Is Surfshark Safe? The 2026 Forensic Security Audit

What Surfshark Gets Right

Surfshark's safety case is not built on one flashy claim. It comes from several things stacking up at once. It supports modern VPN protocols, offers account 2FA, publishes more trust material than most rivals, and includes genuinely useful extra features such as NoBorders, Dynamic MultiHop, Bypasser, and rotating IP. That makes it feel like a serious security product rather than a bare VPN tunnel with a polished website.

• It supports WireGuard, OpenVPN, IKEv2, and the newer Dausos protocol on supported macOS App Store builds.
• It offers a kill switch on the main desktop and mobile apps.
• It gives you account-level 2FA and recovery codes.
• It includes NoBorders for restrictive networks and Dynamic MultiHop for users who want two-hop routing.
• It says its whole VPN network is RAM-only, which is a meaningful design choice rather than just another marketing badge.
• It has added more recent external review points, including a 2026 SecuRing infrastructure audit and a Cure53 assessment of Dausos.

No-Logs Claims and Audit Timeline

This is where Surfshark looks strongest, but it is also where accuracy matters most. Surfshark says it does not log what you do online, which means no browsing history, traffic content, or destination activity records. Deloitte has independently reviewed the no-logs policy more than once, including a 2025 verification that looked at systems, internal processes, server types, deployment processes, privacy-related settings, and whether the no-logs policy was applied across relevant infrastructure.

The current support wording adds an important nuance. Surfshark says online activities are not logged, but it also says servers can temporarily store information about your connection to a particular VPN server, including user ID and or IP address plus connection timestamps. Surfshark says this information is automatically deleted within 15 minutes after the session ends. That is still far better than retaining browsing behaviour, but it is not the same thing as saying that absolutely nothing operational ever touches the system.

Breach History and Transparency

Surfshark says it has never had a data breach. That is the company's current public position, and it still matters because breach history is one of the quickest ways to judge whether a VPN provider's trust story keeps falling apart under pressure.

The bigger 2026 update is transparency. Surfshark now publishes quarterly request numbers and has moved away from relying on a warrant canary alone. For January to March 2026, Surfshark reported 361,451 DMCA requests, 30 inquiries from government institutions, and zero national security letters, gag orders, or warrants from government organisations during that reporting period. Surfshark also added an April 14, 2026 update saying it fulfilled a legally binding warrant from the Amsterdam District Court. According to Surfshark, the only information it could disclose was confirmation of the account's existence and payment-related information, not browsing activity or traffic logs.

Security Features, Protocols, and Server Design

Surfshark's protocol picture has changed since older versions of this article. It still supports WireGuard, OpenVPN, and IKEv2, but there are platform details worth getting right. Surfshark now also promotes Dausos, its proprietary post-quantum protocol, currently available through the macOS App Store version of the app. Surfshark also says WireGuard now includes post-quantum protection by default on macOS, Android, and Linux, while IKEv2 is no longer directly available in the Surfshark Windows app and must be set up manually through Windows built-in VPN settings.

Surfshark also says its network is fully RAM-only, which reduces the risk of persistent data sitting on hard drives. Add the kill switch, Bypasser split tunnelling, rotating IP, and account 2FA, and the service ends up looking stronger on real-world protection than a lot of mainstream rivals.

Dausos and Post-Quantum Protocol Update

Dausos is the biggest new technical update since this article was first drafted. Surfshark describes it as a proprietary VPN protocol built for consumer VPN use, with dedicated private data tunnels, post-quantum cryptography, and AEGIS-256X2 encryption. Cure53 has independently assessed Dausos, which is a positive sign.

The caveat is availability and maturity. Dausos is currently for Surfshark's macOS app from the App Store, not the website .dmg installer, and it is not yet a normal everyday option across Windows, iOS, Android, Linux, and routers. That means it should be treated as promising, not as the main reason everyone should trust Surfshark today. For most users, WireGuard and OpenVPN remain the more proven defaults.

Jurisdiction and Ownership

Surfshark is based in the Netherlands through Surfshark B.V. For most users, that is a respectable jurisdiction and not an automatic privacy red flag. Surfshark's own security pages frame the Netherlands as a favourable place to operate because there are no mandatory data retention laws for its service model.

Ownership also matters. Surfshark merged with Nord Security in 2022, but both brands say they still operate as autonomous companies with separate infrastructures and product development. That does not erase the need for scrutiny, but it does matter when people worry that one shared holding group means one shared VPN backend.

What Still Holds Surfshark Back

Surfshark is strong overall, but there are still a few things that stop it from being a perfectly clean trust story.

• The no-logs wording needs adult reading: the company does not log your online activity, but the support wording still describes short-lived connection data being kept temporarily.
• Legal requests can still reach account records: the April 2026 warrant update shows that account existence and payment-related information can be disclosed when legally required.
• Dausos is promising but new: a fresh protocol needs time and wider platform coverage before it becomes a settled trust advantage for everyone.
• Feature-rich services always need more testing: when a provider offers lots of extras, there are simply more moving parts to maintain cleanly across apps and platforms.
• Trust goes beyond encryption: even if the VPN tunnel looks good, things like billing complaints, renewal terms, and policy changes still affect how some users view the brand.
• You should still test your own setup: no matter how many audits a provider has, smart users still run IP, DNS, WebRTC, and kill switch checks on their own devices.

Final Verdict