Trust & Security

Built For The Security Standards Your Enterprise Demands

SURF is designed from the ground up for organizations where security, compliance, and auditability are non-negotiable. Here is how we protect your data, your agents, and your enterprise.

  • AES-256: encryption at rest
  • TLS 1.3: encryption in transit
  • Zero: AI training on your data
  • 100%: agent activity audited

Data Encryption

Your Data Is Encrypted End to End

All SURF data — at rest and in transit — is protected using industry-standard encryption algorithms with enterprise key management.

AES-256 Encryption at Rest

All data stored by the SURF platform — audit logs, session recordings, policy configurations, and credential vault entries — is encrypted using AES-256-GCM with per-tenant encryption keys managed by a dedicated Key Management Service (KMS).

  • Per-tenant encryption keys
  • Hardware Security Module (HSM) key storage
  • Automatic key rotation every 90 days
  • Encryption applied before writing to disk
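The design described above, per-tenant AES-256-GCM keys issued by a key service and rotated on a schedule while older records stay readable, can be demonstrated in a few dozen lines. The following Go program is an added example written for this page; it is not SURF's code and does not describe SURF's storage format. The `KeyService` type is a constructed stand-in for a KMS (a real one keeps keys in an HSM and never exports them), the record layout (key version, nonce, ciphertext) is an assumption, and the audit line and tenant names are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KeyService is a constructed stand-in for a KMS: it keeps every version of
// each tenant's 256-bit key so records written before a rotation stay
// readable. A real KMS would keep the keys inside an HSM and never export them.
type KeyService struct {
	keys map[string][][]byte // tenant -> key material; index 0 is version 1
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string][][]byte{}} }

// Rotate creates a fresh AES-256 key for the tenant and returns its version.
// New records use the newest version; older versions stay available to decrypt.
func (ks *KeyService) Rotate(tenant string) (uint32, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return 0, err
	}
	ks.keys[tenant] = append(ks.keys[tenant], k)
	return uint32(len(ks.keys[tenant])), nil
}

func (ks *KeyService) gcm(tenant string, version uint32) (cipher.AEAD, error) {
	vs := ks.keys[tenant]
	if version == 0 || int(version) > len(vs) {
		return nil, fmt.Errorf("no key version %d for tenant %q", version, tenant)
	}
	block, err := aes.NewCipher(vs[version-1])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Assumed record layout on disk: 4-byte key version || 12-byte nonce || ciphertext+tag.
const versionLen, nonceLen = 4, 12

// aad binds a record to its tenant and key version. GCM authenticates it, so a
// record copied into another tenant's store or relabelled with another version fails to open.
func aad(tenant string, header []byte) []byte {
	return append([]byte(tenant+"|"), header...)
}

// Encrypt seals plaintext under the tenant's current key version.
func Encrypt(ks *KeyService, tenant string, plaintext []byte) ([]byte, error) {
	version := uint32(len(ks.keys[tenant]))
	if version == 0 {
		return nil, errors.New("tenant has no key; call Rotate first")
	}
	g, err := ks.gcm(tenant, version)
	if err != nil {
		return nil, err
	}
	header := make([]byte, versionLen)
	binary.BigEndian.PutUint32(header, version)
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(header, nonce...) // header has no spare capacity, so this copies
	return g.Seal(out, nonce, plaintext, aad(tenant, header)), nil
}

// Decrypt reads the key version from the header, fetches that key, and opens
// the record; any tampering or a mismatched tenant fails the GCM tag check.
func Decrypt(ks *KeyService, tenant string, record []byte) ([]byte, error) {
	if len(record) < versionLen+nonceLen {
		return nil, errors.New("record too short")
	}
	header := record[:versionLen]
	nonce := record[versionLen : versionLen+nonceLen]
	g, err := ks.gcm(tenant, binary.BigEndian.Uint32(header))
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, record[versionLen+nonceLen:], aad(tenant, header))
}

func main() {
	ks := NewKeyService()
	ks.Rotate("tenant-a")
	rec, _ := Encrypt(ks, "tenant-a", []byte("audit: agent-7 read vault entry 42")) // constructed sample
	ks.Rotate("tenant-a") // scheduled rotation: new version, old record still readable
	pt, err := Decrypt(ks, "tenant-a", rec)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
}
```

Two details matter for an auditor checking a claim like the one above: the key version travels with the record, so rotation never requires re-encrypting existing data or guessing which key to try, and the tenant identifier is part of the authenticated data, so a record that leaks from one tenant's store cannot be opened with another tenant's key even by a bug in the storage layer.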

TLS 1.3 Encryption in Transit

All data in transit between SURF clients, agents, and platform services is protected by TLS 1.3. Older protocol versions (TLS 1.0, 1.1, 1.2) are disabled. Certificate pinning is enforced for all SURF SDK connections.

  • TLS 1.3 mandatory (1.2 disabled)
  • Perfect Forward Secrecy (PFS) on all connections
  • Certificate pinning in SURF SDK
  • HSTS enforced on all web interfaces
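
The transit controls listed above (a TLS 1.3 floor, forward secrecy, and certificate pinning in the client) can be checked end to end without a network. The Go program below is an added example written for this page, not SURF's SDK or server code: it generates a throwaway self-signed certificate for the constructed host name surf.example, runs a client and server handshake over an in-memory pipe, and shows that a TLS 1.2-only client and a client holding the wrong pin are both refused. The pinning scheme (SHA-256 over the leaf's SubjectPublicKeyInfo) is an assumption about how such pinning is commonly done, not a description of SURF's SDK.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for the constructed host surf.example
// and returns the server credentials, a trust pool holding it, and its SPKI SHA-256 pin.
func selfSignedCert() (tls.Certificate, *x509.CertPool, [32]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, [32]byte{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "surf.example"},
		DNSNames:     []string{"surf.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, [32]byte{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // freshly generated DER always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	pin := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, pin, nil
}

// HardenedServerConfig accepts TLS 1.3 only. Every TLS 1.3 suite uses an
// ephemeral key exchange, so forward secrecy follows from the version floor.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // keeps the in-memory pipe below from blocking on a post-handshake ticket
	}
}

// PinnedClientConfig verifies the chain against pool, then also requires the leaf's
// SPKI hash to equal pin. maxVersion 0 means newest; tls.VersionTLS12 simulates a legacy client.
func PinnedClientConfig(pool *x509.CertPool, pin [32]byte, maxVersion uint16) *tls.Config {
	return &tls.Config{
		RootCAs:    pool,
		ServerName: "surf.example",
		MaxVersion: maxVersion,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if sha256.Sum256(leaf.RawSubjectPublicKeyInfo) != pin {
				return errors.New("certificate pin mismatch")
			}
			return nil
		},
	}
}

// Handshake runs both sides over an in-memory pipe; returns the negotiated version or the client's error.
func Handshake(server, client *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srvConn.SetDeadline(time.Now().Add(5 * time.Second))
	cliConn.SetDeadline(time.Now().Add(5 * time.Second))
	go tls.Server(srvConn, server).Handshake() // a refusal reaches the client as a TLS alert
	c := tls.Client(cliConn, client)
	if err := c.Handshake(); err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

func main() {
	cert, pool, pin, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := HardenedServerConfig(cert)
	v, err := Handshake(srv, PinnedClientConfig(pool, pin, 0))
	fmt.Printf("modern client: TLS 1.3 negotiated=%v err=%v\n", v == tls.VersionTLS13, err)
	_, err = Handshake(srv, PinnedClientConfig(pool, pin, tls.VersionTLS12))
	fmt.Println("legacy TLS 1.2 client refused:", err)
}
```

Against a real endpoint the same check is a client config with `MinVersion: tls.VersionTLS13` and a pin supplied out of band; what this offline version adds is a controlled negative case for each control, so a regression (a server that quietly re-enables TLS 1.2, or a client build that drops the pin) shows up as a passing handshake that should have failed.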

Compliance Frameworks

Compliance Status

SURF is actively pursuing industry-standard compliance certifications. Below is the current status of each framework.

SOC 2 Type II (status: In Progress)

SURF is actively pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria. Audit period: Q1–Q3 2026.

  • Security TSC
  • Availability TSC
  • Confidentiality TSC

ISO 27001 (status: In Progress)

ISO 27001 Information Security Management System (ISMS) implementation is underway. Gap analysis completed. Controls implementation: 78% complete.

  • ISMS established
  • Risk treatment plan
  • Control implementation

GDPR (status: Compliant)

SURF processes personal data in accordance with GDPR requirements. Data Processing Agreements (DPAs) are available for all EU customers. Data subject request handling is automated.

  • DPA available
  • Data subject rights
  • Sub-processor registry

Compliance certifications are actively in progress. Enterprise customers requiring current compliance evidence packages should contact their account team.

Data Privacy & AI

Our Data & AI Privacy Commitments

SURF makes clear, contractual commitments about how your enterprise data is handled — and how it is never used.

Zero Data Training Commitment

SURF will never use your enterprise data — including agent activity logs, session recordings, audit trails, or any content processed by agents running in your environment — to train, fine-tune, or improve AI models. This commitment is contractually enforceable in all enterprise agreements.

Data Retention

Audit logs are retained for 12 months by default, configurable up to 7 years for regulated industries. Session recordings are retained for 90 days. All data is deleted within 30 days of account termination.

Zero AI Training Policy

SURF does not use customer data — including agent activity, browser sessions, audit logs, or policy configurations — to train AI models. Your enterprise data is never used to improve AI systems operated by SURF or third parties.

Secure Sub-Processing

SURF maintains a current register of all sub-processors. All sub-processors are bound by data processing agreements consistent with GDPR Article 28 requirements. The sub-processor list is available upon request.

Data Residency

Enterprise customers can select their preferred data residency region: US (Virginia), EU (Frankfurt), or UK (London). Data is not transferred across residency boundaries without explicit customer authorization.

Questions about our security posture?

Our security team is available to answer questions, provide compliance documentation, and walk through our controls architecture.