// Trust & Security Report
Algolia, Inc.
AI search and retrieval platform — includes AI Search (keyword + vector hybrid), NeuralSearch, Agent Studio (AI agent builder), Algolia Crawler, and Algolia Vault (security add-on)
Certifications held
8
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.algolia.com“Algolia SOC 2 Type 2 Final Report 2026.05.12.pdf listed in trust center; update note states 'The report covers the period from January 1, 2025, to January 31, 2026. We are pleased to share that this year's report contains no exceptions.'”
Verify on trust.algolia.com“Algolia SOC 3 Final Report 2026.05.12.pdf listed in trust center resources”
Verify on trust.algolia.com“Algolia ISO 27001 27017 Certificate Award - 2.23.2026 and Algolia ISO 27001 27017 Recertification Audit Report - 2.23.2026.pdf listed in trust center; trust center compliance section shows 'ISO 27001:2022'”
Verify on trust.algolia.com“ISO 27017 recertification audit report dated 2.23.2026 listed alongside ISO 27001 in trust center resources; trust center compliance section shows 'ISO 27017'”
Verify on trust.algolia.com“Algolia C5 Type 2 Final Report 2026.05.12.pdf listed in trust center; trust center compliance section lists 'BSI Cloud Computing Compliance Criteria Catalogue'”
Verify on trust.algolia.com“Trust center lists GDPR under compliance; DPA available incorporating SCCs for EEA data transfers; DPA commits 'End User Data...will not be sent outside of the EEA, Switzerland, or the United Kingdom' for EEA/UK/Swiss subscribers”
Verify on trust.algolia.com“Trust center explicitly lists 'CCPA COMPLIANT'; DPA covers CCPA alongside GDPR, UK GDPR, Swiss FADP, LGPD, and Australian Privacy Act”
Verify on trust.algolia.com“TRUSTe Enterprise Certification - Letter of Attestation - Algolia listed in trust center resources”
> Show 5 unconfirmed / not-held certifications
source: algolia.comNo HIPAA or BAA mentions exist in the DPA or Terms of Service. DPA covers GDPR/CCPA/LGPD but not HIPAA. No Business Associate Agreement framework offered.
source: trust.algolia.comNo public evidence of PCI DSS certification or compliance posture found on vendor domain or trust center
source: trust.algolia.comNo public evidence of FedRAMP authorization found on vendor domain or trust center
source: trust.algolia.comNo public evidence of ISO 42001 certification found on vendor domain or trust center; AI FAQ available at trust center but does not mention 42001
source: cloudsecurityalliance.orgAlgolia has only a CSA STAR Level 1 self-assessment (CAIQ Self-assessment v4.0.2, last updated November 7, 2022, status: Deprecated). No third-party CSA STAR Level 2 audit certification held.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
70+ data centers in 17 regions globally (EU, US, UK, Canada, Brazil, UAE, South Africa, India, Singapore, Hong Kong, Japan, Australia). DPA guarantees EEA/UK/Swiss subscriber End User Data remains within the EEA, Switzerland, or UK with limited security-incident exceptions. Encryption at rest (AES-256) available via Algolia Vault paid add-on.
NeuralSearch models train on anonymized, aggregated usage patterns from participating applications. All applications are opted IN to model training by default. Organizations can opt out per-application or organization-wide in the Algolia dashboard (Settings > Organization Settings > Model Training). Opting out excludes data from future training cycles but search continues to function normally. No AI training opt-out tier restriction documented; opt-out is available to all customers.
// Security controls
Encryption in transit
TLS/HTTPS with ephemeral elliptic curve Diffie-Hellman key exchange and Perfect Forward Secrecy (PFS) for supported clients
algolia.comEncryption at rest
AES-256 with per-server keys via Algolia Vault (paid add-on, not enabled by default); standard plan does not include at-rest encryption
algolia.comPenetration testing
Annual; attestation report available in trust center (Penetration Test Result - Main Apps - attestation only - 202510)
trust.algolia.comAccess controls
SSO, two-factor authentication required, LDAP/SSH certificate-based access, centralized access management with audit logging
algolia.comData center security
24/7 SOC at all data centers; CCTV, key card access, on-site security personnel; redundant power (UPS + diesel generators)
algolia.comPersonnel security
Employee background checks, confidentiality agreements; regular security training for all staff
trust.algolia.comVulnerability management
Centrally managed configuration with regular security updates; vulnerability and system monitoring procedures established per trust center controls
trust.algolia.comIncident response and DR
Continuity and Disaster Recovery plans established and tested; configuration management system established
trust.algolia.comSub-processor management
Sub-processor list published at algolia.com/policies/infrastructure-and-sub-processors; 10 business days advance notice for new sub-processors; audits conducted before onboarding
algolia.com// Products & data scope
data: Search query logs, index data (product catalog, content), End User behavioral data (click events, conversions)
Core product; indexes live in customer-selected regions; EEA End User data stays in EEA per DPA
data: Same as AI Search plus anonymized, aggregated usage patterns used for model training
Model training opt-in by default; customers must actively opt out in dashboard
data: Agent configurations, query data, tool call logs
Newer product; build and deploy AI agents using Algolia's retrieval backend
data: Publicly accessible web content crawled for indexing
Crawls customer-specified domains and ingests content into Algolia search indices
data: Applies AES-256 encryption to all data on the associated cluster
Paid add-on; provides encryption at rest and IP allowlist firewall (up to 1,000 IPs); must be enabled before indexing; cannot be disabled once activated
// What to watch
- Encryption at rest is NOT default: AES-256 encryption requires Algolia Vault paid add-on; customers on standard plans do not get at-rest encryption unless they purchase Vault
- NeuralSearch model training is opt-IN by default: all applications are enrolled in model training (using anonymized, aggregated data) unless the organization actively opts out in the dashboard
- CSA STAR self-assessment is deprecated: Algolia's CAIQ Level 1 self-assessment was last updated November 2022 and is marked as deprecated on the CSA registry; no Level 2 third-party audit certification held
- HIPAA not supported: no BAA available; not addressed in DPA or Terms of Service; Algolia is not suitable for PHI processing without independent legal review
// At a glance
Pricing model
Usage-based SaaS (search requests + records indexed); Algolia Vault is a paid add-on
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Algolia, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.algolia.com