Data at Rest

Data at rest is digital information that is not actively moving between devices or networks and is stored in a static location, such as a database, hard drive or cloud storage. Securing data at rest is a major component of any information security program, as stored data is a primary target for unauthorized access and theft.

The Surfly platform's approach to data at rest is defined by its core architectural principle of zero-storage for all session content. Unlike systems that log user interactions or cache page content to disk, Surfly's Interaction Middleware processes web traffic entirely in-memory. Data flows through the proxy servers for real-time synchronization but is not written to persistent storage.

While session content is not stored, a Surfly deployment does manage some types of data at rest, which are necessary for system operation and administrative functions:

1. Configuration Data: Information required to run the service, including user accounts (agents, managers), API keys, and company-specific settings (like whitelists or data masking rules).
2. Audit Logs: If enabled, the system generates and stores metadata about sessions. This includes timestamps, participant information, and session duration for compliance and reporting. This does not include the visual or HTML content of the session.
3. Session Recordings: As an optional, customer-controlled feature, full video recordings of sessions can be created and stored.

How Surfly Handles Data at Rest

Surfly's strategy is to minimize the amount of data stored and apply strong security controls to any data that must be persisted.

• Zero-Storage by Default: The platform is engineered so that the content of a co-browsing session—the webpages, form data, and user interactions—is never written to a disk. This is the default and standard behavior of the system.
• Secure Storage for Operational Data: All necessary configuration data, such as agent login credentials and account settings, is encrypted and stored securely in Surfly's production databases, protected by strict access controls.‍
• Optional Session Recordings: As an explicit, opt-in feature, organizations can choose to record co-browsing sessions. These recordings are data at rest and are stored in a secure, designated location as chosen by the customer. This is the exception to the zero-storage rule and is fully under the customer's control.

How a technology vendor handles data at rest directly affects your organization's security, compliance, and customer trust. A zero-storage approach provides businesses a clear advantage.

Security and Risk Reduction

• Minimize Attack Surface: If there is no stored data, there is nothing for attackers to steal from the vendor's servers. This single point is one of the most effective security measures possible.
• Reduced Liability: Your organization isn't exposed to the risk of a third-party vendor's data breach, which could compromise your customers' sensitive information.

Compliance Simplification

• Meeting Regulatory Demands: Regulations like GDPR, HIPAA, and PCI DSS have strict rules for protecting stored personal and financial information. A zero-storage architecture helps meet these requirements by simply not storing the data in the first place.
• Easier Audits: Demonstrating compliance is simpler when you can show that sensitive customer data from web sessions is not held by third-party subprocessors.