Surfly Security and Compliance Center

On this page, you will learn about security, compliance, and privacy considerations that go into all of our products and services.

Security is a core design principle of our technology. The entire Surfly Session has been designed to act as infrastructure, with information only passing through but never stored. And when no data is stored, no data can be lost

We constantly make sure this approach is applied to all product releases and feature updates, as well as our middleware and server configuration.

Compliance Certifications, Standards, and Regulations

Surfly Security & Compliance Center

  • Security & compliance

    Surfly employs TLS 1.3 transport security, full audit log features, and masking of sensitive data for security and compliance. We use strong SHA-256 SSL encryption for data in transit. All sessions are initiated with a secure web connection and deployed with a secure-first approach, and monitored 24/7.

  • Data & privacy

    A Surfly session only shares the browser tab in which the session started, not your entire screen or any other data on your computer.

    We don’t store any personal information or session data on disk; and when nothing is stored nothing can be lost, so your data is never at risk.

    We can also guarantee that this data stays in the geographic region you select in the Surfly dashboard.

  • Deployment

    We offer you the freedom to select the deployment model which fits your compliance and regulatory requirements.

    You can choose from public cloud, private cloud, and on-premise deployment. Read more about each model below.


Secure DOM/JS sandbox

When you open a site within Surfly, others in the same session will be able to see and (if you want) control the site as you see it in your browser. This is accomplished with our interaction middleware alone, and you don’t have to install anything or give anyone access to your computer.

In a session, all HTTP requests and responses flow through our service. Our advanced network proxy intercepts all network traffic, while our DOM/JS sandbox intercepts all communication with client-side browser APIs. The technology then rewrites the content and modifies it to work in a secure sandbox. This smart content rewriting is what makes Surfly unique and compliant by nature, unlike all other screen-sharing and co-browsing solutions.


How secure is Surfly?

Surfly’s Co-browsing is inherently more secure and compliant than alternatives, such as screen sharing.

All Surfly interactions happen in a “walled garden” of your browser tab, not the full desktop, which prevents the accidental leaking of private information.

A Surfly Session takes place within the browser sandbox and does not require any software to be installed on either side, minimizing any potential malware risks.


Field and Element Masking

Content entered within specific input fields during the session can be hidden from other participants. This can be used to enable PCI-DSS compliance on entry fields for sensitive data, such as account id, social security number, or credit card details. Just add an HTML tag to the form field and consider it done.

Entire HTML elements such as divs, images, and text can be masked from specific users. You can achieve this without modifying your website.


Detailed Audit Logs

If an agent is helping a customer fill out a form or sign a document, having a record of who performed what action is crucial for reporting and compliance.

Surfly comes with detailed audit logs, so you always have full insight into everything that happened in a session. The logs’ level of detail makes them as informative as screen recordings — each in-session event is documented and time-stamped.

Data that is hidden via field or element masking will also be masked in the audit logs.


Allow- and Blocklisting

With Surfly, you can co-browse the entire web. But sometimes you might want a little more control. Our allowlist or blocklist feature lets you restrict which sites can be accessed as part of a Surfly Session, to precisely align your online journeys.

Choose the deployment model which fits your compliance and regulatory requirements

Surfly Public Cloud

  • Multi-tenant setup.
  • Sessions will be hosted from our public cloud servers.*
  • Our public cloud is hosted using multiple ISO27001 certified DCs globally.
  • Your users will always connect to the nearest server thanks to our enterprise grade CDN**
  • Surfly’s update cycle applies. You always use the latest version.***

Private Cloud

  • Single-tenant setup.
  • Sessions will be hosted from your private cloud setup we host and manage for you.
  • Your private cloud can be hosted from your preferred cloud provider in a region or your choice. (AWS/Azure)
  • You decide your update cycle.***


  • Sessions will be hosted from your infrastructure.
  • You can set up your server within your infra. (on-premise/cloud) wherever you want. Surfly has no access or control over this server.
  • You manage your server updates yourself.***

System requirements for on-premise option

*We use single tenant servers only. Session data is logically separated for all sessions, from all users.

**By default, a session is started from the closest available location to you. List of all available regions. However, if you want to set a preference for location or even fix the location(s) where the session should start from, you can.

***We update our servers often (almost daily) to keep up with ever-changing web (browsers, protocols, security, infra.) and advise our customers to update their servers at least once every two weeks. These regular updates do not involve any server downtime and only take some minutes to run. Only the active co-browsing session may get disconnected during a momentary refresh that takes place. We update our Surfly cloud servers in late evening CET timings.

At Surfly, security is in our DNA. We embrace responsible disclosure and work with hackers both on private and public bug bounty programs – as per the industry best practices. To participate, click here ›

Any questions?

Do you have questions about our plans or pricing? Feel free to contact us via our live chat, schedule a demo, or email us at You can also access our full documentation by clicking the link below.

See full documentation ›

  • 1. What is Surfly?
  • 2. Why should my team use Surfly's co-browsing?
  • 3. How is co-browsing different from screen sharing?