V-DIG Audit — Surfshark

Audit Phase: V-DIG Domain Audit Target Entity: Surfshark (Surfshark B.V. / Nord Security group) Audit Date: 2026-05-01

Enterprise Technology Stack & Vendor Relationships

Corporate & Ownership Structure

Surfshark is a VPN and consumer cybersecurity product company incorporated as Surfshark B.V. in the Netherlands, with a British Virgin Islands holding entity and primary engineering operations in Vilnius, Lithuania.¹ In February 2022, Surfshark completed a merger with Nord Security (parent of NordVPN), forming a combined group under which both brands operate as distinct products while sharing group-level corporate governance.²³ The merged group’s Netherlands-registered entity, Cyberspace B.V., serves as the primary European corporate vehicle.³

Israeli-Origin Software & Services

No public evidence identifies any licensing, subscription, procurement, or technology integration relationship between Surfshark and Israeli-origin cybersecurity or enterprise software vendors. Specifically, no relationship has been identified with Check Point Software Technologies, Wiz, SentinelOne, CyberArk, NICE Ltd, Verint Systems, Claroty, or AnyVision/Oosto in any corporate filing, press release, partnership announcement, technology blog post, or third-party audit report reviewed for this audit.¹²³

Palo Alto Networks, while Israeli-founded (by Nir Zuk), is a US-domiciled, US-listed corporation headquartered in Santa Clara, California.⁴ No public evidence identifies Surfshark as a Palo Alto Networks customer or integration partner.

Documented Security & Audit Vendors

Surfshark’s publicly disclosed security infrastructure relies on two non-Israeli firms for independent assurance:

• Cure53 (Berlin, Germany): Conducted penetration testing and security audits of Surfshark’s infrastructure, with results published in a publicly accessible report.⁵⁶
• Deloitte: Conducted Surfshark’s no-logs policy audit in 2023, independently verifying that Surfshark does not retain user connection logs.⁷

Surfshark’s privacy policy and GDPR compliance documentation are maintained as public-facing instruments.⁸⁹ Its no-logs technical architecture is separately documented on the corporate blog.¹⁰

Payment & E-Commerce

Surfshark uses Nexway as its e-commerce and payment processing partner for subscription sales. Nexway is a French-headquartered firm; no Israeli-origin payment processing or fintech integration has been identified in Surfshark’s public commercial documentation.

Procurement & Integrator Relationships

No public evidence has been identified of any systems integrator, digital transformation consultancy, or IT outsourcing partner engaged by Surfshark that has mandated or deployed Israeli-origin technology as part of its engagement. Source classes checked include corporate filings, press releases, technology partnership directories, Crunchbase,¹¹¹² LinkedIn,¹³ and trade press.

Scale of Dependency: No public evidence of any Israeli-origin technology embedded in Surfshark’s core or peripheral infrastructure.

Evidence Gap — Internal IT Stack: Surfshark does not publish a comprehensive vendor disclosure or software bill of materials for its internal enterprise IT environment. It is therefore not possible to fully rule out the use of Israeli-origin security software (e.g., endpoint detection and response tools) in back-office functions from public sources alone.

Evidence Gap — Group-Level Procurement: Following the 2022 merger,²³¹⁴ some procurement decisions may be made at the Nord Security group level rather than the Surfshark entity level. Group-level vendor relationships are not comprehensively disclosed publicly.¹²

Surveillance, Biometrics & Retail Technology

Facial Recognition & Biometrics

No public evidence identified. Surfshark is a VPN and consumer/enterprise cybersecurity software company with no documented retail, physical security, or biometric product line. No relationship with Trigo, BriefCam, AnyVision/Oosto, or Trax has been identified in any source reviewed for this audit.

Predictive Analytics & Population Monitoring

No public evidence identified. Surfshark’s published product portfolio comprises a VPN service, antivirus module, data breach monitoring (Alert), private search, and an ad/tracker blocker (CleanWeb).¹¹⁵ None of these products is designed or marketed for population-level predictive analytics or behavioural monitoring. This conclusion is consistent with NGO surveillance-technology assessments from Amnesty International¹⁶ and Human Rights Watch¹⁷ — neither of which identifies Surfshark in the context of surveillance technology provision.

