Security Measures
Algolia implements and maintains Security Measures that meet or exceed the security objectives required for SOC2 audit. Algolia may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. These Security Measures are in effect on the DPA Effective Date. Capitalized terms used herein but not otherwise defined have the meaning given to them in the DPA.
Information Security Program
1) Data Center and Network Security
- Data Centers
- Infrastructure. Algolia maintains geographically distributed data centers and stores all production data in physically secure data centers.
- Redundancy. Algolia’s infrastructure has been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. This design allows Algolia to perform maintenance and improvements of the infrastructure with minimal impact on the production systems. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications.
- Power. All data centers are equipped with redundant power system with various mechanism to provide backup power, such as uninterruptible power supplies (UPS) batteries for short term blackouts, over voltage, under voltage or any power instabilities and diesel generators, for outages extending units of minutes, which allow the data centers to operate for days.
- Server Operating System. Algolia uses a Linux based operating system for the application environment with a centrally managed configuration. Algolia has established a policy to keep systems up to date with necessary security updates.
- Business Continuity. Algolia replicates data across multiple systems to help protect against accidental destruction or loss. Algolia has designed and regularly plans and tests its business continuity planning and disaster recovery programs.
- Network and Transmission
- Data Transmission. Algolia uses industry standard encryption schemes and protocols to encrypt data transmissions between the data centers. This is intended to prevent reading, copying or modification of the data.
- Intrusion Detection. Algolia employs an intrusion detection system to provide insights into ongoing attack activities and to help remediate the attack faster.
- Incident Response. Algolia’s security and operations personnel will promptly react to discovered security incidents and inform the involved parties.
- Encryption Technologies. Algolia’s servers support HTTPS encryption, ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA and for supported clients also perfect forward secrecy (PFS) methods to help protect traffic against compromised key or cryptographic breakthrough. Algolia uses only industry standard encryption technologies.
2) Access and Site Controls
- Site Controls
- Data Center Security Operations. All data centers in use by Algolia maintain 24/7 on-site security operations responsible for all the aspects of physical data center security.
- Data Center Access Procedures. Access to the datacenter follows Algolia’s Physical Security policy allowing only pre-approved authorized personnel to access the Algolia equipment.
- Data Center Security. All data centers comply with or exceed the security requirements of SOC2. All data centers are equipped with CCTV, on-site security personnel and key card access system.
- Access Control
- Access Control and Privilege Management. Subscriber’s administrators must authenticate themselves via a central authentication system or via a single sign-on system in order to administer the Services.
- Internal Data Access Processes and Policies – Access Policy. Algolia’s internal data access processes and policies are designed to prevent unauthorized persons or systems from getting access to systems used to process personal data. These processes are audited by an independent auditor. Algolia employs a centralized access management system to control access to production systems and servers, and only provides access to a limited number of authorized personnel. SSO, LDAP and SSH certificates are used to provide secure access mechanisms. Algolia requires the use of unique IDs, strong passwords and two factor authentication. Granting of access is guided by an internal policy. Access to the system is logged to provide an audit trail for accountability.
3) Data
- Data Storage, Isolation and Logging. Algolia stores data in a combination of dedicated and multi-tenant environments on Algolia-controlled servers. The data is replicated on multiple redundant systems. Algolia also logically isolates the Subscriber’s data. Subscriber may enable data sharing, should the Services functionality allow it. Subscriber may choose to make use of certain logging capability that Algolia may make available via the Services.
- Decommissioned Disks and Disk Erase Policy. Disks used in servers might experience hardware failures, performance issues or errors that lead to their decommission. All decommissioned disks are securely erased if intended for reuse, or securely destroyed due to malfunction.
4) Personnel Security
Algolia personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Algolia conducts appropriate background checks to the extent allowed by applicable law and regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Algolia’s confidentiality, privacy and acceptable use policies. All personnel are provided with security training upon employment and then regularly afterwards. Algolia’s personnel will not process Subscriber Data without authorization.
5) Sub-processor Security
Algolia conducts audits of security and privacy practices of Sub-processors prior to onboarding the Sub-processors in order to ensure adequate level of security and privacy to data and scope of services they are engaged to provide. Once the Sub-processor audit is performed and associated risk is evaluated, the Sub-processor enters into appropriate privacy, confidentiality and security contract terms.
Security Certifications and Reports
1) Service Organization Control (SOC) Reports: Currently, Algolia’s information security control environment applicable to the Services undergoes an independent evaluation in the form of SOC2 and SOC 3 audits. To demonstrate compliance with the Security Measures, Algolia will make available for review by Subscriber Algolia’s most recent (i) SOC 2 Report and (ii) SOC 3 Report as described below.
- “SOC 2 Report” means a confidential Service Organization Control (SOC) 2 report on Algolia’s systems examining logical security controls, physical security controls, and system availability, as produced by Algolia’s independent third-party auditor in relation to the Services.
- “SOC 3 Report” means a Service Organization Control (SOC) 3 report, as produced by Algolia’s independent third-party auditor in relation to the Services.
- Algolia will either update the SOC2 Report and SOC 3 Report at least once every 18 months or pursue comparable audits or certifications to evaluate and help ensure the continued effectiveness of the Security Measures.
2) ISO27001 and ISO27017 certification: In March 2020, Algolia received its ISO27001 and ISO27017 certifications which are an information security management system family of standards providing best practice recommendations on information security management, including framework of policies and procedures that include all legal, physical and technical controls involved in an organization’s information management process, and security standards particularly developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security issues, respectively.
3) TRUSTe certification: Algolia has been awarded the TRUSTe Certified Seal signifying that Algolia’s website Privacy Statement and privacy practices related to the Services have been reviewed by TRUSTe for compliance with TRUSTe’s Certification Standards.