Is Surfshark Safe? No-Logs Policy and Audit Deep Dive (2026)

A careful 2026 assessment of Surfshark's no-logs assurance, security audits, RAM-only servers, platform limits, Dutch jurisdiction, and suitable threat models.

Is Surfshark Safe? No-Logs Policy and Audit Deep Dive (2026)
Table of contents
Last updated: June 2026

Is Surfshark safe? For ordinary privacy needs, public Wi-Fi, travel, and reducing what an internet provider can observe, its security design is credible. Surfshark uses modern VPN protocols, RAM-only servers, a published no-activity-logs policy, and a growing record of external assessments. Deloitte issued no-logs assurance reports in 2023 and 2025, while Surfshark's Trust Center lists a 2026 Cure53 assessment covering infrastructure and the Dausos protocol.

That evidence deserves weight, but it is not a permanent guarantee. An assurance engagement examines a defined scope and time; it does not prove how every future app version, server, or legal request will behave. Surfshark is also based in the Netherlands, so users with a nation-state threat model should assess jurisdiction, account data, device security, and operational habits rather than relying on a VPN logo. This guide separates vendor claims, independent evidence, practical limits, and decisions you can verify on your own devices.

Disclosure: This article may contain affiliate links. A purchase may earn us a commission at no extra cost to you. Commercial relationships do not change the evidence standard used below.

Direct answer: Surfshark is a reasonable security choice for most consumers in 2026, supported by RAM-only infrastructure, modern encryption, two Deloitte no-logs assurance engagements, and current security assessments. It is not an anonymity guarantee: audit scope, platform-specific kill-switch behavior, Dutch jurisdiction, account records, and endpoint security still matter.

What "safe" should mean for a VPN

A useful Surfshark security review must answer four separate questions.

  1. Transport security: Does the app create an encrypted tunnel with a current protocol and protect DNS traffic?
  2. Data practices: What activity, connection, account, billing, diagnostic, or support data can the provider retain?
  3. Operational security: Are servers, deployment processes, apps, and internal controls tested outside the company?
  4. Legal and personal fit: Which company controls the service, which law applies, and is the product suitable for your threat model?

A VPN protects traffic between your device and its VPN server. It does not remove malware, repair a compromised browser, make an account anonymous, prevent a site from recognizing your login, or legalize prohibited activity. It also moves some trust from your internet provider to the VPN operator. The correct question is therefore not only is Surfshark safe, but safer than which alternative, against which risk, on which device?

Surfshark safety verdict by use case

Use case What Surfshark can help with Important limit Practical verdict
Home browsing Hides destination traffic from the local ISP and encrypts the VPN tunnel Logged-in sites and browser trackers can still identify you Good fit with normal browser hygiene
Hotel or airport Wi-Fi Reduces exposure to hostile or poorly configured local networks A fake login page, phishing site, or infected device remains dangerous Good fit; verify the VPN indicator before sensitive work
Banking Protects the network path on untrusted Wi-Fi Banks may challenge shared VPN addresses or unusual locations Usually suitable; use the bank app and MFA
Streaming and travel Changes the apparent network location and protects the local connection Availability and performance vary; services can block VPN addresses Useful, but not guaranteed for every service
File sharing Conceals traffic from the access provider and supports a private tunnel Copyright law, account exposure, and application leaks still apply Technically useful; follow applicable law
Journalism or activism Adds one layer against local-network and ISP observation A VPN alone is insufficient against device compromise, targeted surveillance, or identity mistakes Use only within a broader security plan
Nation-state adversary May reduce passive visibility and retained activity data Provider jurisdiction, legal compulsion, endpoint compromise, and traffic correlation remain Obtain specialist threat-model advice

Marketing often promotes the same setup to a tourist and a targeted source, although their consequences differ. High-risk users should consider compartmentalized identities, secure devices, metadata, communication tools, and emergency procedures alongside the VPN.

The evidence hierarchy: what each claim is worth

Not all security evidence is equivalent. A clear hierarchy prevents an antivirus test, penetration test, compliance badge, and no-logs assurance report from being counted as four versions of the same proof.

