Data at Rest

Data at rest refers to inactive information stored on a physical medium. In the context of Surfly, the platform is built on a zero-storage architecture, meaning session content such as webpage data and user interactions is never stored at rest.

What you need to know about Data at Rest

Data at rest is digital information that is not actively moving between devices or networks and is stored in a static location, such as a database, hard drive or cloud storage. Securing data at rest is a major component of any information security program, as stored data is a primary target for unauthorized access and theft.

The Surfly platform's approach to data at rest is defined by its core architectural principle of zero-storage for all session content. Unlike systems that log user interactions or cache page content to disk, Surfly's Interaction Middleware processes web traffic entirely in-memory. Data flows through the proxy servers for real-time synchronization but is not written to persistent storage.

While session content is not stored, a Surfly deployment does manage some types of data at rest, which are necessary for system operation and administrative functions:

  1. Configuration Data: Information required to run the service, including user accounts (agents, managers), API keys, and company-specific settings (like whitelists or data masking rules).
  2. Audit Logs: If enabled, the system generates and stores metadata about sessions. This includes timestamps, participant information, and session duration for compliance and reporting. This does not include the visual or HTML content of the session.
  3. Session Recordings: As an optional, customer-controlled feature, full video recordings of sessions can be created and stored.

How Surfly Handles Data at Rest

Surfly's strategy is to minimize the amount of data stored and apply strong security controls to any data that must be persisted.

  • Zero-Storage by Default: The platform is engineered so that the content of a co-browsing session—the webpages, form data, and user interactions—is never written to a disk. This is the default and standard behavior of the system.
  • Secure Storage for Operational Data: All necessary configuration data, such as agent login credentials and account settings, is encrypted and stored securely in Surfly's production databases, protected by strict access controls.
  • Optional Session Recordings: As an explicit, opt-in feature, organizations can choose to record co-browsing sessions. These recordings are data at rest and are stored in a secure, designated location as chosen by the customer. This is the exception to the zero-storage rule and is fully under the customer's control.

The importance of Data at Rest

How a technology vendor handles data at rest directly affects your organization's security, compliance, and customer trust. A zero-storage approach provides businesses a clear advantage.

Security and Risk Reduction

  • Minimize Attack Surface: If no session content is stored, there is no session content for attackers to steal from the vendor's servers. This single point is one of the most effective security measures possible.
  • Reduced Liability: Your organization isn't exposed to the risk of a third-party vendor's data breach, which could compromise your customers' sensitive information.

Compliance Simplification

  • Meeting Regulatory Demands: Regulations like GDPR, HIPAA, and PCI DSS have strict rules for protecting stored personal and financial information. A zero-storage architecture helps meet these requirements by simply not storing the data in the first place.
  • Easier Audits: Demonstrating compliance is simpler when you can show that sensitive customer data from web sessions is not held by third-party subprocessors.

Frequently asked questions about Data at Rest

We’ve compiled answers to the most frequently asked questions about Data at Rest.

Why is a "zero-storage" architecture particularly suitable for regulated industries?

Regulated industries like finance and healthcare face severe penalties for data breaches. A zero-storage architecture dramatically reduces risk by eliminating the vendor's servers as a point of failure for stored data. This simplifies security audits and makes it easier to comply with data protection mandates like HIPAA and GDPR.

Are session recordings considered "Data at Rest"?

Yes. When a session is recorded, the resulting file is data at rest. Surfly makes session recording an optional feature. Organizations can choose to enable it and typically configure it to save recordings directly to their own secure storage (e.g., their own cloud bucket), not Surfly's. This gives the organization full control and ownership over its data.

How does Surfly handle data if it doesn't store it "at rest"?

Surfly's Interaction Middleware acts as a pass-through proxy. It processes web content in real-time, in-memory, to synchronize the view between participants. Once the session ends, this temporary data is purged from memory. It is never permanently written to disk on Surfly's servers.

What happens to chat logs from a Surfly session?

Similar to documents, chat logs are transient and exist only for the duration of the session. They are not stored at rest by Surfly. If an organization needs to retain chat transcripts for their own records, they can use Surfly's APIs to capture the messages and save them into their own systems, such as a CRM.
