Surfly Security and Compliance Center

On this page, you will learn about security, compliance, and privacy considerations that go into all of our products and services.

We constantly make sure this approach is applied to all product releases and feature updates, as well as our middleware and server configuration.

Compliance Certifications, Standards, and Regulations

GDPR


Security & compliance

Surfly employs TLS 1.3 transport security, full audit log features, and masking of sensitive data for security and compliance. We use strong SHA-256 SSL encryption for data in transit. All sessions are initiated with a secure web connection and deployed with a secure-first approach, and monitored 24/7.

Data & privacy

A Space exists within a single browser tab, and only shares the content you choose to co-browse. It never shares your screen or any other data on your computer, unless you explicitly use screen sharing or file sharing.

We don’t store any personal information or session data on disk, and PII data and cookies never leave the individual user’s device.

We can also guarantee that this data stays in the geographic region you select in the Surfly dashboard.


We offer you the freedom to select the deployment model which fits your compliance and regulatory requirements.

You can choose from public cloud, private cloud, and on-premise deployment. Read more about each model below.


Secure DOM/JS sandbox

When you open a site within a Space, other participants will be able to see and (if you want) interact with the site as you see it in your browser. This is accomplished with our interaction middleware alone, and you don’t have to install anything or give anyone access to your computer.

In a Space, all HTTP requests and responses flow through our service. Our advanced network proxy intercepts all network traffic, while our DOM/JS sandbox intercepts all communication with client-side browser APIs. The technology then rewrites the content and modifies it to work in a secure sandbox. This smart content rewriting is what makes Surfly unique and compliant by nature, unlike all other screen-sharing and co-browsing solutions.


How secure is Surfly?

Spaces by Surfly is inherently more secure and compliant than alternatives, such as traditional screen sharing.

All Surfly interactions happen in a “walled garden” of your browser tab, not the full desktop, which prevents the accidental leaking of private information.

A Space exists within the browser sandbox and does not require any software to be installed on either side, minimizing any potential malware risks.


Field and Element Masking

Content entered within specific input fields in a Space can be hidden from other participants. This can be used to enable PCI-DSS compliance on entry fields for sensitive data, such as account ID, social security number, or credit card details. Just add an HTML tag to the form field and consider it done.

Entire HTML elements such as divs, images, and text can be masked from specific users. You can achieve this without modifying your website.


Detailed Audit Logs

If an agent is helping a customer fill out a form or sign a document, having a record of who performed what action is crucial for reporting and compliance.

Surfly comes with detailed audit logs, so you always have full insight into everything that happened in the Space. The logs’ level of detail makes them as informative as screen recordings — each interaction is documented and time-stamped.

Data that is hidden via field or element masking will also be masked in the audit logs.


Allow- and Blocklisting

With Surfly, you can collaborate across the web. But sometimes you might want a little more control. Our allowlist or blocklist feature lets you restrict which sites can be accessed as part of a Space, to precisely align your online journeys.


Tab owners and interaction permissions

All participants who share content in a Space automatically become “tab owners” who have full ownership over the content in their tab(s). This means that all their data, including PII or cookies, never leaves their local device. Additionally, no one can interact with their tabs unless they grant “interaction permissions” to the specific user who requests them.

Choose the deployment model which fits your compliance and regulatory requirements

Surfly Public Cloud

  • Multi-tenant setup.
  • Sessions will be hosted from our public cloud servers.*
  • Our public cloud is hosted using multiple ISO27001 certified DCs globally.
  • Your users will always connect to the nearest server thanks to our enterprise grade CDN**
  • Surfly’s update cycle applies. You always use the latest version.***

Private Cloud

  • Single-tenant setup.
  • Sessions will be hosted from your private cloud setup we host and manage for you.
  • Your private cloud can be hosted from your preferred cloud provider in a region of your choice. (AWS/Azure)
  • You decide your update cycle.***


On-premise

  • Sessions will be hosted from your infrastructure.
  • You can set up your server within your infra. (on-premise/cloud) wherever you want. Surfly has no access or control over this server.
  • You manage your server updates yourself.***

*We use single tenant servers only. Session data is logically separated for all sessions, from all users.
**By default, a session is started from the closest available location to you (see the list of all available regions). However, if you want to set a preference for location or even fix the location(s) where the session should start from, you can.
***We update our servers often (almost daily) to keep up with the ever-changing web (browsers, protocols, security, infra.) and advise our customers to update their servers at least once every two weeks. These regular updates do not involve any server downtime and only take some minutes to run. Only an active co-browsing session may get disconnected during the momentary refresh that takes place. We update our Surfly cloud servers in the late evening (CET).


At Surfly, security is in our DNA. We embrace responsible disclosure and work with hackers on both private and public bug bounty programs, as per industry best practices.

Any questions?

Surfly is neither a screen-sharing solution nor a purely JavaScript co-browsing tool. What makes us exceptional is our unique combination of JavaScript and a smart content rewriting proxy.

With this, we are able to overcome cross-domain policies, while having all elements on the site (including iframes) function correctly within the co-browsing session. This means that audio and video are synced as well. In addition, all visual updates can be efficiently captured. Our proxy approach also allows us to provide all users with a very smooth co-browsing experience that is much faster than other solutions.

In a global society, you want to make sure that you can overcome distance and build solid relationships with your clients. Being able to assist them from afar or demo your awesome product without having to get stuck in traffic or jump on a plane will not only help save the planet, but will also save you a lot of time and resources!

By adding our co-browsing to your current workflow, you can join your client (or your neighbor, or your grandma) in their browser, just by sharing a link or clicking a button. In doing so you can help them navigate the web, supporting them as they are trying to fill in a form, or advising them on picking the right subscription.

Co-browsing is browser-based, meaning that you only share the browser instead of sharing your entire screen (which is the case with screen sharing).

Both technologies come with their own approaches. Co-browsing solutions like Surfly use a JavaScript approach, which means that the HTML, JavaScript, and CSS of a website are synchronized between users. This allows you to extend the online experience to multiple users, and therefore add a multi-user experience on your website.

Screen-sharing solutions are pixel-based, the drawback of this approach being that screen updates are slow and of low quality. Most screen-sharing tools require external software to be installed by users. This makes them unsuitable for most web situations, as people are often unwilling to install extra software that circumvents the browser’s security measures.

If you want a full explanation, check out our Surfly vs. Screen Sharing page.