Evidence type What it can show What it cannot show
Privacy policy The provider's stated rules and categories Whether systems always follow the policy
Vendor Trust Center Current reports, architecture claims, and disclosures in one place Independent interpretation or complete historical performance
Penetration test Weaknesses found in defined systems during a test window Absence of every vulnerability in all products
No-logs assurance Whether described controls met defined criteria for the engagement Behavior outside the scope or after the assessment date
Transparency report Requests and responses reported by the provider Unreported events or a complete legal record
Public legal test How the provider responded in a documented case Future behavior under different law or facts

Surfshark's position is stronger than a policy-only provider because external firms have examined parts of its service. The evidence still needs labels. Deloitte's 2025 report is an ISAE 3000 reasonable-assurance report with a defined subject matter and assessment date. It should be read as meaningful point-in-time evidence, not as a certificate that permanently makes logging impossible.

Surfshark's core security controls in 2026

RAM-only VPN servers

Surfshark says its fleet runs on RAM-only servers. Its Trust Center listed 4,500+ servers in 100 countries when this article was updated in June 2026. A diskless design allows a reboot or reprovisioning event to clear the running state rather than leaving ordinary service data on persistent local disks.

That reduces the value of seizing or later examining a server drive. It does not mean that a running server processes no transient data, that account systems hold no records, or that software cannot be changed. RAM-only infrastructure is a strong control when paired with deployment security, access controls, monitoring, and repeat assessment. It is not a synonym for "zero data."

Encryption and VPN protocols

Surfshark supports established VPN protocols and cryptography, including WireGuard and OpenVPN. Its post-quantum work is relevant to users concerned about recorded encrypted traffic being attacked in the future, but implementation quality and device support matter as much as an algorithm name.

Use the protocol recommended by the current app unless your organization has a tested configuration. Avoid presenting "military-grade" or "bank-grade" labels as evidence; those phrases do not describe implementation, key handling, update discipline, or leak behavior. For a practical setup sequence, see the Surfshark setup guide.

VPN kill switch: useful, but platform-specific

A kill switch is intended to stop network traffic when the VPN tunnel fails. Its options and behavior can differ by operating system and app build, so "strict mode on every platform" is not a defensible promise. Mobile operating systems also impose networking rules that differ from desktop systems.

Open the current Surfshark settings on each device, identify the available kill-switch mode, and test it rather than assuming parity. Disconnect the tunnel while a page is loading, force-close the app, sleep and wake the device, and change between Wi-Fi and cellular data. If traffic continues when your configuration says it should stop, adjust the setting or do not use that device for a high-risk workflow.

Dynamic MultiHop and obfuscation

Dynamic MultiHop routes a connection through two VPN locations selected in the app. It can add separation between entry and exit, but it may increase latency and does not defeat endpoint compromise or a sufficiently capable traffic-correlation adversary. It is a tool for a specific model, not a universal upgrade.

Obfuscation aims to make VPN traffic less obvious to network controls. Results vary by network, country, protocol, and current blocking method. No provider should promise reliable access in every restrictive environment. Travelers should install and update necessary software before departure and maintain a lawful fallback connection plan.

Surfshark audit and assurance ledger

The useful question is not "how many audits?" Counting mixed assessments creates a marketing number with little meaning. The ledger below keeps each engagement in its own category.

Public year Organization Category Reported scope Limitation to remember
2018 Cure53 Security assessment Browser extensions Historical scope, not the current full service
2021 Cure53 Security assessment Server infrastructure A test window, not continuous monitoring
2023 Deloitte ISAE 3000 assurance No-logs controls and configuration Defined subject matter and period/date
2025 Deloitte ISAE 3000 assurance No-logs policy implementation Does not assure periods outside the report
2025 assessment; announced Jan. 2026 SecuRing Infrastructure assessment Standard, static, and multiport server environments Vendor-published summary; one SSL/TLS issue was corrected
2026 Cure53 Security assessment Infrastructure and Dausos, as listed by the Trust Center Scope does not equal a no-logs assurance engagement

The 2025 Deloitte report found that the described configuration and controls complied with the stated criteria for the assessed subject matter. Surfshark's Deloitte announcement provides an accessible summary, but the report itself is the better source for boundaries.

Surfshark announced the SecuRing result in January 2026 and said the work was conducted in 2025. Its SecuRing infrastructure summary reported no critical or high-risk user-security findings and described a corrected SSL/TLS configuration issue. Dating it "2025 assessment, 2026 announcement" avoids turning the publication date into the test date.

The Trust Center also lists Cure53's 2026 assessment of Surfshark infrastructure and Dausos. That updates the current security record, but it should not be backdated to 2025 or combined with Deloitte's privacy assurance as one undifferentiated audit total.

What Deloitte's no-logs assurance means

The strongest evidence for the Surfshark no-logs policy is the repeat Deloitte work in 2023 and 2025. It supports the conclusion that the assessed controls and configurations aligned with the stated no-logs criteria at the relevant assessment point. Repeat engagements are useful because systems and procedures change.

