Is Surfshark VPN Safe?

Quick answer: yes, Surfshark is safe enough for most people who want a modern VPN for private browsing, safer public Wi-Fi use, streaming, and general day to day protection. It does a lot right. The strongest points are repeated external audits, strong protocol support, RAM-only server claims, practical security features, and much better transparency than the average cheap VPN. The main caveat is that Surfshark’s privacy story is slightly more nuanced than the homepage slogan. The company says it does not keep logs of your online activity, but its privacy policy also says servers temporarily keep limited connection details and remove them within 15 minutes after your session ends.

Netherlands based Deloitte no-logs verification SecuRing infrastructure audit RAM-only servers OpenVPN obfuscation 2FA available

What looks good

Surfshark has a stronger trust case than a lot of mid-priced rivals. The mix of independent audits, clear documentation, modern protocols, RAM-only infrastructure, and account security features gives it a solid safety baseline.

What needs context

Surfshark is safe, but it is not some flawless privacy machine. The current privacy policy is more precise than the marketing summary, and that precision matters if you care about the fine print.

Bottom line

For most users, Surfshark is one of the safer mainstream VPNs on the market. For privacy purists, the real answer is still yes, but read the policy and trust notes properly first.

What Surfshark Gets Right

Surfshark’s safety case is not built on one flashy claim. It comes from several things stacking up at once. It supports modern VPN protocols, offers account 2FA, publishes more trust material than most rivals, and includes genuinely useful extra features such as NoBorders, Dynamic MultiHop, Bypasser, and rotating IP. That makes it feel like a serious security product rather than a bare VPN tunnel with a polished website.

The short version

If you judge a VPN by whether it looks serious in day to day use, Surfshark passes that test easily. It covers the basics well and then adds a deeper feature set on top, which is not something you usually get at its price level.

It supports WireGuard, OpenVPN, and IKEv2.
It offers a kill switch on the main desktop and mobile apps.
It gives you account-level 2FA and recovery codes.
It includes NoBorders for restrictive networks and Dynamic MultiHop for users who want two-hop routing.
It says its whole VPN network is RAM-only, which is a meaningful design choice rather than just another marketing badge.

No-Logs Claims and Audit Timeline

This is where Surfshark looks strongest, but it is also where accuracy matters most. Surfshark says it does not keep logs of what you do online, which means no browsing history, traffic content, or destination activity records. That part is the core promise, and Deloitte has independently reviewed the no-logs policy more than once.

The current privacy policy adds an important nuance. Surfshark says its servers temporarily keep limited connection details such as user ID and or IP address plus VPN connection timestamps, then automatically delete that information within 15 minutes after the session ends. That is still far better than retaining your browsing behaviour, but it is not the same thing as saying that absolutely nothing operational ever touches the system.

2018

Cure53 audited Surfshark’s browser extensions.

2021

Cure53 audited Surfshark’s server infrastructure and found no significant concerns.

2023 and 2025

Deloitte verified Surfshark’s no-logs commitments twice.

What that really means

Surfshark’s audit history is better than what most VPNs can show. The honest reading is not “zero data of any kind ever exists”. The honest reading is “there is external evidence that Surfshark does not keep logs of your online activity, and the company is unusually open about the small amount of short-lived connection data used to operate the service.”

Breach History and Transparency

Surfshark says it has never had a data breach. That is the company’s current public position, and it matters because breach history is one of the quickest ways to judge whether a VPN provider’s trust story keeps falling apart under pressure.

On transparency, Surfshark now does more than many rivals. It publishes a transparency report, updates the user-data request numbers quarterly, and has explicitly said it is moving away from a warrant canary in favour of more detailed reporting. That is a healthier model because it gives readers something more concrete than a single “nothing to report” line.

Breach record

Surfshark’s own public statement is that it has never had a data breach.

Legal requests

Surfshark says government and legal inquiries it receives are tied to VPN server IP addresses and timestamps, not stored browsing histories.

Reporting model

Quarterly transparency reporting is more useful than relying on a warrant canary alone, and Surfshark has said as much itself.

One extra trust note

Separate from technical security, Surfshark also faced auto-renewal complaints in California in 2025. That is not the same thing as a breach or a VPN failure, but it does belong in the wider trust picture if you are judging the company as a whole rather than the tunnel alone.

Security Features, Protocols, and Server Design

Surfshark supports WireGuard, OpenVPN, and IKEv2, which is the protocol line-up you want to see from a modern VPN. OpenVPN gets special credit here because Surfshark’s own support material says that when you use OpenVPN inside Surfshark, you are using obfuscated servers. That matters because it helps make VPN traffic harder to identify on restrictive networks.

Protocol choice

WireGuard, OpenVPN, and IKEv2 are all supported, which gives users a healthy balance of speed, maturity, and flexibility.

