements. Therefore they’re your full responsibility. For example, you’re responsible for how you name your indices, for what data you index into Algolia and for how you control access to this data, or for which team members you invite to your application and with what access level.

Did you find this page helpful?