Is Surfshark Safe? Security, Privacy & Audit Analysis
Is Surfshark safe? Independent audit results, encryption protocols, jurisdiction analysis, kill switch testing, and no-logs policy verification.
Is Surfshark Safe? A Direct Assessment
Surfshark earns a trust score of 85/100. It operates under Netherlands jurisdiction, uses AES-256-GCM encryption, and maintains a strict no-logs policy verified by independent audits from Deloitte. With 3,200+ servers across 100+ countries, it provides kill switch protection, DNS leak prevention, and RAM-only server infrastructure. Surfshark is safe for most users.
Jurisdiction and What It Means for Data Requests
Surfshark relocated its legal headquarters from the British Virgin Islands to the Netherlands in 2021. The Netherlands sits within the EU but offers specific advantages for VPN providers. Dutch law does not require VPN companies to retain user data.
The Netherlands belongs to the 9 Eyes intelligence-sharing alliance. This concerns some privacy advocates. However, alliance membership only matters if the provider stores data that governments can request. A verified no-logs policy neutralizes this risk entirely.
If Dutch authorities issue a valid legal request, Surfshark can only hand over what it has. According to its transparency report, Surfshark has received government requests and made zero data transfers in response. The company physically cannot produce browsing records, connection timestamps, or IP address logs.
Independent Audit History
Deloitte No-Logs Audit
Deloitte completed an independent audit of Surfshark’s no-logs infrastructure in 2023. The Big Four firm examined server configurations, deployment processes, and internal data handling procedures. Deloitte confirmed that Surfshark’s infrastructure aligns with its stated no-logs policy.
This Surfshark audit followed an earlier 2022 examination by Deloitte covering the same scope. Both assessments found no evidence of user activity logging on any server.
Cure53 Security Audit
Cure53, a German cybersecurity firm, audited Surfshark’s browser extensions in 2018. The team identified 2 critical, 2 high-severity, and 2 medium-severity vulnerabilities. Surfshark patched all 6 issues before the audit report went public.
Cure53 also conducted a follow-up assessment of Surfshark’s server infrastructure in 2021. That review found no critical vulnerabilities. The firm noted that Surfshark’s security posture had improved significantly since the initial examination.
What These Audits Mean
Two separate firms have now validated Surfshark’s privacy and security claims. Deloitte focused on logging practices while Cure53 tested technical defenses. Together, these audits provide stronger assurance than either would alone.
Logging Policy Details
Surfshark’s privacy policy specifies exactly what the company collects and what it does not collect. The distinction matters more than any marketing claim.
What Surfshark Does NOT Store
- Browsing history or traffic destinations
- IP addresses used to connect to the VPN
- Session timestamps showing connection or disconnection times
- Network traffic volume or bandwidth consumption
- DNS queries made while connected
What Surfshark DOES Collect
Surfshark stores your email address and encrypted password for account management. It collects billing information processed through third-party payment providers. The company gathers anonymized diagnostic data and crash reports for performance improvements.
Surfshark also tracks aggregate connection frequency data. This means it knows how many times a user connects per day but not when or where. This data cannot identify individual browsing sessions or visited websites.
RAM-Only Server Infrastructure
All 3,200+ Surfshark servers run entirely on volatile RAM. This means every server wipes all data automatically upon reboot. Even a physical server seizure would yield zero usable information. This architecture makes the Surfshark no-logs claim technically enforceable rather than just policy-based.
Encryption Standards and Protocols
Surfshark uses AES-256-GCM encryption as its default cipher. This standard protects classified government communications worldwide. No known attack can break AES-256 with current computing technology.
Available Protocols
| Protocol | Speed | Security Level | Best For |
|---|---|---|---|
| WireGuard | Fastest | High | Daily browsing, streaming |
| OpenVPN UDP | Moderate | Very High | Maximum compatibility |
| OpenVPN TCP | Slower | Very High | Restrictive networks |
| IKEv2 | Fast | High | Mobile devices |
WireGuard serves as the default protocol on most Surfshark apps. It provides roughly 40% faster speeds than OpenVPN while maintaining comparable security. Surfshark adds a double NAT system on top of WireGuard to address WireGuard's known privacy limitation around static IP assignment.
OpenVPN remains available for users who prefer its 20-year track record. Both UDP and TCP variants use 4096-bit RSA handshake keys alongside the AES-256 data channel encryption.
Kill Switch Behavior and DNS Leak Protection
Surfshark includes a kill switch on Windows, macOS, iOS, Android, and Linux applications. The feature blocks all internet traffic if the VPN connection drops unexpectedly. This prevents your real IP address from leaking during brief disconnections.
The kill switch operates at the system level on desktop platforms. It intercepts traffic at the network adapter before packets can escape unencrypted. Mobile implementations use platform-specific APIs to achieve similar protection within OS constraints.
DNS Leak Protection
Surfshark runs private DNS on every server in its network. All DNS queries route through encrypted tunnels to Surfshark-controlled resolvers. This eliminates DNS leak risks from third-party DNS providers like your ISP.
Independent tests on dnsleaktest.com and ipleak.net consistently show zero DNS leaks across Surfshark’s protocol options. IPv6 leak protection is enabled by default, blocking IPv6 traffic that could bypass the IPv4 VPN tunnel.
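A local counterpart to the web-based leak tests, as an added example that is not Surfshark's code: it does a longest-prefix match over the routing table to find resolvers or IPv6 destinations that would leave through the physical adapter instead of the tunnel. The interface names (wg0, wlan0), the resolver 10.8.0.1 and the sample routes are constructed assumptions, in the text format printed by `ip route` and `ip -6 route`.

```python
import ipaddress

# Constructed sample state; wg0, wlan0 and 10.8.0.1 are assumed names/addresses.
ROUTES_V4 = """default via 192.168.1.1 dev wlan0
0.0.0.0/1 dev wg0
128.0.0.0/1 dev wg0
192.168.1.0/24 dev wlan0"""
ROUTES_V6 = """default via fe80::1 dev wlan0
fe80::/64 dev wlan0"""
RESOLV_CONF = "nameserver 192.168.1.1\nnameserver 10.8.0.1"

def parse_routes(text, version):
    """Parse `ip route` / `ip -6 route` style lines into (network, dev) pairs."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        prefix = default if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def egress_dev(addr, routes):
    """Longest-prefix match: which interface would carry traffic to addr?"""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def find_leaks(resolv_conf, routes, tunnel):
    """Return findings for resolvers or public paths that skip the tunnel."""
    findings = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            dev = egress_dev(parts[1], routes)
            if dev not in (tunnel, None):  # None = no route, query cannot leave
                findings.append(f"dns-leak {parts[1]} via {dev}")
    # Documentation-range probes stand in for any public destination.
    for probe in ("198.51.100.1", "2001:db8::1"):
        dev = egress_dev(probe, routes)
        if dev not in (tunnel, None):
            findings.append(f"bypass {probe} via {dev}")
    return findings
```

On the sample state the check reports the LAN resolver and the IPv6 default route on wlan0; removing that IPv6 default route and the LAN resolver clears both findings.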
Past Security Incidents
Surfshark has not suffered a confirmed data breach or server compromise as of early 2025. No user data has appeared in public breach databases connected to Surfshark infrastructure.
In 2020, security researchers flagged a potential vulnerability in Surfshark’s Windows application. The issue involved an outdated OpenSSL library that could theoretically allow privilege escalation. Surfshark released a patch within 48 hours of disclosure. No exploitation in the wild was documented.
The Cure53 audit in 2018 represents the most significant vulnerability discovery. Those 6 findings in the browser extensions were resolved before public disclosure. Surfshark credits its bug bounty program with catching issues early. The company pays external researchers who responsibly disclose valid vulnerabilities.
Unique Security Features Specific to Surfshark
CleanWeb
CleanWeb blocks ads, trackers, and malware domains at the DNS level. It prevented over 1 billion tracking attempts across its user base in 2023. The feature works without installing separate browser extensions.
MultiHop (Double VPN)
MultiHop routes traffic through 2 VPN servers in different countries simultaneously. This adds a second encryption layer and makes traffic correlation attacks significantly harder. Users choose from preset server pairs or create custom combinations.
Nexus Technology
Surfshark Nexus connects users to its entire server network rather than a single server. Traffic enters through one server and can exit through another using SDN routing. This reduces latency while improving IP rotation and load distribution across 3,200+ servers.
Alternative ID
Alternative ID generates disposable email addresses and online personas. Users can register for services without exposing real personal information. This feature separates Surfshark from competitors who focus only on connection-level privacy.
Rotating IP
Surfshark changes your visible IP address every 5 to 10 minutes without disconnecting the VPN session. Your connection stays active while your digital fingerprint shifts continuously. This makes long-term tracking across websites substantially harder.
Frequently Asked Questions
Does Surfshark Keep Logs?
Surfshark does not keep logs of browsing activity, IP addresses, connection timestamps, or bandwidth usage. Deloitte verified this claim through independent audits in 2022 and 2023. The company stores only account credentials and anonymized aggregate connection data.
Has Surfshark Been Hacked?
Surfshark has not been hacked or breached. The Cure53 audit in 2018 found vulnerabilities in browser extensions, but these were patched before public release. No user data has ever been compromised through Surfshark’s infrastructure. A bug bounty program helps identify potential weaknesses proactively.
Is Surfshark Trustworthy?
Surfshark earns trust through 2 independent audits from Deloitte and Cure53, RAM-only servers, and regular transparency reports. Its 85/100 trust score reflects strong technical safeguards with room for improvement in audit frequency. The 30-day money-back guarantee lets you test the service risk-free.
Can Surfshark See My Data?
Surfshark cannot see your browsing data or connection details. RAM-only servers prevent persistent data storage. AES-256 encryption protects data in transit. Even Surfshark employees cannot access user traffic because the infrastructure is designed to never record or store it.