How Algolia keeps all your data safe but searchable on Solid

In today’s world of easily accessible data, privacy is key. But protecting data is often a manual and expensive process requiring extensive planning. Solid, an app designed to help you run easy and effective meetings, faces a unique struggle when it comes to privacy. They have access to large amounts of personal data and need it to be searchable yet secure.

Aligned with their mission to make meetings easy and effective, they needed a way to keep privacy easy and effective while not minimizing any search functionality. So, they called Algolia. 

Thibaut Davoult, Growth Manager at Solid, recently reached out to share the Solid/Algolia experience with us. Here’s what he had to say.


What does Solid do?

Solid is a meetings management app used by managers, employees and freelancers around the world. Our platform has hosted hundreds of thousands of meetings and counting, and clients such as LinkedIn, Dropbox, Deezer and Airbnb trust us with their private data. Solid, in return, places the utmost importance on privacy.

Protecting your data

In fact, privacy is one of the stepping stones for Solid’s success. Meeting invitations can contain very sensitive data. Even meeting names alone can be revealing, so we work hard to prevent any of this info from leaking. And this has been the case from the very beginningWe largely manage to keep privacy in check thanks to deep provider integration. We currently integrate with Office 365 and Google through their OAuth system and rely on ACL to keep users out of others’ meetings.

But we needed search…

The need for a search feature quickly became evident while trying to manage all these meetings. We had a large amount of data and no clear way to organize and find information. Thus, the problem to solve was quite straightforward:

How do we implement a search feature that:

1) Keeps our users’ privacy in check
2) Doesn’t hurt our app’s performance
3) Can be implemented as quickly as possible

We had a few options:

1) Develop a less-satisfying search via MySQL+Redis
2) Implement open source solutions like ElasticSearch or Solr
3) Go with a 3rd party API

The latter seemed like the way to go. Here’s why it seemed like our best option and how we chose Algolia.

Why Algolia?

Algolia is the leading hosted search API and the only one that delivers instant and relevant results from the first keystroke. Once we realized this, it didn’t take long for us to reach out to learn more. What followed, as you’ll see, cemented our decision. We knew it was a no brainer to implement them.

An easy but careless way to keep search performance up would have been to go without a backend proxy so the JavaScript code could directly send requests to the search engine from the end-user browser or device. But that’s not easy. Since JS is executed client side, it would expose all the code and access keys to users, allowing them to search through other meetings. Not very secure. We needed to find a way to secure this information without going through a backend—and secured—proxy.

We recognized that Algolia’s Secured API Keys were the appropriate solution. They allow you to securely apply filtering on the query, done via the back end for optimal security. That means the JS can directly and securely request the Algolia API without any hiccups or slowdowns.

We also needed to add a tagging system to ensure users could and would only access meetings that were meant for them. Each indexed meeting contains a tag array with a list of participants that looks like this: `[“user_xyz”, “user_abc”]`.

When users start a search, their searches are automatically filtered with their associated tags. As a result, they will only be able to search meetings that contain both their keyword AND their user ID. This way, we’re guaranteed not to show anyone else’s results.

  • Tags are associated with the meeting when they are indexed.
  • The back end fixes the tag filters and prepares a session-secured token for the search using Algolia’s php client.
  • The data for search is sent to the front end through a specific endpoint.
  • The JS client uses the token and the filters to directly request the Algolia search endpoint.

Solid also allows users to ignore events on a case-by-case basis. We know you don’t want to see meetings you’ve ignored in your search results, so we filter them out per your settings.

Performance at scale

Could we have done this using other methods such as Elasticsearch? Sure, but at what cost? To get the same performance level and still keep up with security, we would have had to pour quite a bit more resources into the project. Resources, ultimately, that we just don’t have.

While we did all of the above in only five days using Algolia, it would have taken close to three more weeks to complete on Elasticsearch. That’s not even accounting for the maintenance work we would have needed to perform as we processed our initial 500k meetings. This would have been increasingly difficult to scale quickly as we onboard new users. We usually love it when our developers tackle difficult problems (and they do too), but this is just an unnecessary problem to have. But protecting your privacy? That’s a problem that’s right up our alley! And giving you great search? That’s right up Algolia’s!