// Trust & Security Report

    Algolia, Inc. logo

    Algolia, Inc.

    AI search and retrieval platform — includes AI Search (keyword + vector hybrid), NeuralSearch, Agent Studio (AI agent builder), Algolia Crawler, and Algolia Vault (security add-on)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Algolia SOC 2 Type 2 Final Report 2026.05.12.pdf listed in trust center; update note states 'The report covers the period from January 1, 2025, to January 31, 2026. We are pleased to share that this year's report contains no exceptions.'

    Verify on trust.algolia.com
    SOC 3
    HELD

    Algolia SOC 3 Final Report 2026.05.12.pdf listed in trust center resources

    Verify on trust.algolia.com
    ISO 27001:2022
    HELD

    Algolia ISO 27001 27017 Certificate Award - 2.23.2026 and Algolia ISO 27001 27017 Recertification Audit Report - 2.23.2026.pdf listed in trust center; trust center compliance section shows 'ISO 27001:2022'

    Verify on trust.algolia.com
    ISO 27017
    HELD

    ISO 27017 recertification audit report dated 2.23.2026 listed alongside ISO 27001 in trust center resources; trust center compliance section shows 'ISO 27017'

    Verify on trust.algolia.com
    BSI C5 Type 2
    HELD

    Algolia C5 Type 2 Final Report 2026.05.12.pdf listed in trust center; trust center compliance section lists 'BSI Cloud Computing Compliance Criteria Catalogue'

    Verify on trust.algolia.com
    GDPR (compliance posture)
    HELD

    Trust center lists GDPR under compliance; DPA available incorporating SCCs for EEA data transfers; DPA commits 'End User Data...will not be sent outside of the EEA, Switzerland, or the United Kingdom' for EEA/UK/Swiss subscribers

    Verify on trust.algolia.com
    CCPA
    HELD

    Trust center explicitly lists 'CCPA COMPLIANT'; DPA covers CCPA alongside GDPR, UK GDPR, Swiss FADP, LGPD, and Australian Privacy Act

    Verify on trust.algolia.com
    TRUSTe Enterprise Certification
    HELD

    TRUSTe Enterprise Certification - Letter of Attestation - Algolia listed in trust center resources

    Verify on trust.algolia.com
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA or BAA mentions exist in the DPA or Terms of Service. DPA covers GDPR/CCPA/LGPD but not HIPAA. No Business Associate Agreement framework offered.

    source: algolia.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification or compliance posture found on vendor domain or trust center

    source: trust.algolia.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on vendor domain or trust center

    source: trust.algolia.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on vendor domain or trust center; AI FAQ available at trust center but does not mention 42001

    source: trust.algolia.com
    CSA STAR Level 2
    NOT CONFIRMED

    Algolia has only a CSA STAR Level 1 self-assessment (CAIQ Self-assessment v4.0.2, last updated November 7, 2022, status: Deprecated). No third-party CSA STAR Level 2 audit certification held.

    source: cloudsecurityalliance.org

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    70+ data centers in 17 regions globally (EU, US, UK, Canada, Brazil, UAE, South Africa, India, Singapore, Hong Kong, Japan, Australia). DPA guarantees EEA/UK/Swiss subscriber End User Data remains within the EEA, Switzerland, or UK with limited security-incident exceptions. Encryption at rest (AES-256) available via Algolia Vault paid add-on.

    NeuralSearch models train on anonymized, aggregated usage patterns from participating applications. All applications are opted IN to model training by default. Organizations can opt out per-application or organization-wide in the Algolia dashboard (Settings > Organization Settings > Model Training). Opting out excludes data from future training cycles but search continues to function normally. No AI training opt-out tier restriction documented; opt-out is available to all customers.

    // Security controls

    Encryption in transit

    TLS/HTTPS with ephemeral elliptic curve Diffie-Hellman key exchange and Perfect Forward Secrecy (PFS) for supported clients

    algolia.com

    Encryption at rest

    AES-256 with per-server keys via Algolia Vault (paid add-on, not enabled by default); standard plan does not include at-rest encryption

    algolia.com

    Penetration testing

    Annual; attestation report available in trust center (Penetration Test Result - Main Apps - attestation only - 202510)

    trust.algolia.com

    Bug bounty

    Public bug bounty program operated

    algolia.com

    Access controls

    SSO, two-factor authentication required, LDAP/SSH certificate-based access, centralized access management with audit logging

    algolia.com

    Data center security

    24/7 SOC at all data centers; CCTV, key card access, on-site security personnel; redundant power (UPS + diesel generators)

    algolia.com

    Personnel security

    Employee background checks, confidentiality agreements; regular security training for all staff

    trust.algolia.com

    Vulnerability management

    Centrally managed configuration with regular security updates; vulnerability and system monitoring procedures established per trust center controls

    trust.algolia.com

    Incident response and DR

    Continuity and Disaster Recovery plans established and tested; configuration management system established

    trust.algolia.com

    Sub-processor management

    Sub-processor list published at algolia.com/policies/infrastructure-and-sub-processors; 10 business days advance notice for new sub-processors; audits conducted before onboarding

    algolia.com

    // Products & data scope

    AI SearchSearch and Discovery (SaaS API)

    data: Search query logs, index data (product catalog, content), End User behavioral data (click events, conversions)

    Core product; indexes live in customer-selected regions; EEA End User data stays in EEA per DPA

    NeuralSearchAI / Vector Search (SaaS API)

    data: Same as AI Search plus anonymized, aggregated usage patterns used for model training

    Model training opt-in by default; customers must actively opt out in dashboard

    Agent StudioAI Agent Builder (SaaS)

    data: Agent configurations, query data, tool call logs

    Newer product; build and deploy AI agents using Algolia's retrieval backend

    Algolia CrawlerWeb Crawler (SaaS)

    data: Publicly accessible web content crawled for indexing

    Crawls customer-specified domains and ingests content into Algolia search indices

    Algolia VaultSecurity Add-on

    data: Applies AES-256 encryption to all data on the associated cluster

    Paid add-on; provides encryption at rest and IP allowlist firewall (up to 1,000 IPs); must be enabled before indexing; cannot be disabled once activated

    // What to watch

    • Encryption at rest is NOT default: AES-256 encryption requires Algolia Vault paid add-on; customers on standard plans do not get at-rest encryption unless they purchase Vault
    • NeuralSearch model training is opt-IN by default: all applications are enrolled in model training (using anonymized, aggregated data) unless the organization actively opts out in the dashboard
    • CSA STAR self-assessment is deprecated: Algolia's CAIQ Level 1 self-assessment was last updated November 2022 and is marked as deprecated on the CSA registry; no Level 2 third-party audit certification held
    • HIPAA not supported: no BAA available; not addressed in DPA or Terms of Service; Algolia is not suitable for PHI processing without independent legal review

    // At a glance

    Pricing model

    Usage-based SaaS (search requests + records indexed); Algolia Vault is a paid add-on

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Algolia, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.algolia.com

    > Browse all vendor trust reports