Surfshark focuses on creating humanized security products.
Here, you’ll learn how we maintain the highest security standards for all our services and products, all to your benefit:
- Inspect the security standards we follow
- Get familiar with the technical aspects of our server infrastructure
- See our certifications, patents, and audits
- Learn more about our values and privacy-related initiatives
Security
Find out the security methods we apply to our products & services.
Click here
Servers
Discover how our high-end server infrastructure delivers top-level user privacy worldwide.
Click here
Quality
Learn which certifications, patents, and audits
verify the quality of our products.
Click here
Transparency
Explore our initiatives, showcasing a commitment to high industry standards.
Click here
Security
To ensure your security using Surfshark, we comply with the strictest security measures. Learn about our security implementations, testing procedures, and other methods that Surfshark and its products undergo to maintain the safety of our services and customers.
Implementation of the most secure protocols
Surfshark offers WireGuard, OpenVPN, and IKEv2 VPN protocols and uses robust AES-256-GCM encryption. Along with AES-256 encryption, Surfshark uses ChaCha20 encryption for the WireGuard protocol. Moreover, Surfshark uses a 2048-bit version of the RSA (Rivest-Shamir-Adleman) encryption keys.
Third-party bug bounty
We comply withthird-party bug bounty at Surfshark. It means that we employ reliable companies to search for bugs or system vulnerabilities in our software. This allows us to better identify and patch even the most minor security flaws and protect our clients and company operations.
Penetration tests
We check for exploitable vulnerabilities and assess the software by executing frequent system penetration tests. Regularly performed internal and external pen testing guarantees a thorough assessment of our service and products.
Secure design and development
Our design process includes security and privacy threat modeling. Using Static Application Security Testing (SAST) and other methods to find security gaps, threats, and vulnerabilities, we can reduce or eliminate potential dangers by implementing sufficient countermeasures.
Security measures
At Surfshark, we use various formats of security measures for our applications and internal operations to enhance security for the login process, prevent particular attacks, such as brute-forcing, and ensure system and data access is limited to authorized personnel.
Privileged Access Management (PAM)
Our company uses a Privileged Access Management (PAM) system to strictly control and monitor IT network access. This system allows only approved staff to have the necessary access and includes detailed auditing to keep track of all activities, improving our security and meeting industry standards.
Security monitoring
Surfshark monitors its IT infrastructure for suspicious and malicious activity and possible attacks. The monitoring is performed 24/7, and all processes are automated.
Zero-knowledge password storage
User logins in Surfshark’s database are encrypted, ensuring no one can decrypt the stored login information. Even in the event of a server data breach, no one could decode the users’ stored logins.
Automated patching
Surfshark uses automated unattended upgrades to ensure our production environment meets the software requirements.
Threat intelligence
We use an automated system that monitors and informs us about the latest threats worldwide based on knowledge, expertise, and experience about incidence, evaluation, and threat actors — Surfshark is constantly up to date.
The principle of least privilege (PoLP)
Our company adheres to the PoLP, also known as the principle of minimal privilege (PoMP). This means that our personnel only have access to the tools, resources, and operational systems required for their responsibilities at work. Our customer support operates with the least-required access.
Servers
Surfshark aims to provide the best possible environment in pursuit of higher user privacy and security. Increasing the number of servers and converting them into RAM-only profiles are only a few substantial steps toward more private and transparent practices in the VPN market.
100% RAM-only infra servers
Surfshark is among the first providers in the VPN industry to upgrade its servers to RAM-only infrastructure, meaning that servers boot up using only RAM memory instead of hard drive storage.
Learn more
10 Gbps server speed
By shifting the servers from 1 Gbps to 10 Gbps, Surfshark VPN connection is faster and gives the new servers better throughput, which means they can transfer big chunks of data quicker. Since the data is throughput faster, the servers host more people, and the speeds are more stable. Moreover, the servers are less crowded.
Learn more
3200+ servers worldwide
You can select from over3200+ servers spread across 100 countries. Surfshark also covers many VPN-restricting states and offers virtual locations that appear to be in one country but physically are in another. The more high-quality servers a VPN offers, the faster and less crowded the server connection is.
Automatic rebuilds
Most of our VPN servers are destroyed and rebuilt regularly. This way, we reduce the window of vulnerability for our systems.
Quality
Code review
With the help of SAST, Surfshark regularly performs software quality assurance.
24/7 support
To ensure our service quality, Surfshark offers 24/7 customer support. The support agents can be reached via live chat or email.
Employee background check
Surfshark runs background checks on new employees to verify their reputation and reduce internal threats.
Transparency
As a cybersecurity company, transparency is crucial to earning our users’ trust. That is why we regularly reveal the inner workings of Surfshark by publishing annual reports and disclosing government inquiries or any other legal requests.
Transparency report
We understand and welcome the growing need for transparency within the sector, such as the Digital Services Act (DSA). As a cybersecurity company, we feel it’s our duty to meet the highest standards and being transparent is one of them. In addition to the Warrant Canary, which was always present on our website, we’re also presenting our Transparency Report, which specifies the type and number of requests received. We will update these numbers accordingly every quarter.
Requests for user data (April-June 2024)*
*None of the requests resulted in the disclosure of user-related data.
Type | Requests received |
DMCA requests | 357269 |
Inquiries from government institutions | 45 |
National Security letters | 0 |
Gag orders | 0 |
Warrants from any government organization | 0 |
Requests received in accordance with DSA | 0 |
Surfshark commits to regularly publishing transparency reports to communicate about legal and government requests as well as requests received in accordance with DSA, highlighting our dedication to user privacy. All the inquiries from the government institutions were based on the VPN server IP address and specific connection timestamp. According to our no-logs statement, which was confirmed by Deloitte’s assurance report and strengthened by our use of RAM-only servers, we don’t collect any information about what you do online (like IP addresses, browsing history, or network traffic), ensuring we have no such information to disclose upon request. We aim to build trust with our users, proving our dedication to protecting their privacy.
Our work during the years
Annual Wrap-up 2023
DownloadAnnual Wrap-up 2022
DownloadAnnual Wrap-up 2021
DownloadAiming for higher industry standards
Surfshark works closely with the VPN Trust Initiative — an industry-led consortium that promotes consumer safety and privacy online. We support and follow VTI principles, which serve as a baseline for how VPN providers should operate. The principles cover security, advertising practices, privacy, disclosure and transparency, and social responsibility.
Surfshark has joined forces with a digital rights watchdog and internet monitoring organization — NetBlocks. Their mission and objectives of raising awareness and expanding the distribution of information about global internet outages resonate with our values of unrestricted and available to all internet.