// Trust & Security Report
Surfer Sp. z o.o. (acquired by Positive Group, France)
AI-powered SEO visibility platform with content optimization, AI search ranking analysis, and AI-generated content tools for marketers and agencies. Sub-products include Content Editor, AI Tracker, Keyword Surfer, and Surfy Agent (coming soon).
Certifications held
2
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on surferseo.com“"ISO 27001 certified" appears in the footer of Surfer's legal pages under Positive group branding. This is a self-attested statement on the vendor's own domain; no certificate number, registrar, or IAF CertSearch registration is published, so the scope (Surfer Sp. z o.o. vs. group-wide) could not be independently verified.”
Verify on surferseo.com“We are committed to ensuring that the Data is processed in accordance with the law, including Regulation (EU) 2016/679. Surfer uses Data Processing Agreements (DPA) with customers.”
> Show 3 unconfirmed / not-held certifications
source: surferseo.comNo public evidence. Not mentioned on Surfer website, privacy policies, or regulations page.
source: surferseo.comNo public evidence. Not mentioned in any Surfer documentation.
source: surferseo.comNo public evidence on Surfer's own domain or documentation. (An earlier draft cited a Cyber Essentials certification from positivegroup.org; that domain belongs to an unrelated UK organizational-psychology firm, not Surfer's parent, so the claim was withdrawn.)
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Vendor markets '100% made and hosted in Europe' with 'local, sovereign infrastructure.' However, the customer privacy policy's sub-processor list shows Google Cloud Platform processing in 'EU / United States' and Cloudflare 'Global', so processing is not exclusively within the EU (HubSpot and Oracle NetSuite are listed as EU). Legal entity: Surfer Sp. z o.o., Wroclaw, Poland.
Privacy policy (last modified January 23, 2026) does not state whether Surfer trains AI models on customer data, and no opt-out is documented. The product includes AI content generation (Content Editor) and AI Tracker, but customer-data usage for model training is not addressed. Contact vendor for clarification.
// Security controls
Data hosting
Vendor markets 'local, sovereign infrastructure, 100% made and hosted in Europe.' Sub-processors named in the customer privacy policy include Google Cloud Platform (EU / United States) and Cloudflare (Global), indicating some processing occurs outside the EU.
surferseo.comPublished technical controls
No specific security controls (encryption standards, monitoring, penetration-testing cadence) are published on the vendor's own domain, and there is no trust center or security whitepaper. Not verified.
surferseo.com// Products & data scope
data: Customer content, website data, competitor analysis data, user account information
Main product for content analysis, AI score generation, and SEO optimization. Processes customer's website content and AI visibility metrics.
data: Customer content drafts, generated content, brand voice data
AI-powered writing assistant for SEO-optimized content creation. Uses brand voice training.
data: Website content, AI engine responses, competitor data
Monitors how AI systems (ChatGPT, Claude) cite customer content and competitor visibility.
data: Search queries, keyword data, browsing behavior
Separate privacy policy available at https://surferseo.com/legal/keyword-surfer-privacy-policy/
data: Workflow data, automated task inputs
Upcoming product for automated SEO workflows. Limited details available.
// What to watch
- ISO 27001 stated as 'certified' in the site footer/legal pages under Positive group branding, but no certificate number, registrar, or IAF CertSearch registration is published, so the scope (Surfer Sp. z o.o. vs. group-wide) cannot be independently verified.
- '100% hosted in Europe' marketing is contradicted by the sub-processor list: Google Cloud Platform processes in 'EU / United States' and Cloudflare is 'Global'. EU-only data residency should not be assumed.
- AI model training policy not explicit in the privacy policy (last modified January 23, 2026). Product uses AI generation (Content Editor) and AI Tracker, but customer-data usage for model improvement is not documented.
- Acquired by Positive Group (France, formerly Sarbacane Group) in October 2025; combined-entity security posture is not yet reflected in standalone documentation. Note: the correct parent is at positivegroup.com; positivegroup.org is an unrelated same-name company and must not be used as a source.
- No SOC 2 certification, which is standard for US enterprise buyers. Enterprise customers (Bolt, ClickUp) may have compliance requirements not explicitly addressed.
// At a glance
Pricing model
Subscription (SaaS) - freemium tier, Scale/Plus/Advanced/Enterprise tiers. Pricing based on features and content analysis limits.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Surfer Sp. z o.o. (acquired by Positive Group, France)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
surferseo.com