Third-Party Deployment

No public evidence identified that any Israeli-origin surveillance, biometric, or predictive analytics technology reaches Surfshark indirectly through third-party managed services or bundled enterprise suites. Source classes checked include Who Profits Research Center database,¹⁸ NGO surveillance-tech reports,¹⁶¹⁷ corporate product documentation, and trade press.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Israeli VPN Exit Node

Surfshark’s publicly accessible global server list includes an Israeli (IL) endpoint.¹⁹ This is consistent with Surfshark’s standard commercial practice of offering VPN exit nodes in countries where subscribers wish to appear to be located. This arrangement constitutes a customer-facing VPN exit node, not an operational data centre, primary co-location facility, or sovereign cloud deployment owned or leased by Surfshark in Israel.

Surfshark operates its global server fleet on a RAM-only, diskless architecture, meaning no persistent data is written to storage at any node, including the Israeli exit node.²⁰ The identity of the specific Israeli co-location or hosting provider supplying physical rack space for this exit node is not publicly disclosed by Surfshark.

Evidence Gap — Israeli Exit-Node Sub-Contractor: The specific data centre operator or network transit provider enabling the Israeli VPN server is undisclosed in Surfshark’s public documentation. Whether that sub-contractor has Israeli state or defence connections cannot be determined from public sources.¹⁹

Project Nimbus & State Cloud Contracts

No public evidence identified of any Surfshark participation in Project Nimbus — the USD 1.2 billion cloud infrastructure contract awarded jointly to Google Cloud and Amazon Web Services by the Israeli government and military²¹ — or in any comparable Israeli state-backed cloud infrastructure programme.²² Surfshark is not a hyperscale cloud provider and does not offer infrastructure-as-a-service products of the type tendered under Project Nimbus.

Data Sovereignty & Resilience Services

No public evidence identified that Surfshark markets, has tendered for, or has contracted any service for digital sovereignty, data residency, or infrastructure resilience to Israeli state institutions, military bodies, or Israeli government-affiliated entities.

GDPR & Data Residency

Surfshark’s GDPR compliance documentation confirms its primary data processing is structured around European data protection law, consistent with its Netherlands incorporation.⁹ Its transparency report documents government data requests received across jurisdictions.²³ No Israeli law enforcement or military data requests are specifically identified in the publicly available version of that report.²³

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence identified of any contract, partnership, memorandum of understanding, or service agreement between Surfshark and the Israeli Ministry of Defence, Israel Defence Forces (IDF), or Israeli intelligence agencies (Mossad, Shin Bet, Unit 8200, or commercially affiliated bodies). Source classes checked include Israeli government procurement and tender databases, defence technology trade press, corporate disclosures, Crunchbase,¹¹ and international technology partnership directories.

Dual-Use Technology Provision

No public evidence identified that Surfshark’s commercially available VPN or cybersecurity products have been publicly reported or confirmed as deployed for military, intelligence, or law enforcement surveillance applications within Israel or the occupied Palestinian territories. Surfshark’s terms of service prohibit use of its services for unlawful purposes.²⁴ Surfshark’s transparency report²³ documents legal requests received from government authorities; the publicly available version of this report does not identify Israeli law enforcement or military requestors.

Offensive Cyber & Weapons Technology

No public evidence identified. Surfshark’s entire documented product portfolio is defensive and privacy-oriented: VPN tunnelling, antivirus, data breach alerting, private search, and tracker blocking.¹¹⁵ No offensive cyber capability, zero-day exploit development, vulnerability brokering, or weapons-effects system has been identified in any source reviewed.

