// Trust & Security Report

    Surfer Sp. z o.o. (acquired by Positive Group, France) logo

    Surfer Sp. z o.o. (acquired by Positive Group, France)

    AI-powered SEO visibility platform with content optimization, AI search ranking analysis, and AI-generated content tools for marketers and agencies. Sub-products include Content Editor, AI Tracker, Keyword Surfer, and Surfy Agent (coming soon).

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    "ISO 27001 certified" appears in the footer of Surfer's legal pages under Positive group branding. This is a self-attested statement on the vendor's own domain; no certificate number, registrar, or IAF CertSearch registration is published, so the scope (Surfer Sp. z o.o. vs. group-wide) could not be independently verified.

    Verify on surferseo.com
    GDPR Compliance
    HELD

    We are committed to ensuring that the Data is processed in accordance with the law, including Regulation (EU) 2016/679. Surfer uses Data Processing Agreements (DPA) with customers.

    Verify on surferseo.com
    > Show 3 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence. Not mentioned on Surfer website, privacy policies, or regulations page.

    source: surferseo.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Not mentioned in any Surfer documentation.

    source: surferseo.com
    Cyber Essentials
    NOT CONFIRMED

    No public evidence on Surfer's own domain or documentation. (An earlier draft cited a Cyber Essentials certification from positivegroup.org; that domain belongs to an unrelated UK organizational-psychology firm, not Surfer's parent, so the claim was withdrawn.)

    source: surferseo.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Vendor markets '100% made and hosted in Europe' with 'local, sovereign infrastructure.' However, the customer privacy policy's sub-processor list shows Google Cloud Platform processing in 'EU / United States' and Cloudflare 'Global', so processing is not exclusively within the EU (HubSpot and Oracle NetSuite are listed as EU). Legal entity: Surfer Sp. z o.o., Wroclaw, Poland.

    Privacy policy (last modified January 23, 2026) does not state whether Surfer trains AI models on customer data, and no opt-out is documented. The product includes AI content generation (Content Editor) and AI Tracker, but customer-data usage for model training is not addressed. Contact vendor for clarification.

    // Security controls

    Data hosting

    Vendor markets 'local, sovereign infrastructure, 100% made and hosted in Europe.' Sub-processors named in the customer privacy policy include Google Cloud Platform (EU / United States) and Cloudflare (Global), indicating some processing occurs outside the EU.

    surferseo.com

    Published technical controls

    No specific security controls (encryption standards, monitoring, penetration-testing cadence) are published on the vendor's own domain, and there is no trust center or security whitepaper. Not verified.

    surferseo.com

    // Products & data scope

    Surfer Platform (Core)SEO & Content Optimization

    data: Customer content, website data, competitor analysis data, user account information

    Main product for content analysis, AI score generation, and SEO optimization. Processes customer's website content and AI visibility metrics.

    Content EditorAI Content Generation

    data: Customer content drafts, generated content, brand voice data

    AI-powered writing assistant for SEO-optimized content creation. Uses brand voice training.

    AI TrackerAI Visibility Monitoring

    data: Website content, AI engine responses, competitor data

    Monitors how AI systems (ChatGPT, Claude) cite customer content and competitor visibility.

    Keyword Surfer Chrome ExtensionSEO Research Tool

    data: Search queries, keyword data, browsing behavior

    Separate privacy policy available at https://surferseo.com/legal/keyword-surfer-privacy-policy/

    Surfy Agent (Coming Soon)AI Automation

    data: Workflow data, automated task inputs

    Upcoming product for automated SEO workflows. Limited details available.

    // What to watch

    • ISO 27001 stated as 'certified' in the site footer/legal pages under Positive group branding, but no certificate number, registrar, or IAF CertSearch registration is published, so the scope (Surfer Sp. z o.o. vs. group-wide) cannot be independently verified.
    • '100% hosted in Europe' marketing is contradicted by the sub-processor list: Google Cloud Platform processes in 'EU / United States' and Cloudflare is 'Global'. EU-only data residency should not be assumed.
    • AI model training policy not explicit in the privacy policy (last modified January 23, 2026). Product uses AI generation (Content Editor) and AI Tracker, but customer-data usage for model improvement is not documented.
    • Acquired by Positive Group (France, formerly Sarbacane Group) in October 2025; combined-entity security posture is not yet reflected in standalone documentation. Note: the correct parent is at positivegroup.com; positivegroup.org is an unrelated same-name company and must not be used as a source.
    • No SOC 2 certification, which is standard for US enterprise buyers. Enterprise customers (Bolt, ClickUp) may have compliance requirements not explicitly addressed.

    // At a glance

    Pricing model

    Subscription (SaaS) - freemium tier, Scale/Plus/Advanced/Enterprise tiers. Pricing based on features and content analysis limits.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Surfer Sp. z o.o. (acquired by Positive Group, France)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    surferseo.com

    > Browse all vendor trust reports