Privacy Policy

Last updated: June 1, 2026 · Applies to surfbrowser.ai and all SURF Security Services

"SURF enforces a strict Zero-Data Training policy. Your company's browser inputs, runtime sessions, and agentic workflows are never shared with or used to train third-party LLMs or external AI models."

— SURF Security Privacy Commitment

1. Information We Collect

SURF Security Ltd. ("SURF", "we", "us", or "our") collects the following categories of information when you use the SURF Enterprise AI Platform, SURF Browser, and SURF Browser Extension (collectively, the "Services"):

1.1 Telemetry Data

We collect anonymised telemetry data relating to platform performance, feature usage, error events, and session timing. Telemetry data does not contain the content of agent sessions, browsing activity, or user-generated data. Telemetry is used exclusively for platform reliability and product improvement purposes.

1.2 Device Posture Data

For enterprise deployments, SURF may collect device posture signals including operating system version, browser version, patch status, and device compliance state. This information is used to enforce access control policies defined by your enterprise administrator. Device posture data is processed within your tenant environment and is not accessible to SURF personnel without explicit authorisation.

1.3 Account and Identity Data

We collect account registration information (name, email address, company name) and identity verification data passed through your configured identity provider (Okta, Microsoft Entra ID, or SAML 2.0 provider). We do not store identity provider credentials.

1.4 Audit and Session Logs

Enterprise deployments generate audit logs capturing agent action metadata, policy decisions, and session events. The content and retention of these logs are controlled by your enterprise administrator in accordance with your organisation's data governance requirements.

2. How We Use Information

SURF uses the information we collect for the following purposes:

  • Providing, operating, and maintaining the Services
  • Enforcing enterprise access control policies configured by administrators
  • Detecting, investigating, and preventing security incidents and policy violations
  • Generating compliance reports and audit evidence for your organisation
  • Improving platform reliability and performance through anonymised telemetry analysis
  • Communicating with you about your account, service updates, and security notifications
  • Fulfilling contractual obligations under your enterprise agreement

We do not sell, rent, or trade your personal information or enterprise data to third parties for commercial purposes.

3. Cookies and Tracking

The SURF web application and marketing website use the following categories of cookies and tracking technologies:

Strictly Necessary

Session authentication, CSRF protection, and platform functionality. These cannot be disabled without impairing service functionality.

Analytics

Anonymised usage analytics to understand how visitors interact with our website. No personal identifiers are attached to analytics data. You may opt out via our cookie preference centre.

Functional

Remembering user preferences, language settings, and UI configuration. These are optional and do not affect platform security functionality.

The SURF Browser Extension and SURF Browser do not use third-party advertising or tracking technologies within enterprise sessions.

4. Data Security & Retention

4.1 Security Measures

SURF implements enterprise-grade technical and organisational measures to protect data against unauthorised access, disclosure, alteration, or destruction. Key controls include AES-256-GCM encryption at rest, TLS 1.3 encryption in transit, role-based access controls, multi-factor authentication for all platform access, and comprehensive audit logging.

4.2 Retention Periods

  • Account data: Retained for the duration of the enterprise agreement plus 30 days following termination.
  • Audit logs: Default 12-month retention, configurable up to 7 years for regulated industries.
  • Session recordings: Default 90-day retention, configurable by enterprise administrators.
  • Telemetry data: Retained in anonymised form for up to 24 months.
  • Security incident data: Retained for up to 3 years for legal and investigation purposes.

5. Your Rights

SURF is committed to respecting and facilitating data subject rights under the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR). Individuals in the EEA, UK, and other applicable jurisdictions have the following rights:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data in applicable circumstances.

Right to Restriction

Request that we restrict processing of your personal data.

Right to Portability

Receive your personal data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, contact our Data Protection team at privacy@surf.security. We will respond within 30 days.

This Privacy Policy is subject to change. We will notify enterprise customers of material changes via email and in-platform notification at least 30 days before changes take effect. Continued use of the Services after that period constitutes acceptance of the updated policy.