Freely subscribe to our NEWSLETTER

Here’s the breakdown of published VPN audits:
VPN provider Privacy/no-logs audit? Security audit?
NordVPN Yes – Deloitte, 2022 Yes – Cure53, 2022
Surfshark Yes – Deloitte, 2022 Yes – Cure53, 2021
ExpressVPN Yes – KPMG, 2022 Yes – Cure53, 2022
CyberGhost Yes – Deloitte, 2022 No
Proton VPN Yes – Securitum, 2022 Yes – Securitum, 2022
Private Internet Access Yes – Deloitte, 2022 No
Atlas VPN No Yes – MDSec, 2022 (Windows app) and VerSprite, 2021 (iOS app)
Windscribe No Yes
PrivadoVPN No No
IPVanish Yes – Leviathan, 2022 No
StrongVPN No No
HMA Yes – VerSprite, 2020 Yes – VerSprite, 2020
TunnelBear No Yes – Cure53, 2022
VPNSecure No No
Hide.me Yes – DefenseCode Ltd, 2015 No

VPN audits are a key part of consumer trust towards VPNs, showing that they run a secure service that doesn’t abuse customers’ data. Companies do not have to release the findings but most reputable VPN providers will publish results to boost the reputation of their service. Nick Seaver, Cyber Risk Partner at Deloitte, stated:

“VPN providers are not obliged to release the findings of a privacy or security review to the public. However, many reputable VPN providers choose to publish the results of these reviews as a way to show potential and existing users that they are committed to maintaining high standards of security and privacy.”
With recent VPN data leaks, the question of VPN provider trust has become a central part of the online privacy debate meaning published VPN audits are more important than ever before. VPNs are used by around 1.5 billion online users for private and safe internet usage as well as bypassing restrictions and censorship.

There are two types of VPN audits that external authorities conduct:
• Security audits - conducted by a third-party auditor (see more on these below) - highlight whether a VPN platform has any vulnerabilities and what data it logs.
• Privacy policy/no logs audit - the auditor will review a provider’s no-logs policy, looking at their connection and usage logs, as well as any data saved on their servers. They will then release a report detailing their findings, outlining whether the policy matches the data held on their server.

Audits are normally conducted yearly by external companies specialising in VPN privacy and security. These include the notable ‘big four’ consulting firms - Deloitte, KPMG, PwC, EY - as well as specialist cybersecurity firms such as Cure53, MDSec, VerSprite, Securitum, and Leviathan.

Nick Seaver of Deloitte further states: “Many VPN providers claim to maintain a no-logging policy, which generally means at a minimum they do not store any data relating to user internet activity. The data that is logged by some VPN services can include the time users connect and disconnect from the VPN, their real IP address and the address of the VPN server, the volume of data transmitted and connection information, such as your device, operating system and VPN software.
For people who are using VPNs to keep their online activities confidential and secure, the provider’s logging policies are important and it’s a good idea to read the policy carefully. The policy should clearly explain what data the VPN does and does not log, for what purpose and the duration the logs are kept. Logging policies potentially enable the provider to track and store information about users’ internet activity.
If providers log your activities in detail, they can track your internet activity and potentially share it with others. If users want a VPN for privacy and security, it’s important to choose a provider with an appropriate no-logging policy.”