Proton VPN’s no-logs policy confirmed by an external audit

Update July 18, 2024: This article has been updated to feature the latest audit of our no-logs policy by Securitum, which was concluded on July 12, 2024. Links to all our no-logs policy audits are included.

We’re pleased to announce that Proton VPN has passed a third consecutive annual third-party audit of our infrastructure that confirms our strict no-logs policy. When we say we are a no-logs VPN, it is not just a claim: it has been double-checked by independent experts.

As an organization founded by scientists who met at CERN, we believe in peer review and transparency. This is also why we make all our apps open source so that anyone can examine our code. 

Of course, we understand that not everyone has the time or skills to inspect code themselves. That is why, in addition to our internal audits, we regularly submit our apps to third-party security audits and make the results public. This way, everyone can get an independent expert’s opinion of our apps’ security.

In the most recent security audit of all Proton apps, security experts from Securitum, a leading European security auditing company that oversees more than 300 security testing projects every year for major corporations and banks, uncovered no significant security issues. This shows that Proton’s internal audits and culture of secure software development are effective. And because our apps’ code is entirely open source, our security is bolstered by our bug bounty program, which brings security experts together from all around the world to check our applications.

However, with a VPN service, it’s also important to verify what is happening on the server side, and not just the application side. 

Why it’s important to verify a VPN’s no-logs policy

When you connect to a VPN, it effectively becomes your internet provider, meaning any VPN provider is technically capable of tracking and logging what you do online. While many VPNs claim to have no-logs policies, these policies do not always hold up when put to the test. 

Proton VPN’s strict no-logs policy was tested in a legal case in 2019. We were ordered to turn over logs to help identify a user, but we were unable to comply because these logs did not exist. Proton VPN’s Swiss jurisdiction also confers additional benefits for VPN services. For example, within the current Swiss legal framework, Proton VPN does not have any forced logging obligations. However, there remains the possibility that an incorrect server configuration or flawed system architecture could cause logs to be accidentally stored.

To address this, we’ve asked Securitum to perform regular thorough examinations of our infrastructure and server-side operations. Securitum security experts spent several days on site reviewing our VPN configuration files and server configurations, assessing our operating procedures, and interviewing our staff. The audit was extensive and checked the following:

  • Does Proton VPN track your activity on VPN servers (servers that are passing the traffic)?
  • Does Proton VPN log metadata about the activity on VPN servers, such as DNS traffic?
  • Does Proton VPN inspect or log the network traffic on VPN servers?
  • Does Proton VPN monitor or log information about which services (websites, servers, etc.) you connect to?
  • Does Proton VPN monitor which services (websites, servers, etc.) have been used by a specific VPN server?
  • Does Proton VPN apply the same privacy policy to all servers, regions, and subscription tiers?
  • Does Proton VPN have a specific process to ensure that any unauthorized configuration change (such as “log=false” to “log=true”) will be detected? Will it trigger an automatic alarm?
  • Does Proton VPN have a proper change management process in place to ensure that any authorized changes applied to the logs-related configuration files are reviewed and approved by another employee (dual control)?
  • Do VPN configuration files have any logging enabled?
  • Does Proton VPN log information about which VPN server you are connected to at a given time (or which users are connected to a specific VPN server at a given time)?

The resulting report confirms that we do not keep any metadata logs, do not log your VPN activity, and do not engage in any practices that might compromise your privacy. 

The report also confirms that as Proton VPN adds more features and functionality to our service, this in no way impacts our strict no-logs policy.

“During the audit, it was confirmed that the Proton VPN product complies with the No-Log policy and offers the highest standards of security and privacy. No traces of user logs were detected, and user privacy is protected through both technical and organizational measures. All changes and additional features are developed based on the fundamental principle of maximizing user security and privacy”.

You can read the latest full report from Securitum below:

In line with Securitum’s recommendations, this is now the third consecutive annual audit of our no-logs policy. You can also read our past no-logs audits by Securitum:

Trust through transparency

At Proton, we believe that all claims should be investigated and verified, including our own. Going forward, we will continue to perform regular security audits and publish the results so you can read an independent security professional’s report before you entrust us with your data.

If you are a security researcher, we also invite you to support security at Proton through our bug bounty program that offers generous bounties to anyone who can identify vulnerabilities in our open-source services.

Sign up for Proton VPN to get a transparent, open-source, and fully audited no-logs VPN that respects your privacy
