It installs a common and trusted by the browser SSL cert and acts as a man
in the middle, decrypting and re-encrypting to the destination.
We do this for most traffic from regular user laptops and desktops, but there is always the possibility that someone will try to bypass our proxy. We also have stuff that we can't monitor like that because it contains sensitive info that needs to be secure end-to-end. That isn't to say though that we can't have traffic that is routed to a locked down secure zone that users can't access and analyzed there. The platform to do that will naturally also have masking built in so that sensitive information is scrubbed before any of it is persisted anywhere.