Surfshark Review: NordVPN's Fake Competitor (Same Company, Lower Price, Why?)

Surfshark is owned by the same parent company as NordVPN, but costs less. I investigate why, how the merger actually works, and whether you should buy it.

Surfshark at a Glance

label	value
Pricing (2-year plan)	$1.99/month
Servers	4,500+ in 100 countries
Simultaneous connections	Unlimited
Protocols	WireGuard, OpenVPN, IKEv2
Speed retention (avg)	81% downloads, 52% uploads
No-logs audit	Yes (Deloitte, 2025)
Infrastructure audit	Yes (SecuRing, December 2025)
Parent company	Cyberspace (same as NordVPN, AtlasVPN)
GDPR response	Passed (24-hour PDF response)
Netflix unblocking	Yes, 9-15 regions
Streaming issues	Occasional, region switching fixes
Money-back guarantee	30 days

⚡ 30-Second Verdict

Buy Surfshark if: You want the cheapest VPN that actually works, don’t care about brand loyalty, and need unlimited device connections. The SecuRing audit is solid, speeds are real, and GDPR compliance beats NordVPN by a country mile.

Don’t buy Surfshark if: You think you’re buying a competitor to NordVPN. You’re not. You’re buying NordVPN’s discount product, owned by the same parent company. If privacy from the parent entity matters, look at Mullvad or ProtonVPN instead.

The real question: Why does Cyberspace undercut itself? Read on.

Commission Disclosure: I earn affiliate commissions when you sign up through the links on this page. I’m disclosing this upfront because transparency matters—and because Surfshark’s pricing strategy is so aggressive, the conflict of interest is worth highlighting. More on why that pricing exists in a second.

The Ownership Reality: Surfshark Is NordVPN’s House Brand

Here’s the thing nobody talks about loudly enough: Surfshark and NordVPN are owned by the same company—Cyberspace, a Dutch holding company.

The merger finalized on February 2, 2022. Both companies claim to “operate autonomously,” which is technically true in the way that Costco’s private label is “autonomous” from Costco. Same parent, separate product lines, different price points.

Cyberspace also owns AtlasVPN, acquired in 2021. So when you’re comparing Surfshark to NordVPN, you’re not looking at competition. You’re looking at portfolio management—the same corporation selling different tiers of the same service to different market segments.

What “Operating Autonomously” Actually Means

The companies use separate infrastructure and maintain separate product roadmaps. Surfshark’s engineering doesn’t report to NordVPN’s CTO. There are real technical differences—different encryption stacks in places, different server management approaches.

But they share the same parent investors. The same legal liability framework. If Cyberspace gets subpoenaed, both brands are at risk. That’s not separation; that’s corporate structure.

Why This Matters for Privacy

If you’re buying Surfshark because you think it’s a scrappy competitor to NordVPN, you’re buying a comfortable lie. The entity controlling both companies has the same leverage points, the same jurisdictional exposure, the same capability to comply with government requests.

The silver lining: Cyberspace has institutional incentive to keep both brands’ privacy records clean. A single major leak would crater the valuations of both services. So the parent company’s self-interest actually aligns with your privacy. That’s not the same as trusting the company—it’s trusting the math.

The SecuRing Infrastructure Audit: What Actually Happened

In December 2025, Surfshark published the results of an independent infrastructure security audit conducted by SecuRing, a Czech penetration testing firm. This was Surfshark’s sixth independent audit.

What SecuRing Tested

The auditors ran penetration testing and simulated real-world attacks against Surfshark’s VPN infrastructure. The goal: verify that the network infrastructure resists unauthorized access, survives attacks, and meets “the highest security standards” (their phrasing, not mine).

They tested connectivity resilience, authentication systems, encryption implementation, and infrastructure hardening.

The Results

No critical vulnerabilities. One medium-risk finding: a single server, on a specific occasion, was using both strong modern security and some older cryptographic methods as fallback options. The older methods were only accessible in rare situations, but they existed.

Surfshark patched it. Results released January 23, 2026.

What This Means

This is solid work. SecuRing is a real firm doing real penetration testing, not a third-rate rubber stamp operation. The single medium finding and subsequent fix is normal—finding nothing would be suspicious.

But here’s what audits don’t test: They don’t audit logging. They don’t verify that Surfshark actually deletes data. They don’t check whether government requests are being secretly honored. Audits verify that the infrastructure is technically sound, not that the company is trustworthy.

Surfshark also commissioned a separate no-logs audit from Deloitte in 2025, one of the Big Four accounting firms. That audit did test logging practices and deletion policies. Deloitte signed off.

Combined? These audits give you real evidence that Surfshark’s infrastructure isn’t leaking your data by accident, and that they’re actually not storing it in the first place. That’s not a guarantee—it’s just the best evidence available in this industry.

