Security & compliance

No data stored, no data lost: Surfly's secure-by-design infrastructure.

At Surfly, we’re extremely serious about security & compliance, meaning you can always use our universal co-browsing technology, no matter how sensitive the data involved in your sessions.

Surfly’s compliance certifications, standards and regulations

Our security & compliance pillars

Surfly’s technology has been designed to act as infrastructure, with information only passing through, but never stored by us. And when no data is stored, no data can be lost or leaked.

Security & compliance

Surfly employs TLS 1.3 transport security, full audit log features, and masking of sensitive data for security and compliance. We use strong SHA-256 SSL encryption for data in transit.

Data & privacy

We don’t store any personal information or session data on disk, and PII data and cookies never leave the individual user’s device. We can also guarantee that this data stays in the geographic region you prefer.

Deployment

We offer you the freedom to select the deployment model which fits your compliance and regulatory requirements. You can choose from public cloud, private cloud, and on-premise deployment.

Security & compliance features

Here’s how we achieve the highest levels of security

Our transparent security layers and interactions protect every participant’s privacy and give you granular control over access and data.

Transparent security layer

Secure DOM/JS sandbox

Our DOM/JS sandbox intercepts all communication with client-side browser APIs. We then rewrite the content and modify it to work in a secure sandbox.

High level of audit log detail

The level of detail in a session’s audit logs makes them as informative as screen recordings — each interaction is documented and time-stamped.

More secure / compliant than alternatives

All Surfly interactions happen in a “walled garden” of your browser tab, not the full desktop, which prevents the accidental leaking of private information.

Granular access control

Advanced allow- and blocklisting

Our allowlist or blocklist feature lets you restrict which sites can be accessed in a co-browsing session, to precisely align your online journeys.

Protect participants’ privacy

Field and element masking

Specific fields or entire HTML elements such as divs, images, and text can be masked from specific users.

Tab owners and interaction permissions

All participants automatically become ‘tab owners’ who have full ownership over the content in their tab(s). This means that all their data, including PII or cookies, never leaves their local device.

Choose the deployment model which fits your compliance and regulatory requirements

You can choose from public cloud, private cloud, and on-premise deployment. Let’s quickly show you how those deployment models differ.

Surfly public cloud

Our public cloud is hosted using multiple ISO 27001 certified data centers globally. We use single-tenant servers only. Session data is logically separated for all sessions, from all users.

Private cloud

Sessions will be hosted from your private cloud setup, which we host and manage for you. Your private cloud can be hosted from your preferred cloud provider in a region of your choice (AWS/Azure).

On-premise

Sessions will be hosted from your infrastructure. You can set up your server within your infrastructure (on-premise/cloud) wherever you want. Surfly has no access or control over this server.

Frequently asked questions

We’ve compiled answers to the most frequently asked questions about our universal co-browsing technology below.

How secure is Surfly?

Surfly uses TLS 1.3 encryption for all data in transit, which is the same standard your bank uses.

The platform is built with security in mind. Your sensitive information is visible to you alone. Surfly provides you with full control over your session data. We will never store any of it on our side. Record as much of your session — or as little — as you like.

How does the secure DOM/JS sandbox work?

Our DOM/JS sandbox intercepts all communication with client-side browser APIs. We then rewrite the content and modify it to work in a secure sandbox.

How does Surfly handle field and element masking?

With Surfly you can mask anything from being viewed or interacted with, without changing your website.

We don't just cover things up visually — we get rid of them entirely. If something is masked then that element will never appear on the browser of another participant and is completely removed from any logging.

You can also configure Surfly to display certain page elements based on who is in control. As a simple example, a "Pay Now" button can be made to disappear when the Customer hands session control over to their Agent.

How do I access a session’s detailed audit logs?

It's entirely up to you! We don't store your audit logs. Instead, we send them directly where you tell us to, encrypted end-to-end. From there, you can access your data however you like, without our involvement.

How do I allow- or blocklist certain sites?

Blocking and allowing different sites is configured in the Admin Dashboard. You can set up specific rules for exactly which websites should be blocked, or you can default to blocking everything and only declare the websites that should be allowed.

Can I customize tab owners and interaction permissions?

Yes, within Surfly you will be able to:
1. Completely configure the tools available to participants of a session
2. Set up your flow to ensure the right people have the right roles

Rest assured, a Surfly solution architect will help you design the right flow for you.

Still have questions?

Our security and compliance team is happy to answer any questions you might still have.
