Surfshark’s trust center

Here, you’ll learn how we maintain the highest security standards for all our services:

Security

Your security and privacy are our top priority. Find out how Surfshark keeps its products and processes safe with thorough testing and strong protective measures.

The safest protocols

Surfshark offers only the safest protocols, including WireGuard, OpenVPN, and IKEv2 VPN, as well as our in-house-built protocol Dausos.

Industry-leading encryption

We use the VPN-standard AES-256-GCM encryption, as well as ChaCha20 for WireGuard, and AEGIS-256X2 for Dausos.

Third-party bug bounty

We run a third-party bug bounty and collaborate with reliable companies to identify even the most minor security flaws in our software.

Penetration tests

We regularly run system penetration tests to identify vulnerabilities and evaluate our software, ensuring thorough checks and accurate improvements.

Safe design and development

By using static application security testing and other methods to identify security gaps, we can effectively eliminate potential dangers.

IT security monitoring

Surfshark monitors its IT systems around the clock for any harmful activity and potential attacks. This monitoring is fully automated and runs 24/7.

Automated app patching

Surfshark uses automated, unattended upgrades to always keep our production environment up to date with the latest software requirements.

Latest threat insights

Our automated system keeps us up to date on the latest global threats, knowledge, evaluations, and threat actors so that we can be prepared.

Secure encrypted logins

Surfshark's user logins are encrypted to ensure maximum security. Even if a server data breach were to happen, the login information remains protected.

No user activity collection

We have a strict no-logs VPN policy, meaning we do not track or store any user activity. Frequent third-party audits back this.

Privacy-focused jurisdiction

Surfshark is based in the Netherlands. The laws of the Netherlands do not establish any obligation to log or retain user data.

GDPR compliance

Since we're based in an EU country, we comply with the General Data Protection Regulation for all our customers, regardless of their location.

Process security

Only approved access

Surfshark uses a privileged access management system to ensure only approved staff get the necessary access, and detailed audits track all employee activities.

Minimal data access

We follow the principle of least privilege, meaning staff access only the tools and systems needed for their jobs. Customer support operates with minimal access.

Background checks

Surfshark performs background checks on new employees to verify their credibility and reduce internal threats, ensuring a secure work environment.

Frequently asked questions

What certifications does Surfshark have?

Surfshark holds a MASA certificate, awarded in December 2023 and January 2025 after passing a security audit, and has earned an Independent Review badge on the Google Play Store. Surfshark also has a VPN trust seal awarded for following VPN Trust Initiative principles. In addition, Surfshark Antivirus has been certified by an independent German IT security organization, AV-Test.

Surfshark has undergone multiple independent audits to validate its security practices and no-logs policy, including a recent infrastructure security audit by SecuRing completed in December 2025, which confirmed the network's resilience against attacks and found no critical vulnerabilities. Audits by Deloitte in 2023 and 2025 have also verified Surfshark's adherence to its no-logs policy, assuring users that their online activity is not monitored or stored.

Is Surfshark a no-logs VPN?

Yes. Surfshark does not keep any logs of user activity, including IP addresses, browsing history, session information, used bandwidth, connection timestamps, network traffic, or other types of data.

Does Surfshark use RAM-only VPN servers?

Yes, Surfshark uses 100% RAM-only servers, rather than hard drives. This provides significant security and privacy benefits. Since RAM requires power to retain data, all information stored on the servers is automatically wiped every time a server is rebooted or powered down.

This makes it technically impossible for any user data to be stored long-term or retrieved after the fact, even if a server were physically seized.

RAM-only servers also ensure that the entire server network runs the latest software, as fresh configurations are loaded with each reboot.