Features and Performance: How Surfshark Stacks Up to NordVPN

Server Network

Surfshark: 4,500+ servers in 100 countries (142 city locations)
NordVPN: 8,400+ servers in 167+ countries

NordVPN has more servers. Surfshark chooses density over distribution—more servers in existing locations, fewer new countries. For most users, this doesn’t matter. You’re not connecting to Turkmenistan.

Geographic distribution across Surfshark’s network:

Europe: 46 locations
Americas: 18 locations
Asia Pacific: 27 locations
Middle East & Africa: 9 locations

Protocols and Speed

Surfshark supports WireGuard, OpenVPN, and IKEv2. All three are standard, open-source, battle-tested options. No proprietary nonsense.

Speed test results (2025 benchmarks):

Local WireGuard: 238 Mbps down, 258 Mbps up (97% retention)
Average across multiple locations: 81% download retention, 52% upload retention
Distant servers (Brazil, Australia, South Africa): Significant drops, but that’s expected with VPN physics

For comparison, TechRadar recorded Surfshark hitting 950+ Mbps on some WireGuard connections. Real-world speeds depend on your ISP, distance, and server load. Surfshark is fast. NordVPN is slightly faster in some tests, especially on its proprietary NordLynx protocol. Neither will bottleneck your connection for normal use.

Simultaneous Connections

Surfshark: Unlimited
NordVPN: 10 simultaneous connections

This is a massive advantage for Surfshark if you have a family, roommates, or multiple devices. You can run Surfshark on your router and protect every device in your house. NordVPN requires you to choose.

Streaming Capabilities

Surfshark unblocks Netflix in 9-15 regions, including the US, UK, Japan, Australia, Germany, Brazil, Canada, France, India, Italy, Mexico, and Singapore. Works on most devices, though Netflix blocks are an ongoing arms race.

Important: Surfshark discontinued SmartDNS in February 2026, which means you can’t use it on devices that don’t support VPN apps (PlayStation, older Apple TV). NordVPN still offers SmartPlay for this use case.

Surfshark also launched Nexus in early 2025—a software-defined networking upgrade that routes traffic through its entire infrastructure instead of single servers. Theoretically faster and more resilient. Real-world impact: noticeable for some users, irrelevant for others.

The Pricing Question: Why Does Cyberspace Undercut Itself?

This is the question that cuts to the core of what’s actually happening here.

2-year plans:

Surfshark: $1.99/month
NordVPN: $2.69/month

Monthly plans:

Surfshark: $15.45/month
NordVPN: $12.99/month (NordVPN wins here)

Cyberspace is literally selling you the same parent company’s technology at different price points. Why?

Theory 1: Market Segmentation

Different products for different customer segments. Surfshark targets price-sensitive buyers and families (unlimited connections are huge for this). NordVPN targets users who want more servers and don’t mind paying for brand recognition.

This is normal corporate practice. It’s why BMW sells both 3-Series and 7-Series cars. Why Microsoft sells Excel and also Calc. Market segmentation is not inherently evil—it’s how you maximize revenue.

Theory 2: The Acquisition Play

Surfshark was acquired by Nord Security in late 2021, merged in early 2022. When you acquire a company, you can either:

Shut it down and consolidate
Keep it as a separate brand to capture a different market

Cyberspace chose option 2. Keeping Surfshark running, with aggressive pricing, captures price-sensitive users that would never buy NordVPN. NordVPN users stay loyal (switching costs, brand preference). New price-conscious users buy Surfshark. Net result: higher total revenue.

The pricing isn’t a mistake. It’s intentional. And it works.

Theory 3: The Long-Term Consolidation

This is darker speculation, but worth saying: Cyberspace may be using Surfshark’s low prices to establish market dominance, integrate infrastructure, and eventually raise prices or consolidate once market competition is destroyed.

I have no evidence this is the plan. But it’s what I’d do if I owned two VPN companies and wanted to eliminate the middle tier of competitors. Undercut them for three years, build market share, then consolidate.

Caveat: This is speculation based on corporate math, not insider knowledge.

This is the most damning real-world test of privacy claims.

In early 2026, TechRadar contacted 10 major VPN providers and asked for all personal data stored on their accounts. They monitored responses over eight weeks.

Results:

Provider	Response Time	Compliance
Surfshark	24 hours	Professional PDF report, GDPR compliant
NordVPN	8+ weeks	Never delivered, failed to comply
TunnelBear	8+ weeks	Never delivered, failed to comply
Others	Mixed	Various delays

Surfshark delivered a properly formatted, readable PDF with all requested data within 24 hours.

NordVPN, owned by the same parent company, failed to respond within 30 days (the legal GDPR requirement) and never delivered data by the eight-week mark. When TechRadar followed up, NordVPN blamed the user for not verifying identity during the request—a claim that doesn’t hold up legally under GDPR.

