Deloitte conducted assurance procedures on Surfshark’s IT systems configuration between Nov. 21 and Dec. 02, 2022, and concluded that the VPN does not log user data. “Based on the procedures performed and the evidence obtained, in our opinion, the configuration of IT systems and management of the supporting IT operations is properly prepared, in all material respects, in accordance with Surfshark’s description of its no-logs policy,” Deloitte stated. Surfshark has passed audits conducted by Cure53 in the past. However, it said the Deloitte audit is the biggest one yet. Surfshark is the latest VPN provider to publicly announce a successful audit of this kind after NordVPN, ExpressVPN, and Proton VPN.
Details of Deloitte’s Assessment
The purpose of Deloitte’s assessment was to verify whether Surfshark abides by the claims it makes in its service description, including claims about its data collection practices. “We do not store any incoming and outgoing traffic data, including user and destination IP addresses, browsing history/websites visited, amount of data transferred, the VPN servers used, DNS queries or files downloaded,” Surfshark’s service description reads. Deloitte’s assessment involved conducting interviews with Surfshark employees and inspecting the VPN’s IT systems and servers. This included the design and configuration of the provider’s Standard VPN servers, Static IP VPN servers, Multihop servers, and Multiport servers. The firm also looked into relevant configuration management system roles, VPN Server configuration, API, and Software Defined Network. Deloitte concluded that Surfshark operates in line with its service description. Deloitte carried out its assessment in line with the ISAE 3000 (Revised) standards established by the International Auditing and Assurance Standards Board. Deloitte noted that its conclusion is limited to the assessment period, and changes made afterward could impact its findings.
Surfshark’s Commitment to User Privacy and Transparency
Surfshark said the assurance audit was an important transparency initiative demonstrating its commitment to privacy. “Working in an industry that highly relies on trust and transparency, we understand that it takes more than just words to validate our efforts,” said Justas Pukys, VPN Product Owner at Surfshark. “The positive result from Deloitte’s no-logs assurance report provides factual evidence to our users and future customers that Surfshark operates on the highest privacy and quality standards.” “We will continue to perform various audits and tests to get independent verification of our security and privacy measures,” Pukys added.