Surfshark claims to keep no logs. But what does that actually mean, and is it true? The answer matters because a VPN that logs your activity defeats the entire purpose of using one. We dug into the audit results, terms of service, and what Surfshark actually stores.
What Surfshark’s No-Logs Policy Claims
Surfshark’s privacy policy states they do not collect or store:
- IP addresses assigned to your session
- Browsing history
- VPN session duration or timestamps
- Bandwidth data
- Network traffic or DNS queries
- Connection logs
This is what a genuine no-logs policy looks like on paper. The question is whether the audit supports it.
The Audit Evidence
Surfshark has been audited by Cure53, an independent German cybersecurity firm, twice: in 2018 and 2021. The audits covered:
- The apps (Android, iOS, Windows, macOS, browser extensions)
- The server infrastructure
- The backend systems
The 2021 audit specifically reviewed Surfshark’s no-log infrastructure and confirmed that the systems do not retain user activity data. No contradictory evidence was found.
Important context: Surfshark’s last audit was in 2021. That is now four years ago. NordVPN and ProtonVPN have more recent audits (NordVPN with ongoing PwC audits, ProtonVPN with a 2024 KPMG audit). Surfshark’s no-logs score in our database is 5/5, which reflects the quality of the 2021 audit, but a more recent audit would strengthen this position.
What Surfshark Does Collect
Surfshark’s privacy policy acknowledges collecting:
- Email address: Required to create an account
- Payment information: Processed by a third-party payment processor, not stored by Surfshark
- Device data for account management: Device type and app version (not linked to VPN activity)
- Aggregated performance data: Non-identifiable stats to improve the service
The email address is the most significant piece of data, since it ties your account to an identity. Surfshark does not offer anonymous account creation (unlike Mullvad, which requires no email). If a court ordered Surfshark to identify a user, they could provide the email address used for signup.
This is standard practice for mainstream VPNs. It is a distinction worth understanding: “no logs” means no activity logs, not complete anonymity.
Jurisdiction: Netherlands (Nine Eyes)
Surfshark is incorporated in the Netherlands, a Nine Eyes intelligence-sharing member. Dutch law could compel Surfshark to respond to legal requests. Surfshark’s response would be to produce the email address (if available) and confirm there are no activity logs to hand over.
In practice, no documented case of Surfshark being served a data request and producing user data exists. The jurisdiction is less ideal than Panama (NordVPN) or Switzerland (ProtonVPN), but Surfshark’s no-log infrastructure means the practical impact of a legal request is minimal.
RAM-Only Servers
Surfshark runs fully RAM-only servers, which means no data is written to physical storage. When a server reboots, everything is wiped. This makes forensic data recovery from a seized server impossible, which is the strongest technical proof of a no-logs implementation.
RAM-only servers score 5/5 in our database.
Comparison: Surfshark vs. Other VPN Logs Policies
| VPN | No-logs audit | Last audit | Audit firm | RAM servers | Jurisdiction |
|---|---|---|---|---|---|
| Surfshark | Yes | 2021 | Cure53 | Yes | Netherlands |
| NordVPN | Yes | Ongoing | PwC | Yes | Panama |
| ProtonVPN | Yes | 2024 | KPMG | Partial | Switzerland |
| ExpressVPN | Yes | 2023 | Multiple | Yes | BVI |
| Mullvad | Yes | 2025/2026 | Assured AB | Yes | Sweden |
| CyberGhost | Yes | 2012 | QSCert | Yes | Romania |
Surfshark’s audit record is solid, though not as current as NordVPN or Mullvad. The 2012 CyberGhost audit for context shows how an outdated audit can become meaningless, which is why audit recency matters.
The Real-World Test: Has Surfshark Ever Handed Data to Authorities?
No documented case of Surfshark providing user activity data to law enforcement exists. This is a positive signal, though it reflects both their no-logs policy and the fact that they have not yet been tested in a high-profile legal case.
For comparison: Mullvad was raided by Swedish police in 2023 and produced nothing because no data existed. NordVPN had a server seized in Finland in 2018 and produced nothing. These are stronger real-world tests than an absence of documented requests.
Should You Trust Surfshark’s No-Logs Policy?
For typical users, yes. The combination of a credible Cure53 audit, RAM-only servers, and no documented data handovers makes Surfshark a trustworthy no-logs option.
For users with serious privacy requirements (activists, journalists, users in authoritarian countries), a VPN with more recent audits and a better jurisdiction track record offers higher assurance. NordVPN or ProtonVPN are better choices for those use cases.
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
Our verdict: Surfshark’s no-logs policy is credible and backed by a Cure53 audit and RAM-only server infrastructure. The main caveats are that the most recent audit is from 2021 (due for renewal), the Netherlands jurisdiction is within Nine Eyes, and email is collected at signup (eliminating the option of fully anonymous use). For the vast majority of users, Surfshark’s logs policy is trustworthy. For the highest-stakes privacy needs, ProtonVPN or Mullvad offer stronger assurances.
FAQ
Does Surfshark sell user data? No. Surfshark’s privacy policy explicitly prohibits selling user data to third parties. They generate revenue from subscriptions, not data.
Does Surfshark know which websites I visit? No. Based on the audit results and no-logs infrastructure, Surfshark does not log or retain information about which websites or services you access while connected.
Is Surfshark’s no-logs policy verified by an independent audit? Yes, by Cure53 in 2021. A more recent audit has not been published as of mid-2026, which is a gap compared to competitors who audit annually.
What happens to my data if Surfshark shuts down or is acquired? Your email address would transfer to any acquirer. Activity logs do not exist to transfer. This is standard risk for any service that requires email registration.
The trust file, weighed against the field
Placing Surfshark on the evidence hierarchy our verification guide builds: a Cure53-audited no-logs claim plus a Deloitte assurance engagement, RAM-only fleet throughout, no logging incidents in company history, and a Netherlands flag that costs it points only at the jurisdiction layer. That bundle sits a rung below the annual-audit pair (Proton, Nord) and the court-tested singleton (PIA), and comfortably above the unaudited mass of the market.
For the buyer’s practical question (is Surfshark safe to trust with browsing data?), the file supports a clear yes for mainstream threat models, with the usual structural honesty: no-logs is always probabilistic from outside, and Surfshark’s probability is bought with audits, architecture and years of uneventful operation rather than with marketing adjectives.
The skimmer’s answer to the title: no logs that matter, audited twice, RAM-only throughout, no incidents, with the Netherlands flag as the one structural caveat for alliance-sensitive threat models. For everyone else, the policy holds and the price makes it one of the cheapest audited no-logs subscriptions available.
Keep reading: How to Verify a VPN’s No-Log Policy: What Actually Counts as Proof and Surfshark Review 2026: The Best Value VPN or Just Hype?.