In late 2022, Surfshark finally did what we’ve been waiting years for: it invited in auditors to assess its no-logs policy.
Although it has commissioned audits before, those have covered other aspects of its service, such as whether its apps contained any malware, or its general infrastructure.
However, this time, it’s the big one as far as its users are concerned. It’s all very well for any VPN service to say it doesn’t log any data: that’s easy. It’s quite another to prove it and, until now, it was one of the big boxes that Surfshark couldn’t tick.
But in December 2022, the company gave Deloitte access to everything necessary to confirm that it does everything it states in its no-logs policy.
And confirm it did, concluding “Based on the procedures performed and the evidence obtained, in our opinion, the configuration of IT systems and management of the supporting IT operations is properly prepared, in all material respects, in accordance with Surfshark’s description of its no-logs policy.”
The move comes just a fortnight after sister company NordVPN announced the results of its third no-logs audit, which was also carried out by Deloitte.
This is excellent news for all of Surfshark’s existing users, but also for anyone who was considering signing up to Surfshark but was previously unwilling to commit without this sort of assurance that it really doesn’t keep any data about how you use its service.
It’s important to understand that there are different types of logs and VPNs don’t really help themselves by not making it absolutely clear what ‘no logs’ really means.
Surfshark is doing a good job in this respect, outlining three main types of logs: technical ones about your connection, personality-related ones about you and your account and, most importantly, activity logs about how you use the services.
Surfshark’s website states “In short, Surfshark VPN does not keep track of your online whereabouts or actions in any way. The VPN server only keeps enough data to maintain your VPN connection, and nothing is kept after you’re done.”
One of the ways it ensures nothing could be recorded is that its servers all run in RAM and any hard drives they do have are read-only, so no activity data can exist once a server is powered off. And this applies to all of its servers, not just some of them.
Surfshark has said it will make a summary of Deloitte’s report available to the public so that anyone who wants to can see proof that it sticks to its no-logs policy.