Is Surfshark Safe in 2026? Security, Privacy and Logs Examined

Surfshark has grown rapidly on the back of its unlimited connections and industry-low pricing. But cheap VPNs have historically been among the least trustworthy. The question of whether Surfshark is genuinely safe deserves more than a marketing brochure answer. We examined every aspect of Surfshark security to give you a concrete assessment.

Jurisdiction and ownership

Surfshark is registered in the Netherlands, an EU country with robust data protection laws under GDPR. This is a step down from Panama or Switzerland in terms of jurisdiction favourability but it comes with meaningful GDPR protections that require demonstrated lawful purpose for data processing. The Netherlands is technically part of the Nine Eyes intelligence sharing alliance, which is a legitimate concern for users with elevated threat models, though in practice this is more relevant for state-level surveillance than typical VPN use cases.

In 2022, Surfshark merged with Nord Security, the company behind NordVPN. The two brands continue to operate independently with separate infrastructure, separate no-logs policies, and separate technical implementations. The merger is a corporate relationship, not a product merger.

No-logs policy and independent audits

Surfshark has a no-logs policy stating that no connection logs, IP addresses, or session timestamps are retained. This policy was audited by Cure53 in 2021 and again in 2023. Cure53 is a well-respected German cybersecurity firm with a track record of thorough and honest audits. Both audits confirmed that the no-logs policy is technically implemented, not just written in a privacy policy.

Unlike NordVPN and ExpressVPN, Surfshark has not had a server seized that provided real-world proof of the no-logs policy. The audit history is credible but this distinction is worth noting for users who want the strongest possible assurance.

Encryption and protocols

Surfshark uses AES-256 encryption on OpenVPN and IKEv2 connections, and ChaCha20 on WireGuard. All three encryption standards are considered secure by current cryptographic consensus. WireGuard via the Surfshark implementation provides the best combination of speed and security for most users. The Nexus network technology routes traffic through multiple servers for users who want additional privacy layers.

The kill switch is implemented correctly, blocking all internet traffic if the VPN connection drops unexpectedly. DNS requests route through Surfshark servers by default, preventing your ISP from seeing domain queries even when the VPN briefly reconnects. In leak testing using ipleak.net and browserleaks.com, no DNS or WebRTC leaks were detected.

RAM-only infrastructure

Surfshark transitioned to RAM-only server infrastructure. RAM does not persist when power is removed, meaning even physical server seizure would yield no user data. This is the same approach used by NordVPN and ExpressVPN and represents the current gold standard in server architecture for privacy.

Security audits of the apps

Beyond the no-logs audit, Cure53 has audited Surfshark browser extensions. The 2022 extension audit found minor issues that were patched before the report was published. The transparency around publishing audit results rather than simply claiming audits happened is a positive indicator of the security culture at the company.

Is it safe for sensitive use cases?

For typical use cases including public WiFi protection, avoiding ISP data collection, and streaming access, Surfshark provides genuine protection. For users with elevated threat models such as journalists, activists, or anyone concerned about state-level surveillance, ProtonVPN with Swiss jurisdiction and open-source apps provides stronger assurances. The Netherlands jurisdiction and the Nord Security ownership structure introduce variables that matter more for high-stakes use.

The verdict

Surfshark is safe for typical VPN use. The Cure53 audits are credible, the encryption is strong, the RAM-only infrastructure provides technical backing for the no-logs claims, and the kill switch and DNS protection work correctly. For most users the security level is more than sufficient. For users requiring the strongest possible jurisdiction and the most verifiable security claims, ProtonVPN or Mullvad provide marginally stronger assurances.