Your business data and your customers' information are in safe hands. Here's exactly how.
All of your Surfaced customer data — bookings, customer records, staff details, payments, waivers, and contracts — is stored on servers inside the European Union. The only data not located in the EU is your login information (usernames, passwords, and session data), which is managed by our authentication partner Clerk. Clerk is a US company, but operates under a formal EU-approved data transfer agreement that meets GDPR requirements. You can see the full list of our data partners at the bottom of this page.
Surfaced is built for European operators, and GDPR compliance is built into the platform — not bolted on afterwards.
When you use Surfaced, you remain the data controller for your customers' personal information. Surfaced processes that data on your behalf, as your data processor. If you need a Data Processing Agreement (DPA) for your own records or for a customer who asks, just get in touch and we'll provide one.
Here's what Surfaced does to help you meet your GDPR obligations:
- If a customer asks to be forgotten, Surfaced can erase their personal details — name, email, phone number — within 30 days. Their booking history is kept in anonymised form so your records stay intact.
- If a customer asks what data you hold on them, you can request a full export from Surfaced to help you respond.
Waivers and service agreements generated by Surfaced meet eIDAS electronic signature standards — the EU framework for legally valid digital documents. Signed copies are stored securely and available to download at any time.
Surfaced never sees your customers' card details. All payments are handled by Stripe — certified to the highest level of payment security (PCI DSS Level 1). Card data goes directly to Stripe and never passes through Surfaced servers.
For most operators, this means your own payment compliance obligations are minimal. If you have questions about your specific setup, get in touch.
We've chosen infrastructure partners who take security seriously, so you don't have to think about it.
Staff logins are handled by Clerk, a dedicated authentication service. All sessions use secure, short-lived tokens. Multi-factor authentication is available for all staff accounts and we recommend enabling it.
Your bookings, customers, and staff data are stored in Neon, a managed EU-hosted database. Every connection is encrypted. Your data is logically separated from other Surfaced tenants — another operator cannot access your records.
Waivers, contracts, and exports are stored in Cloudflare R2 on EU-based servers, encrypted at rest.
All communication between the Surfaced app and our servers is encrypted. We validate all data coming in, and access is rate-limited to protect against automated attacks.
Booking confirmations and notifications are sent via Resend, a dedicated transactional email provider. No marketing data is stored there.
Your data is backed up continuously. Neon maintains a full change history that allows us to restore your data to any point in time if something goes wrong — whether that's an accidental deletion or a technical issue. Automated daily snapshots provide an additional recovery point on top of that.
Waivers, contracts, and uploaded files are stored with versioning enabled, so earlier versions can be recovered if needed.
Surfaced uses a role-based permission system. You control exactly which staff members can access which parts of the platform — from full admin access down to team member or instructor level. Surfaced staff do not access your tenant data without a specific reason, and all such access is logged.
The following companies process data on behalf of Surfaced. We've listed what each one does and where your data is held.
| Partner | What they do | Where your data is held |
|---|---|---|
| Neon | Database — stores your bookings, customers, and staff data | EU (Ireland) |
| Cloudflare R2 | File storage — waivers, contracts, exports | EU |
| Clerk | Staff logins and authentication | US — under EU-approved data transfer agreement |
| Stripe | Payment processing | EU |
| Resend | Booking confirmation and notification emails | EU |
| Railway | API infrastructure | EU |
| Netlify | Website and app hosting | EU |
If you think you've found a security problem with Surfaced, please email security@surfacedhub.com. We'll acknowledge your report within 2 business days and aim to resolve confirmed issues within 30 days. We won't take legal action against anyone reporting in good faith.
For anything related to security, data, or a DPA request: security@surfacedhub.com
Last updated: 25 April 2026