GDPR Compliance

GDPR Compliance affects any business that handles personal data from European Union residents, regardless of where the company is located. The regulation went into effect on May 25, 2018, and changed how organizations must approach data privacy. For remote collaboration tools and customer support platforms, this creates specific obligations around consent, data minimization, and user rights.

The regulation applies to all personal data—any information that could identify a living person. In the context of digital customer support and co-browsing sessions, this includes identifiers like names and email addresses, but also extends to browser fingerprints, session recordings, and even patterns that could potentially identify someone.

Data Processing Principles

GDPR establishes six key principles that guide how personal data must be handled:

• Lawfulness and transparency: Organizations need a legal basis for processing data and must clearly explain what they're doing with it
• Purpose limitation: Data can only be used for the specific purposes disclosed when it was collected
• Data minimization: Collect only the personal data you actually need for your stated purpose
• Accuracy: Keep personal data current and correct
• Storage limitation: Don't keep personal data longer than necessary‍
• Security: Implement appropriate technical and organizational measures to protect data

For organizations processing personal data of EU residents, adherence to the General Data Protection Regulation (GDPR) is an operational necessity. Surfly's platform is built with architectural principles and features that directly support an organization's ability to meet its compliance obligations during collaborative customer interactions.

Mitigating Data Exposure and Ensuring Confidentiality

A primary concern under GDPR is the unintentional exposure of personal data to unauthorized parties, such as a support agent during a co-browsing session. Surfly's proxy-based system offers granular controls to protect sensitive information:

• Server-Side Data Masking: Sensitive data, such as Personally Identifiable Information (PII) or payment details, can be redacted before the webpage content is sent to an agent. Because this masking occurs on the proxy server, the data never reaches the agent's device, directly supporting the GDPR principles of data minimization and integrity.
• Zero-Storage Architecture: Surfly is architected to never persistently store session data on its servers. This design limits the scope of data processing and reduces the risk associated with a potential data breach, aligning with the principle of storage limitation.
• End-to-End Encryption: All data transmitted during a session is secured with TLS 1.3 transport security. This measure protects the confidentiality of data in transit between the user, the Surfly proxy, and the target website, which is a requirement for secure data processing under GDPR.

Upholding Data Subject Rights and Accountability

GDPR requires organizations to maintain records of processing activities and to facilitate data subject rights, such as the right to access or erasure. The Surfly platform includes features that create a detailed, auditable record of every collaborative session.

• Comprehensive Audit Logging: Every session generates a detailed log that includes timestamps, participants, actions taken, and URLs visited. This provides organizations with the necessary documentation to demonstrate accountability for processing activities conducted through the co-browsing tool.
• Granular Access Controls: Administrators can configure allowlists and blocklists to restrict co-browsing sessions to pre-approved domains. Combined with role-based permissions for agents, these controls ensure that data is only processed for its intended purpose by authorized personnel.
• Controlled Session Recording: The session recording feature is optional and can be managed to align with an organization's consent policies. The ability to enable or disable recording on a case-by-case basis allows companies to capture interactions for quality assurance while still respecting the data subject's right to privacy.

A Dutch travel agency is helping a customer from Germany book a family vacation online. The customer is confused by the passenger information form, which requires passport numbers and birthdates. The agent initiates a Surfly co-browsing session. To ensure GDPR compliance:

1. The session is automatically routed through Surfly's Frankfurt (EU) data center.
2. When the customer types their passport number and family's birthdates, these fields are automatically masked on the agent's screen. The agent can see that the fields are being filled but cannot see the actual personal data.
3. The entire session is encrypted.
4. Once the booking is complete and the session ends, no personal data from the interaction is stored on Surfly's servers.

The agent successfully helps the customer, the agency makes a sale, and the entire interaction adheres to GDPR requirements, protecting both the customer and the business.