GDPR Compliance
GDPR Compliance is the adherence to the EU's General Data Protection Regulation, which requires organizations to protect the personal data and privacy of EU citizens, a process enabled in co-browsing by technologies like data masking and zero-storage architecture.
What you need to know about GDPR Compliance
GDPR Compliance affects any business that handles personal data from European Union residents, regardless of where the company is located. The regulation went into effect on May 25, 2018, and changed how organizations must approach data privacy. For remote collaboration tools and customer support platforms, this creates specific obligations around consent, data minimization, and user rights.
The regulation applies to all personal data—any information that could identify a living person. In the context of digital customer support and co-browsing sessions, this includes identifiers like names and email addresses, but also extends to browser fingerprints, session recordings, and even patterns that could potentially identify someone.
Data Processing Principles
GDPR establishes six key principles that guide how personal data must be handled:
- Lawfulness and transparency: Organizations need a legal basis for processing data and must clearly explain what they're doing with it
- Purpose limitation: Data can only be used for the specific purposes disclosed when it was collected
- Data minimization: Collect only the personal data you actually need for your stated purpose
- Accuracy: Keep personal data current and correct
- Storage limitation: Don't keep personal data longer than necessary
- Security: Implement appropriate technical and organizational measures to protect data
The importance of GDPR Compliance
For organizations processing personal data of EU residents, adherence to the General Data Protection Regulation (GDPR) is an operational necessity. Surfly's platform is built with architectural principles and features that directly support an organization's ability to meet its compliance obligations during collaborative customer interactions.
Mitigating Data Exposure and Ensuring Confidentiality
A primary concern under GDPR is the unintentional exposure of personal data to unauthorized parties, such as a support agent during a co-browsing session. Surfly's proxy-based system offers granular controls to protect sensitive information:
- Server-Side Data Masking: Sensitive data, such as Personally Identifiable Information (PII) or payment details, can be redacted before the webpage content is sent to an agent. Because this masking occurs on the proxy server, the data never reaches the agent's device, directly supporting the GDPR principles of data minimization and integrity.
- Zero-Storage Architecture: Surfly is architected to never persistently store session data on its servers. This design limits the scope of data processing and reduces the risk associated with a potential data breach, aligning with the principle of storage limitation.
- End-to-End Encryption: All data transmitted during a session is secured with TLS 1.3 transport security. This measure protects the confidentiality of data in transit between the user, the Surfly proxy, and the target website, which is a requirement for secure data processing under GDPR.
Upholding Data Subject Rights and Accountability
GDPR requires organizations to maintain records of processing activities and to facilitate data subject rights, such as the right to access or erasure. The Surfly platform includes features that create a detailed, auditable record of every collaborative session.
- Comprehensive Audit Logging: Every session generates a detailed log that includes timestamps, participants, actions taken, and URLs visited. This provides organizations with the necessary documentation to demonstrate accountability for processing activities conducted through the co-browsing tool.
- Granular Access Controls: Administrators can configure allowlists and blocklists to restrict co-browsing sessions to pre-approved domains. Combined with role-based permissions for agents, these controls ensure that data is only processed for its intended purpose by authorized personnel.
- Controlled Session Recording: The session recording feature is optional and can be managed to align with an organization's consent policies. The ability to enable or disable recording on a case-by-case basis allows companies to capture interactions for quality assurance while still respecting the data subject's right to privacy.
A Practical Example of GDPR Compliance
A Dutch travel agency is helping a customer from Germany book a family vacation online. The customer is confused by the passenger information form, which requires passport numbers and birthdates. The agent initiates a Surfly co-browsing session. To ensure GDPR compliance:
- The session is automatically routed through Surfly's Frankfurt (EU) data center.
- When the customer types their passport number and family's birthdates, these fields are automatically masked on the agent's screen. The agent can see that the fields are being filled but cannot see the actual personal data.
- The entire session is encrypted.
- Once the booking is complete and the session ends, no personal data from the interaction is stored on Surfly's servers.
The agent successfully helps the customer, the agency makes a sale, and the entire interaction adheres to GDPR requirements, protecting both the customer and the business.
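The proxy-side masking described above (sensitive fields redacted before the page reaches the agent, who still sees that the field has been filled) can be illustrated with a small Python rewriter. This is an added example, not Surfly's code; the sensitive-field policy regex, the field names and the sample form are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed policy (assumption): field names / autocomplete tokens that carry personal data.
SENSITIVE_FIELDS = re.compile(r"passport|birth|dob|card|cvv", re.I)

# Constructed sample page as the proxy would receive it from the target site.
SAMPLE_FORM = (
    '<form><input name="traveller_name" value="Anna Example">'
    '<input name="passport_no" value="AB1234567">'
    '<input name="dob_child1" type="date" value="2014-06-02">'
    '<input name="email" value="anna@example.com"></form>'
)

def mask_value(value: str) -> str:
    """Replace every character with a bullet, keeping only the length (agent sees 'filled in')."""
    return "\u2022" * len(value)

class MaskingRewriter(HTMLParser):
    """Re-emits the HTML stream, masking the value of sensitive <input> fields."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.masked = [], 0
    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, "")
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")
    def _emit(self, tag, attrs, closer):
        attrs = dict(attrs)
        probe = " ".join(filter(None, (attrs.get("name"), attrs.get("autocomplete"))))
        if tag == "input" and attrs.get("value") and SENSITIVE_FIELDS.search(probe):
            attrs["value"] = mask_value(attrs["value"])
            self.masked += 1
        rendered = "".join(f' {k}="{v}"' if v is not None else f" {k}" for k, v in attrs.items())
        self.out.append(f"<{tag}{rendered}{closer}>")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def mask_page(html: str) -> tuple[str, int]:
    """Return the agent-facing HTML and the number of fields masked."""
    rewriter = MaskingRewriter()
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out), rewriter.masked
```

A real proxy would apply the same policy to keystrokes and DOM updates streamed during the session, not only to the initial page, so that values typed after load never reach the agent either.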
Frequently asked questions about GDPR Compliance
We’ve compiled answers to the most frequently asked questions about GDPR Compliance.
Yes, if you offer goods or services to, or monitor the behaviour of, individuals in the EU, GDPR applies to you regardless of your company's location.
The "data controller" is the organization that determines the purposes and means of processing personal data (e.g., your company). The "data processor" is the organization that processes data on behalf of the controller (e.g., a SaaS provider like Surfly). Both have distinct responsibilities under GDPR.
Data masking directly supports the principles of data minimization and security. By automatically hiding personal information from an agent's view during a co-browsing session, you ensure they only see what is necessary and that sensitive data is not unnecessarily exposed or processed.
No. Compliance depends on the software's architecture. Solutions that lack features like granular data masking, audit logs, EU data residency options, and a zero-storage design may not meet GDPR requirements for secure data processing.