AI, Algorithmic & Autonomous Systems

AI/ML Features & State Provision

Surfshark’s publicly documented AI and machine learning features are limited to consumer-facing functions: AI-driven malware detection within its antivirus module and automated server-load optimisation for VPN connection routing.¹⁵ No provision of AI or ML systems to Israeli state bodies, military agencies, or law enforcement entities has been documented in any source reviewed for this audit.

Training Data & Model Development

No public evidence identified of Surfshark AI models trained on civilian population data, intercepted communications, or surveillance-derived datasets from Israel or the occupied territories. Source classes checked include Surfshark’s corporate blog,¹⁵ academic publications, and NGO technology reports.¹⁶¹⁷

Autonomous Systems & Lethal Applications

No public evidence identified. Surfshark does not produce autonomous targeting, fire-control, drone guidance, or weapons-effects systems. This sub-category is not applicable to Surfshark’s documented business activities.

Technology Ecosystem & R&D Footprint

R&D Locations

No public evidence identified of any Surfshark or Nord Security group R&D facility, engineering office, innovation laboratory, or accelerator programme operating within Israel. The group’s documented engineering and R&D presence is concentrated in Vilnius, Lithuania (primary engineering hub), and Amsterdam, Netherlands.²³¹³ These locations are consistent across corporate press releases, LinkedIn company data,¹³ Crunchbase profiles,¹¹¹² and tech media coverage of the 2022 merger.¹⁴

Acquisitions & Strategic Investments

No public evidence identified of any Surfshark or Nord Security group acquisition of an Israeli-origin technology company, or of any strategic investment in Israeli technology start-ups, Israeli venture capital funds, or Israeli accelerator programmes. Nord Security’s disclosed corporate development activity — including the Clario integration and various Nord product-line expansions — does not involve Israeli-origin entities.¹²

Patent & Intellectual Property

No public evidence identified of patent co-development, cross-licensing agreements, or IP arrangements between Surfshark and Israeli-domiciled entities or Israeli research institutions (Technion–Israel Institute of Technology, Hebrew University of Jerusalem, Weizmann Institute of Science, or comparable bodies). Source classes checked include the USPTO patent database (searched by assignee), the European Patent Office register, and Surfshark corporate disclosures.

Civil Society Scrutiny & Regulatory History

NGO & Academic Reports

No published NGO investigation specifically addressing Surfshark’s technology relationships with the Israeli state, Israeli security services, or operations in the occupied Palestinian territories has been identified in research conducted for this audit. The primary surveillance-technology research bodies reviewed — Amnesty International,¹⁶ Human Rights Watch,¹⁷ the Who Profits Research Center,¹⁸ the Palestinian Campaign for Academic and Cultural Boycott (PACBI),²⁵ and the BDS National Committee²⁶ — do not name Surfshark in the context of Israeli state or military technology provision.

Boycott & Divestment Campaigns

No public evidence identified of any organised BDS or divestment campaign specifically targeting Surfshark related to technology provision to Israel or operations in the occupied territories. The BDS National Committee’s technology sector campaign materials²⁶ and PACBI’s published campaign targets²⁵ do not list Surfshark as a named company.

Regulatory & Legal Actions

No public evidence identified of regulatory inquiries, export control actions, sanctions-related investigations, or legal challenges involving Surfshark’s technology sales or services to Israeli state entities. Source classes checked include EU regulatory databases, the US Bureau of Industry and Security (BIS) Entity List, Israeli regulatory records, and major legal and financial news outlets. Surfshark’s publicly available transparency report²³ and privacy policy⁸ document its general legal compliance posture; no Israel-specific regulatory action is referenced in those documents.

Surfshark’s Own Transparency Infrastructure

Surfshark maintains a warrant canary and publishes periodic transparency reports disclosing aggregate government data request statistics.²³ It publishes its privacy policy⁸ and GDPR documentation⁹ as standing public instruments. Third-party audit reports from Cure53⁵ and Deloitte⁷ are publicly accessible. These disclosures, while not exhaustive, represent an above-average level of transparency for the consumer VPN sector and provide no indication of undisclosed Israeli state relationships.

End Notes