OpenVPN obfuscation

Surfshark’s support material explicitly says OpenVPN uses obfuscated servers, which is a real plus on networks that interfere with obvious VPN traffic.

NoBorders and MultiHop

NoBorders helps on restrictive networks, and Dynamic MultiHop gives users proper two-hop routing without forcing them into fixed server pairs.

Surfshark also says its network is fully RAM-only, which reduces the risk of persistent data sitting on hard drives. Add the kill switch, Bypasser split tunnelling, rotating IP, and account 2FA, and the service ends up looking stronger on real-world protection than a lot of mainstream rivals.

Why this matters in practice

What makes Surfshark feel modern is not just the encryption. It is the way the support features join up. You get protocol flexibility, some stealth capability, stronger account protection, and more than one layer of defence against everyday leaks and restrictions.

Jurisdiction and Ownership

Surfshark is based in the Netherlands through Surfshark B.V. For most users, that is a respectable jurisdiction and not an automatic privacy red flag. Surfshark’s own security pages frame the Netherlands as a favourable place to operate because there are no mandatory data retention laws for its service model.

Ownership also matters. Surfshark merged with Nord Security in 2022, but both brands say they still operate as autonomous companies with separate infrastructures and product development. That does not erase the need for scrutiny, but it does matter when people worry that one shared holding group means one shared VPN backend.

My take on this

The Netherlands is a plus, but not the whole story. What lifts Surfshark above the average VPN pack is not jurisdiction on its own. It is the combination of location, audits, better documentation, and a more mature security design.

What Still Holds Surfshark Back

Surfshark is strong overall, but there are still a few things that stop it from being a perfectly clean trust story.

The no-logs wording needs adult reading: the company does not log your online activity, but the privacy policy still describes short-lived connection data being kept temporarily.
Feature-rich services always need more testing: when a provider offers lots of extras, there are simply more moving parts to maintain cleanly across apps and platforms.
Trust goes beyond encryption: even if the VPN tunnel looks good, things like billing complaints and policy changes still affect how some users view the brand.
You should still test your own setup: no matter how many audits a provider has, smart users still run IP, DNS, and kill switch checks on their own devices.

Best fit

Surfshark is a strong fit for people who want a capable all-round VPN with lots of practical extras. It is especially good for users who care about ease of use but still want more than the bare minimum.

Final Verdict

So, is Surfshark safe?

Yes, with honest caveats. Surfshark is one of the safer mainstream VPNs you can buy. The service gives you a stronger audit trail than most rivals, a cleaner server design than most rivals, and a deeper security toolkit than most rivals. The thing to remember is that safe does not mean above scrutiny. Surfshark still deserves a careful read, but after that careful read, it still comes out looking good.

Frequently Asked Questions

Is Surfshark safe for banking and public Wi-Fi?

Yes. For ordinary use on cafés, airports, hotels, and shared networks, Surfshark is a sensible extra layer of protection. It does not replace good account security, but it does reduce easy network snooping.

Does Surfshark really keep no logs?

Surfshark says it does not log your online activity, and Deloitte has verified that policy. The nuance is that the current privacy policy also describes limited connection details being held temporarily and removed within 15 minutes after the session ends.

Has Surfshark ever had a data breach?

Surfshark’s public statement is that it has never had a data breach. That is the current official position, and it is one of the reasons the service still looks comparatively strong in trust terms.

Can Surfshark hide the fact that I am using a VPN?

Sometimes, yes. Surfshark says its OpenVPN implementation uses obfuscated servers, and it also offers NoBorders for restrictive networks. That does not mean it will beat every hostile network, but it is better prepared than many mainstream VPNs.

Is the Netherlands a good jurisdiction for a VPN?

Generally yes. For a VPN business, it is a respectable jurisdiction and Surfshark presents it as a place without mandatory data retention laws for its service model. It is a plus, though not the whole trust story on its own.

FIELD NOTES

Surfshark is a good example of why VPN trust should be judged in layers. The headline claims matter, but the policy details matter more. The audits matter. The reporting model matters. The ownership structure matters. Put all of that together, and Surfshark still lands on the safe side of the line.

BY MARTIN NEEDS

Director @ NeedSec LTD | Cybersecurity Expert | 10+ Years Experience

"The question with a VPN is never just whether it encrypts traffic. It is whether the provider’s claims, policies, audits, and app behaviour line up in a way that actually earns trust. Surfshark does better than most on that front, but the best reading is still a careful one, not a gullible one."

OSCP Certified CSTL (Infra/Web) Cyber Essentials Assessor CompTIA PenTest+ Cybersecurity Expert

This information is for educational purposes. VPN apps, privacy policies, audit reports, and support pages can change. Always test your own setup for IP leaks, DNS leaks, protocol behaviour, and kill switch performance before relying on any VPN for privacy-sensitive work.

Is Surfshark Safe? The 2026 Forensic Security Audit