What exactly does Surfshark’s no‑logs policy cover and what IP metadata, if any, is retained?
Executive summary
Surfshark’s published no‑logs promise and multiple independent assurance reports say the company does not collect or retain records of users’ online activities such as browsing history, visited sites, or DNS queries, and operates RAM‑only server infrastructure to minimize persistent data [1] [2] [3]. However, Surfshark does retain account and billing data for service delivery, and admits to ephemeral connection metadata on its servers (user identifier/IP and timestamps) that it says is automatically deleted; Surfshark and independent auditors describe strict controls and short retention windows rather than an absolute absence of any transient connection data [4] [5] [6].
1. What “no‑logs” means in Surfshark’s documents and audits
Surfshark defines “no‑logs” as not tracking, collecting, or sharing users’ online activity (browsing, traffic content, DNS requests), a claim repeated across its product pages and privacy policy and reinforced by Deloitte’s independent assurance that Surfshark’s systems are configured and operated in line with that policy [1] [4] [6]. Multiple tech outlets and earlier audits are consistent with Deloitte’s findings that the company enforces its no‑logs procedures across applicable infrastructure, and Surfshark has highlighted RAM‑only servers as a technical measure to ensure no persistent user data remains on disk [2] [7] [3].
2. The data Surfshark explicitly does collect and retain
Surfshark’s public privacy policy and help documentation make clear the service still collects and stores certain account and operational data: user account credentials (email and encrypted password), basic billing and order history, device metadata (device name, OS, app version), and keeps account data for as long as the service is used plus two years after last login for business, legal, and security purposes [1] [4]. Payment processors involved in handling transactions may record transaction details including the payer’s IP address and card data needed for refunds and compliance; those are described as being held by “trusted payment partners” [4].
3. The grey area: ephemeral connection metadata and the 15‑minute window
Surfshark’s customer support and policy disclosures acknowledge that its servers temporarily store connection records—described as information about a user’s connection to a VPN server such as a user ID and/or IP address and connection timestamps—but state this information is deleted automatically within 15 minutes after a session ends [5]. Independent auditors examined configuration, deployment, and operational processes and reported that these practices align with Surfshark’s no‑logs description, but an assurance report does not equate to perpetual, verifiable deletion in every circumstance; it confirms procedures and implementation at the time of review [6] [8].
4. What the audits do—and don’t—prove
Deloitte’s ISAE‑style assurance and earlier third‑party reviews confirm that Surfshark’s technical controls, personnel practices, and server configurations are consistent with the company’s no‑logs claims and that the policy is applied across its infrastructure, with the detailed report available to users in some form [6] [7]. Audits provide strong independent verification of policies and controls, but they are point‑in‑time assessments and typically test processes and evidence provided by the vendor, so they reduce but do not entirely eliminate the need for ongoing scrutiny or future re‑validation [3] [9].
5. Practical takeaway and unresolved limits in public reporting
In practice, Surfshark presents a modern no‑logs posture: RAM‑only servers, short‑lived connection metadata, and independent assurance by Deloitte that its stated practices are implemented [2] [5] [6]. Users seeking absolute guarantees should note two realities visible in Surfshark’s own documents: transactional/payment systems can record IPs via payment partners and account/billing records are retained for operational reasons [4], and independent audits are temporally limited snapshots rather than continuous proofs [3]. Public reporting and Surfshark’s documentation answer what is collected and for how long in broad strokes, but the detailed audit (ISAE 3000) and operational logs policies are the primary sources for granular verification and are available to Surfshark users per the company [7] [8].