The safety and security of our customers’ data is our highest priority. Our API clients use HTTPS (HTTP over TLS) to send your data to our servers, and you can choose to use TLS to query your indices as well.
By default, our JavaScript API client will use the same protocol as the page hosting it.
Backups and transfers between servers are encrypted with AES-256.
We put a lot of effort into having the best security. For instance, it took us only a few hours after the disclosure to fix the Heartbleed vulnerability.
We perform regular independent penetration testing and run a public bug bounty program on HackerOne that helps us ensure ongoing security.
If you want your data to be encrypted at rest, our Algolia Vault feature provides it using AES-256 encryption with Algolia-managed per-server keys.
On September 30, 2020 we started a deprecation process for TLS 1.0 and 1.1 on our infrastructure, following this schedule:
- September 30, 2020: All customers receive an official deprecation notice with a timeline.
- October 14, 2020: Our Dashboard, Analytics, Insights (Click Analytics, A/B Testing, and Personalization), Query Suggestions, Usage, and Monitoring API disable TLS 1.0 and 1.1 for the day.
- October 15, 2020: Customers with a Customer Success Manager and over 5% of back-end Search API requests or 1% of front-end Search API requests running over TLS 1.0 or 1.1 receive a notification from their CSM.
- October 21, 2020: Our Dashboard, Analytics, Insights (Click Analytics, A/B Testing, and Personalization), Query Suggestions, Usage, and Monitoring API disable TLS 1.0 and 1.1 permanently.
- February 17, 2021: We disable TLS 1.0 and 1.1 on one third of Search API servers. For customers who haven’t upgraded by then, this won’t cause any service downtime, but it can introduce a slowdown or a small number of errors.
- February 24, 2021: All Algolia systems disable TLS 1.0 and 1.1. Analytics, Insights (Click Analytics, A/B Testing, and Personalization), Query Suggestions, Usage, and Monitoring API disable HTTP endpoints completely and keep HTTPS only.