What this proves:

Surfshark has competent legal/compliance processes
NordVPN either doesn’t care about GDPR or is incompetent at handling it
Same parent company, wildly different execution

This is the single most important real-world test of privacy claims, and Surfshark demolished NordVPN on it. The parent company’s failure on one brand doesn’t mean Surfshark’s infrastructure is compromised—but it does raise questions about whether Cyberspace is equally motivated to protect privacy across both brands.

Who Should Buy Surfshark vs. NordVPN vs. Mullvad vs. ProtonVPN

Buy Surfshark if you:

Care most about price
Have multiple devices or family members to protect
Want solid audits and real speed
Are okay with being part of a corporate portfolio

Buy NordVPN if you:

Prioritize speed and streaming performance
Want more server locations
Prefer brand recognition over pricing
Don’t mind the GDPR response failure (yet)

Buy Mullvad if you:

Want the strongest privacy guarantee in the industry
Don’t want to provide any personal information to sign up
Are willing to pay more ($5.99/month) for jurisdiction independence
Are skeptical of corporate privacy claims (rightfully so)

Buy ProtonVPN if you:

Want privacy plus integrated email and cloud storage
Prefer Swiss jurisdiction over Dutch
Don’t mind the Proton ecosystem friction
Are willing to pay for the full suite

Controversial Moments: Auto-Renewal Lawsuits

Surfshark has been hit with multiple lawsuits over auto-renewal billing practices in 2024-2025.

The claim: Customers were automatically enrolled in renewal plans without clear consent, charged repeatedly after their subscriptions ended, and weren’t notified about the auto-renewal nature of their purchase.

One customer claimed he bought a 24-month plan in May 2020 and was billed for renewals in 2022, 2023, and 2024 despite the subscription already being concluded.

What this means: Surfshark’s billing practices (or at least, its disclosure of those practices) may not meet California legal standards. Whether the company did this intentionally or through negligent UX design isn’t clear from public statements. But “we accidentally charged you repeatedly” isn’t a great defense.

On the flip side: No data breaches. No privacy scandals. No secret logging. The controversies are about billing, not security or privacy.

Don’t Trust Me — Verify Everything

I’m making affiliate commissions on every Surfshark sign-up through this site. I also have opinions about corporate consolidation, GDPR compliance, and privacy. Neither of these facts is hidden, but they’re real conflicts of interest.

Here’s how to verify my claims:

Pricing & plans: Check Surfshark’s official pricing page yourself
SecuRing audit: Read the full audit report on Surfshark’s trust center
GDPR test: TechRadar’s full investigation is publicly available
Merger details: Official announcements from both Nord Security and Surfshark
Lawsuits: Search “Surfshark auto-renewal lawsuit California” in your legal database of choice

If my framing pisses you off, read the original sources and decide for yourself. That’s the point of all this.

Key Takeaways

Surfshark is owned by the same company as NordVPN. This isn’t conspiracy—it’s public record. Cyberspace acquired both brands and operates them as a portfolio.
The pricing makes sense once you know this. Market segmentation is real and boring. Surfshark targets price-conscious users; NordVPN targets those willing to pay more.
Surfshark’s audits are solid. SecuRing’s infrastructure testing found real issues and Surfshark fixed them. Deloitte’s no-logs audit passed. This is real evidence, not marketing.
The GDPR test matters more than audits. When TechRadar asked for personal data, Surfshark delivered in 24 hours. NordVPN—same parent company—failed to deliver in eight weeks. Real-world execution matters.
Speed is real, privacy is theoretical. Surfshark’s speed tests are reproducible and documented. Privacy claims are statements of intention, backed by audits, but ultimately unverifiable without government surveillance leaks.
The auto-renewal lawsuits are real problems. Multiple customers claim they were charged repeatedly without clear consent. This is a business practice issue, not a privacy issue, but it’s worth considering.
If privacy from the parent entity matters, don’t buy Surfshark. It’s still Cyberspace. If you want actual distance from corporate holding companies, Mullvad (Swedish, independent) or ProtonVPN (Swiss, separate company) are better choices.

Affiliate Disclosure & Commission Terms

I earn affiliate commissions when you purchase Surfshark through the links on this page. These commissions don’t change the price you pay—they come directly from Surfshark’s affiliate partner budget.

I disclose this because:

You deserve to know when I have financial incentive to recommend something
Transparency builds trust better than hiding it
My credibility depends on honest reviews, which is worth more than commission rates

I won’t recommend something bad because the commission is good. I also won’t criticize Surfshark’s legitimate advantages to pretend I’m unbiased. What you’re getting is my honest assessment, with the conflict of interest stated upfront.

You can take it or leave it. That’s how this works.