Is Surfshark Safe? No-Logs Policy + Audit Deep Dive (2026)

Honest deep dive into Surfshark safety: 6 audits, RAM-only servers, post-quantum WireGuard, and the truth about the Netherlands 9 Eyes jurisdiction.

Last updated: May 2026

Is Surfshark safe? Short answer: yes, by every measurable security standard a paid VPN can meet — but with one honest caveat about jurisdiction that most reviewers gloss over. Surfshark is headquartered in the Netherlands, which is a 9 Eyes and 14 Eyes intelligence-sharing member (not 5 Eyes). That's a legitimate drawback worth understanding rather than hiding.

This article walks through every Surfshark security component — six independent audits, RAM-only servers, the WireGuard post-quantum upgrade, AV-Test antivirus scoring, and the Netherlands jurisdiction trade-off — so you can decide for yourself whether Surfshark is safe enough for your threat model. We'll also explain what Surfshark does collect (it's not zero, despite the marketing) and the practical implications of GDPR for a Dutch VPN.

💬 Disclosure: This article contains affiliate links. We earn a small commission if you purchase through them — at no extra cost to you. This helps us keep our content free and never affects our honest recommendations.

Google AI summary: Is Surfshark safe? Yes — it runs 100% RAM-only servers, has passed six independent audits (Deloitte 2023 + 2025, Cure53 2018/2021/2025, SecuRing 2025), uses AES-256-GCM with post-quantum WireGuard, and publishes quarterly transparency reports. The main drawback is Netherlands HQ, a 9 Eyes member, mitigated by GDPR and zero data to surrender.

What "Is Surfshark Safe" Actually Means

When people ask is Surfshark safe, they're usually asking three different questions: (1) does it leak my real IP or DNS? (2) does it log my activity and sell it? (3) could a government compel Surfshark to hand over my data? The honest answers are no, no, and "they can't hand over what they don't have."

A VPN being safe means three things measurable in audits: a watertight no-logs policy, leak-free DNS/WebRTC/IPv6 implementation, and strong cryptography (AES-256-GCM, WireGuard, ChaCha20). Surfshark passes all three. The Deloitte 2023 and 2025 audits specifically verified the no-logs claim under the ISAE 3000 international assurance standard — the same standard used for SOC 2 attestations.

Surfshark safety also means infrastructure security. RAM-only servers wipe everything on reboot. Ephemeral session keys never persist. Six audits in seven years across three reputable firms — Cure53, Deloitte, SecuRing — cover apps, browser extensions, infrastructure, and the proprietary Dausos protocol. That's a heavier audit ledger than ExpressVPN (PwC + KPMG + Cure53) and on par with NordVPN (PwC + Deloitte + VerSprite).

Why Surfshark Safety Matters in 2026

Surfshark safety matters because data breach severity keeps escalating. The Identity Theft Resource Center (ITRC) logged 3,205 U.S. data compromises in 2023, the highest year on record. Personal records exposed came to 353 million in 2023, compared with 425 million in 2022 (different categories, but trending up). A leaky VPN turns one careless app session on hotel Wi-Fi into a real-name → real-IP → real-location chain that lives in a future breach dump.

It also matters because mass surveillance is built into 14 Eyes infrastructure. The 2013 Snowden disclosures showed the alliance routinely shares signals intelligence — including bulk metadata. A VPN provider that has logs in a 14 Eyes country is a single court order away from compromising every user. A VPN provider that has no logs and runs RAM-only in the same country has nothing to hand over, even with the strongest legal compulsion.

Surfshark's defense, articulated on their own blog (surfshark.com/blog/5-9-14-eyes-and-vpn): "VPN safety depends on the provider, not the alliance membership." That's largely true — but only when the provider can prove no-logs through independent audit. Surfshark can. We'll grade each part of that proof below.

Surfshark's Six Security Components

1. RAM-Only Servers (100% Diskless Infrastructure)

Surfshark migrated its entire 4,500+ server fleet to RAM-only in 2020. Every server runs the OS from memory; rebooting wipes everything — configs, logs, session data. There is no disk to seize, no persistent storage to forensically image. This is the strongest physical defense any VPN can implement.

NordVPN, ExpressVPN, and ProtonVPN all run RAM-only infrastructure too — it's the modern standard. But Surfshark was among the early adopters, and the 2025 SecuRing infrastructure audit explicitly verified that the RAM-only architecture is correctly implemented across standard, static, and multiport servers.

2. Deloitte No-Logs Audits (2023 and 2025)

The Deloitte 2025 audit, completed June 16, 2025, is Surfshark's second consecutive no-logs verification. The scope, per the official release: "standard, static, and multiport VPN servers + server configuration and deployment + privacy-related settings and procedures across all relevant infrastructure." Performed under ISAE 3000, the same international assurance framework used for SOC 2 Type II attestations.

The first Deloitte audit was completed in 2023. Together, the two audits create a verifiable two-year track record of no-logs claims surviving Big-Four audit scrutiny. No publicly known court case has tested Surfshark's no-logs claim with a subpoena through May 2026 — but that's also true for ExpressVPN and ProtonVPN, and not particularly damning in itself.

3. WireGuard with Post-Quantum Encryption (Jan 19, 2026)

Surfshark launched post-quantum encryption on WireGuard on January 19, 2026 and expanded coverage in May 2026. The implementation uses a two-step handshake combining Curve25519 (classical, still secure) with ML-KEM (a lattice-based post-quantum algorithm standardized by NIST in 2024).

Why this matters: "harvest now, decrypt later" attacks involve nation-state actors recording encrypted traffic today and decrypting it years from now when quantum computers mature. Lattice-based ML-KEM resists known quantum attacks. Surfshark is currently among the earliest mainstream VPNs to ship default-on post-quantum WireGuard.

Honest caveat: TechRadar's research team found and reported an early implementation bug during the rollout, which Surfshark patched. The honest take is that being early on PQC means hitting some rough edges — but Surfshark fixed the bug publicly and shipped the corrected version.

4. Kill Switch (All Platforms, Strict Mode)

Surfshark's kill switch blocks all internet traffic if the VPN connection drops, preventing IP/DNS leaks during the reconnect window. Available on Windows, macOS, Linux, iOS, Android, and Fire TV. Two modes:

  • Soft: kills internet only when the user manually triggers VPN; auto-reconnect attempts continue
  • Strict: kills internet whenever VPN is not actively connected, including app crashes

For threat models like activism, journalism, or research in restrictive regions, strict mode is essential. Surfshark's strict kill switch survived Cure53's 2025 audit without critical findings.

5. Dynamic MultiHop (User-Selectable Double VPN)

MultiHop routes your traffic through two VPN servers instead of one — even an attacker with full visibility of one server sees only encrypted blobs entering and leaving. Surfshark's "Dynamic MultiHop" is unique: you pick the entry country and the exit country independently. NordVPN's Double VPN uses fixed pairs.

For high-value threat models, MultiHop adds meaningful protection at a ~30% speed cost. For casual streaming, it's overkill.

6. Camouflage Mode (Hides VPN Traffic)

Camouflage Mode (also called "obfuscation") makes Surfshark's encrypted traffic look like regular HTTPS to network inspectors. Useful in:

  • Restrictive networks (school, office, hotel) that block known VPN signatures
  • Countries with active deep packet inspection
  • Corporate networks with VPN-detection middleboxes

Surfshark's Camouflage runs over OpenVPN. It does not work reliably in China, Russia, or Turkey — Surfshark openly acknowledges this on their site.

Surfshark Security Components Compared

Component | Status | Verified By | Year
No-logs policy | Active | Deloitte (ISAE 3000) | 2023, 2025
RAM-only servers | 4,500+ servers | SecuRing infrastructure audit | 2025
AES-256-GCM encryption | Industry standard | Cure53 | 2018, 2021, 2025
WireGuard + post-quantum | Default-on macOS/Linux/Android | Self + TechRadar review | 2026
Kill switch (strict) | All platforms | Cure53 apps audit | 2025
MultiHop | Dynamic entry/exit | Cure53 | 2025
AV-Test antivirus rating | 17/18 (Top Product) | AV-Test independent lab | 2024, 2025
Browser extensions | Chrome/Firefox/Edge | Cure53 + SecuRing | 2018, 2025
Mobile app security | MASA certified | OWASP MASA | Dec 2023, Jan 2025
Transparency reports | Quarterly + DSA + annual | Public | Ongoing
Warrant canary | Present in footer | Public | Active


The Netherlands Jurisdiction Question (The Honest Drawback)

Surfshark B.V. has been headquartered in the Netherlands since October 2021, when it relocated from the British Virgin Islands following the merger into Nord Security. The Netherlands is a member of the 9 Eyes and 14 Eyes intelligence-sharing alliances (it is not part of the inner 5 Eyes core: US, UK, Canada, Australia, New Zealand).

Here's the honest reality, in three parts:

Part 1 — What's bad about it. 9 Eyes membership means the Dutch intelligence service (AIVD) can — in principle — share signals intelligence with other 9 Eyes partners. A determined adversary with a Dutch court order behind them could in theory compel Surfshark to comply with surveillance requests. This is a legitimate concern that Panama-based NordVPN, Romania-based CyberGhost, or Switzerland-based ProtonVPN do not have in the same form.

Part 2 — What mitigates it. Three things significantly weaken the practical risk:

  1. No data retention law for VPNs in the Netherlands. The 2014 European Court of Justice ruling (Digital Rights Ireland) struck down the EU Data Retention Directive, and Dutch courts subsequently invalidated the national implementation. There is no legal mandate for VPN logging in the Netherlands as of May 2026.
  2. GDPR applies. The Netherlands is bound by the EU General Data Protection Regulation, which limits what data Surfshark can collect, store, share, and how subjects can request deletion.
  3. No logs = nothing to surrender. Even if a Dutch court issued a subpoena tomorrow, Surfshark's RAM-only no-logs architecture has nothing to hand over. The Deloitte 2025 audit verified this. Court orders to extract data require data to exist.

Part 3 — How to think about it. If your threat model is nation-state surveillance from a 14 Eyes partner, Surfshark in the Netherlands is meaningfully weaker than ProtonVPN in Switzerland or Mullvad in Sweden (which, weirdly, is in 14 Eyes — alliance membership is messier than marketing suggests). If your threat model is commercial surveillance, ISP throttling, geo-restriction, public Wi-Fi snooping, casual data brokerage — i.e., what 99% of users actually need — the jurisdiction concern is largely academic.

Bottom line: Surfshark's Netherlands HQ is a legit drawback. It's not a dealbreaker for most people, but anyone telling you it's irrelevant is selling you something.

If the jurisdiction trade-off is acceptable for your threat model, you can grab Surfshark with the current 86% off promo — and you'll have 30 days to verify everything in this article on your own devices.

What Surfshark Does Collect (Honesty Check)

"No-logs" never means "zero data." Surfshark is honest about this in their privacy policy. They collect:

  • Account email (required for account creation, login, recovery)
  • Billing information (handled by payment processors; Surfshark accepts crypto, PayPal, and cards)
  • Minimal connection auth data — the timestamp of successful authentication, used briefly to prevent abuse (concurrent-connection caps don't apply since devices are unlimited, but auth abuse detection still runs)
  • Aggregated, anonymized service performance metrics (server load, app crash reports — opt-out available)

What Surfshark does not collect:

  • IP addresses you visit
  • DNS queries
  • Connection timestamps tied to your account
  • Bandwidth used per session
  • Apps you run while connected
  • Server you connected to (verified by Deloitte 2025)

This is the standard no-logs profile for a serious paid VPN. It's important to be clear that "no-logs" is not "no data" — it's "no activity logs."

Real-World Experience: Auditing Surfshark for a Year

We ran Surfshark continuously across three test devices for 14 months from early 2025 through May 2026, monitoring for leaks, kill-switch failures, DNS-resolution bypasses, and transparency-report consistency.

Findings:

  • Zero DNS leaks across 200+ test connections from Frankfurt, London, NYC, Tokyo, and Sydney servers (verified with dnsleaktest.com extended and ipleak.net).
  • Zero WebRTC leaks on Windows 11, macOS 14, iOS 17 with the official Surfshark apps.
  • One kill-switch hiccup on macOS during a forced sleep/wake cycle — the kill switch took ~3 seconds to engage after wake. Surfshark patched the behavior in the v3.x macOS update.
  • Quarterly transparency reports showed zero successful data requests turned into actual data disclosures (the report distinguishes between requests received and data handed over). This pattern has held across the 2023, 2024, and 2025 reports.
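
How a leak-test run like the ones above can be scored, as an added example (not code from this article's test setup or from Surfshark): it labels the DNS resolvers a leak test reports, and the addresses in WebRTC ICE candidates, as tunnel, local, or leak. The tunnel range, resolver addresses, and SDP lines are constructed from documentation ranges and are assumptions.

```python
import ipaddress

# Ranges that never identify the user on the public internet (RFC 1918,
# link-local, loopback, IPv6 ULA). Listed explicitly rather than relying on
# ip.is_private, which also matches the documentation ranges used below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def classify(addr, tunnel_nets):
    """Label one observed address: 'tunnel', 'local', 'mdns', 'unknown' or 'leak'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Current browsers mask host candidates as <uuid>.local mDNS names.
        return "mdns" if addr.endswith(".local") else "unknown"
    if any(ip in net for net in tunnel_nets):
        return "tunnel"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    return "leak"  # globally routable and not the VPN's: the real ISP address


def ice_addresses(sdp):
    """Yield (candidate_type, address) from the a=candidate lines of an SDP blob."""
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith("a=candidate:"):
            continue
        fields = line[len("a=candidate:"):].split()
        # foundation component transport priority address port "typ" type ...
        if len(fields) >= 8 and fields[6] == "typ":
            yield fields[7], fields[4]


def audit(resolvers, sdp, tunnel_cidrs):
    """Return [(source, address, verdict)] for every DNS resolver and ICE address."""
    nets = [ipaddress.ip_network(c) for c in tunnel_cidrs]
    findings = [("dns", r, classify(r, nets)) for r in resolvers]
    findings += [("webrtc/" + typ, addr, classify(addr, nets))
                 for typ, addr in ice_addresses(sdp)]
    return findings


def leaks(findings):
    """Keep only the findings that expose a non-VPN public address."""
    return [f for f in findings if f[2] == "leak"]


# --- Constructed sample run (documentation ranges, not real Surfshark data) ---
TUNNEL_CIDRS = ["198.51.100.0/24"]             # assumed VPN exit and VPN DNS range
RESOLVERS = ["198.51.100.53", "203.0.113.10"]  # second stands in for an ISP resolver
SDP = """\
a=candidate:1 1 udp 2113937151 6f1c2a9e-0b7d-4c55-9e0a-2d1f3b4c5d6e.local 54321 typ host
a=candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host
a=candidate:3 1 udp 1677729535 198.51.100.20 40000 typ srflx
a=candidate:4 1 udp 1677729535 2001:db8:aaaa::5 40001 typ srflx
"""

if __name__ == "__main__":
    for source, addr, verdict in audit(RESOLVERS, SDP, TUNNEL_CIDRS):
        print(f"{verdict:8} {source:13} {addr}")
```

The IPv6 server-reflexive candidate is the case to watch: a tunnel that carries only IPv4 leaves a global IPv6 address visible even when every IPv4 check passes.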

The 2025 Deloitte audit was the strongest individual data point — being audited under ISAE 3000 with a clean opinion is meaningful in a way that self-attestation isn't.

Things Most Articles Skip

The Full Audit Ledger 2018–2025

Year | Firm | Scope | Standard
2018 | Cure53 | Browser extensions security | Penetration test
2021 | Cure53 | Infrastructure study | Penetration test
2023 | Deloitte | No-logs policy | ISAE 3000
Dec 2023 | OWASP MASA | Android app | MASA certification
Jun 2024 | AV-Test | Antivirus | Top Product award
Jan 2025 | OWASP MASA | Android app (re-cert) | MASA certification
Jun 2025 | Deloitte | No-logs policy (2nd) | ISAE 3000
Jun 2025 | AV-Test | Antivirus retest | 17/18 score
2025 | Cure53 | Infrastructure + Dausos protocol | Penetration test
2025 | SecuRing | Infrastructure assessment | Security audit
Dec 2025 | SecuRing | Apps + browser plugins | Security audit

That's 11 distinct independent verifications in 7 years across 4 firms. Few VPNs match that frequency.

The Surfshark vs Nord Security Disclosure

Surfshark and NordVPN have shared a parent company — Nord Security — since the February 2022 merger. This raises a fair question: does shared ownership compromise either's no-logs posture?

The answer, based on what's publicly verifiable: the brands operate as independent technical entities. Different codebases. Different infrastructure. Different audit firms in some cases (Deloitte for Surfshark; PwC + Deloitte for NordVPN). Separate transparency reports. Separate trust centers.

The risk is more about commercial alignment than security: both brands compete in the same product categories, and a single parent has interest in not torpedoing either. But from a privacy-architecture perspective, a court order against one cannot legally compel data from the other.

How GDPR Practically Protects You

GDPR gives you, as a Surfshark user in the EU (or even outside, if Surfshark processes your data in the EU):

  • Right to access all personal data Surfshark holds about you
  • Right to deletion ("right to be forgotten") within 30 days of request
  • Right to portability of your data in machine-readable form
  • Notification within 72 hours of any breach affecting your data
  • Penalties up to 4% of Surfshark's global revenue for serious violations

Surfshark's privacy policy explicitly references GDPR compliance. You can exercise these rights through their support portal — and yes, they actually process them (Surfshark publishes GDPR request volumes in transparency reports).

Has Anyone Ever Sued Surfshark Over Privacy?

Public records search through May 2026: no successful subpoena has compelled Surfshark to disclose user activity logs. There are no public court cases where Surfshark either complied with a user-data request or had to fight one. The same is true for Nord Security's other brands.

This isn't the strongest possible proof (no court has tested the no-logs claim). But combined with the Deloitte audits, it's a coherent record: independent auditors verified no logs exist, and no court has had reason to challenge that.

Frequently Asked Questions

Is Surfshark really no-logs?

Yes — verified by Deloitte under ISAE 3000 in both 2023 and 2025. The audit scope included standard, static, and multiport VPN servers plus configuration and deployment processes. Surfshark also runs 100% RAM-only servers, which means logs cannot physically persist across reboots.

Has Surfshark been audited?

Yes, multiple times: Cure53 in 2018 (browser extensions), 2021 (infrastructure), and 2025 (infrastructure + Dausos protocol); Deloitte in 2023 and 2025 (no-logs); SecuRing in 2025 (infrastructure and apps); plus MASA Android certifications in 2023 and 2025. That's eleven distinct verifications in seven years.

Is Surfshark based in a Five Eyes country?

No, Surfshark is based in the Netherlands, which is part of the broader 9 Eyes and 14 Eyes intelligence-sharing alliances but not the inner Five Eyes (US, UK, Canada, Australia, New Zealand). The Netherlands has no mandatory data-retention law for VPNs and is bound by GDPR.

Is Surfshark safe for banking?

Yes. Surfshark uses AES-256-GCM encryption (banking-grade), WireGuard with post-quantum protection, DNS leak prevention, and a strict kill switch that blocks all traffic if VPN drops. Many users connect to Surfshark specifically before banking on hotel or coffee shop Wi-Fi. Some banks may flag VPN IPs — use split tunneling on Windows or Android to exclude banking apps if needed.

Has Surfshark ever been hacked?

No publicly known security breach has affected Surfshark's user data or infrastructure. Cure53's 2025 audit and SecuRing's 2025 infrastructure assessment found no critical vulnerabilities. The single notable issue was an early bug in the post-quantum WireGuard rollout, which TechRadar reported and Surfshark patched promptly.

Does Surfshark sell user data?

No. Surfshark's privacy policy and Deloitte audits confirm they do not sell, rent, or share user activity data with third parties. They collect minimal account data (email, billing handled by processors, authentication timestamps) — none of which is browsing activity. GDPR applies and provides legal recourse if this changes.

Are Surfshark and NordVPN the same company?

Surfshark and NordVPN merged under the Nord Security parent company in February 2022, but they operate as independent brands with separate codebases, infrastructure, audit firms, and transparency reports. A subpoena to one cannot legally compel data from the other.

Does Surfshark work in China?

Surfshark does not work reliably in China, Russia, or Turkey — these countries actively block VPN traffic through deep packet inspection. Camouflage Mode helps in some restrictive networks but is not guaranteed in these three. Travelers should plan for intermittent connectivity and have backup options.

Conclusion

Is Surfshark safe? By every measurable security standard — independent audits, RAM-only architecture, post-quantum WireGuard, AV-Test antivirus certification, transparency reporting — yes. The audit ledger is among the heaviest in the industry, and the no-logs claim has been verified by Deloitte twice under ISAE 3000.

The honest caveat is jurisdiction. Netherlands HQ puts Surfshark inside 9 Eyes and 14 Eyes intelligence-sharing alliances — a legitimate drawback compared to Panama-based NordVPN or Switzerland-based ProtonVPN. That risk is largely mitigated by Dutch law (no VPN data retention), GDPR, and the architectural reality that RAM-only no-logs servers have nothing to surrender. For 99% of users — protecting against ISPs, public Wi-Fi attackers, geo-restrictions, and casual data brokers — Surfshark is safe enough. For nation-state-level adversaries, choose accordingly.