It does not establish that:

  • no personal data exists anywhere in Surfshark's business;
  • every server and app will remain identical after the assessment;
  • future targeted logging is technically or legally impossible;
  • a device, browser, payment processor, or destination site retains nothing;
  • every possible government request would produce no information.

This distinction is not an attack on the report. It is how assurance evidence should be read. A precise claim is stronger than an absolute one because readers can see what was actually examined.

What Surfshark collects and what "no logs" excludes

"No logs" in VPN use normally means no activity logs that reconstruct browsing or VPN usage in the prohibited categories. It does not mean no account or business data. Review the live Surfshark privacy policy before purchasing because categories, optional analytics, and retention details can change.

Data area Reason it may exist Privacy question to ask
Account identifier Login, recovery, and service administration Can you minimize or change it?
Payment and transaction record Billing, tax, fraud prevention, refunds Which processor receives your data?
Support communication Troubleshooting and customer requests Did you disclose sensitive details unnecessarily?
Optional diagnostics App reliability and product improvement Is collection optional, and can it be disabled?
Authentication or operational data Service delivery, abuse prevention, and system security What is retained, for how long, and is it linked to an account?
Browsing activity and DNS history The no-activity-logs claim says these should not be retained as user histories Does the assurance scope cover the relevant controls?

Do not infer fields that the current privacy policy does not name. The practical review is to compare the policy, the Deloitte criteria, app privacy settings, and account portal. If you need low-linkability payment or identity practices, decide that before creating an account; a VPN cannot retroactively remove information you voluntarily supplied elsewhere.

Surfshark B.V. is based in the Netherlands. The country participates in the Nine Eyes and broader 14 Eyes intelligence-sharing arrangements, although it is not one of the Five Eyes members. That fact is relevant, but alliance membership alone does not tell you what data a provider stores, which legal order applies, or what a particular investigation could compel.

Dutch and EU law, including the GDPR, creates data-protection duties and rights. GDPR responses are not as simple as "everything is deleted within 30 days" or "every affected person receives a notice within 72 hours." Controllers generally respond to rights requests within one month, subject to extensions and lawful exceptions. A qualifying breach may require supervisory-authority notification within 72 hours; notification to individuals applies under a separate high-risk test.

Most importantly, no-activity logging and RAM-only servers can reduce historical data available in ordinary operations, but they do not nullify legal process. Account, payment, support, security, or future data may be treated differently. High-risk users should not substitute a vendor's jurisdiction blog post for legal advice about their circumstances.

As of the research cutoff on June 28, 2026, we found no publicly documented case showing Surfshark disclosing a user's VPN activity history. That is a bounded public-record observation, not proof that no request, incident, or nonpublic process has ever occurred.

What audits cannot prove

This is the first information gap most VPN comparisons miss. A report can be professionally executed and still leave important questions outside its scope:

  • Time: software, infrastructure, vendors, and personnel change after an assessment.
  • Coverage: a server audit does not automatically cover mobile apps, payment systems, support tools, or every browser extension.
  • Configuration: a secure feature does not help if the user disables it or the operating system handles transitions differently.
  • Endpoint security: an infected laptop can capture data before encryption or after decryption.
  • Identity: logging into a personal account identifies you to that service even when the IP address is a VPN endpoint.
  • Traffic analysis: sophisticated observers may use timing and volume without needing a server's browsing log.
  • Legal response: a technical assessment is not a court-tested record.

Use external evidence to reduce uncertainty. Apply the same principle when comparing providers in our Surfshark vs NordVPN guide or evaluating the bundle in the Surfshark One review.

A reproducible five-minute safety check

You do not need to claim a year of undocumented laboratory testing. You can run a short, repeatable check on the exact device and network you will use.

  1. Record the baseline: before connecting, note the public IP, approximate location, and DNS resolver shown by reputable IP and DNS test pages.
  2. Connect to Surfshark: choose a nearby server and repeat the IP and DNS checks. The public results should change to the VPN path.
  3. Check WebRTC exposure: use a browser test while connected. Investigate any result that exposes your ordinary public address.
  4. Test the kill switch: start a continuous page load or network request, interrupt the VPN, and observe whether traffic follows the configured behavior.
  5. Change networks: move from Wi-Fi to cellular or another Wi-Fi network and verify the tunnel re-establishes before opening sensitive apps.
  6. Review telemetry: inspect optional analytics or crash-report settings in the app and operating system.
  7. Repeat after updates: app and OS changes can alter behavior, so treat this as a configuration check, not a permanent certification.

Do not present the results as representative of Surfshark globally. Network, app build, protocol, device, and test service affect them. The value is detecting a problem in your setup.

Comparing long security reports can be tedious. ArWriter can help turn source notes into a structured checklist, but verify security and legal claims against the original reports before acting on generated text.

Parent company context without speculation

Surfshark and NordVPN share the Nord Security group following their 2022 merger announcement. That does not by itself prove shared logs, identical infrastructure, or a specific legal outcome.

Evaluate each product using its own current policy, corporate entity, Trust Center, applications, assessment reports, and transparency disclosures. Avoid unsupported claims that a legal order concerning one brand automatically reaches or cannot reach another. Those conclusions depend on entities, control, jurisdiction, and facts not established by product marketing.

For a broader privacy comparison, the VPN ethics and legality guide explains why lawful use, service terms, and technical privacy are different questions. The NordVPN vs ExpressVPN comparison provides another reference point for audit and jurisdiction claims.

Frequently Asked Questions

Is Surfshark safe to use in 2026?

Surfshark is a reasonable choice for common consumer privacy, travel, and public Wi-Fi risks. Its RAM-only infrastructure, modern protocols, Deloitte no-logs assurance, and current security assessments provide meaningful evidence. Safety still depends on your device, app settings, identity practices, jurisdiction concerns, and whether your threat model includes targeted state surveillance.

Does Surfshark keep connection or activity logs?

Surfshark states that it does not retain activity logs such as browsing history or DNS requests as user histories, and Deloitte assessed defined no-logs controls in 2023 and 2025. The service still needs some account, billing, support, and operational data. Read the current privacy policy for exact categories and retention details.

What exactly did Deloitte verify about Surfshark?

Deloitte performed ISAE 3000 assurance work over defined Surfshark no-logs controls and configuration. The 2025 report supports compliance with the stated criteria for its subject matter and assessment date. It does not provide continuous assurance over every future period, every business system, or every category of personal data.

Did Surfshark complete a security audit in 2026?

Surfshark's Trust Center lists a 2026 Cure53 assessment covering infrastructure and Dausos. Separately, Surfshark announced a SecuRing infrastructure result in January 2026 for work conducted in 2025. Those dates and scopes should remain distinct; neither should be counted as another Deloitte no-logs assurance engagement.

Is Surfshark's Netherlands jurisdiction a privacy risk?

It can matter for users whose threat model includes Dutch legal process or intelligence-sharing relationships. For ordinary users, data minimization, audited controls, server design, and account practices may be more immediate factors. Jurisdiction never makes a provider automatically safe or unsafe, and a VPN is not a substitute for tailored legal advice.

Does Surfshark's kill switch work the same on every platform?

Do not assume identical behavior. Available modes and operating-system controls can differ across Windows, macOS, Linux, Android, iOS, and other devices. Check the current app documentation and test tunnel interruption, app closure, sleep or wake, and network switching on the exact device before relying on the kill switch.

What does RAM-only infrastructure protect against?

RAM-only servers reduce persistent local data and can clear running state when a server reboots or is reprovisioned. That limits what a conventional server disk could retain. It does not remove transient processing, account records, support data, endpoint compromise, software changes, or every form of legal compulsion and traffic analysis.

Is Surfshark safe enough for journalists or activists?

It may be one useful layer, but a high-risk user should not rely on any consumer VPN alone. A complete plan may require hardened devices, compartmentalized identities, secure messaging, metadata controls, safe payment and account practices, tested fallback communications, and advice from a digital-security specialist familiar with the user's country and adversary.

Conclusion

So, is Surfshark safe in 2026? For most people seeking protection on public Wi-Fi, reduced ISP visibility, and a modern encrypted tunnel, the evidence supports a qualified yes. The service has RAM-only infrastructure, repeat Deloitte no-logs assurance, a public Trust Center, and current Cure53 and SecuRing assessment records.

The qualification matters. Deloitte's work is scoped and point-in-time. Kill-switch behavior is not identical everywhere. RAM-only systems still process transient data, and no-logs does not erase account or business records. Dutch jurisdiction is one factor in a threat model, not a magic verdict. Test your device, read primary reports, minimize the data you provide, and choose a higher-assurance workflow when the consequences of failure are severe.

Sources

Try ArWriter today

Use ArWriter to organize research, comparison notes, and source-backed drafts without losing the final human fact-check.

Start free ->