Update September 19, 2025: This article has been updated to feature the latest audit of our no-logs policy by Securitum. Links to all our no-logs policy audits are included.
We’re pleased to announce that Proton VPN has passed a fourth consecutive annual third-party audit of our infrastructure that confirms our strict no-logs policy. When we say we are a no-logs VPN, it is not just a claim: it has been double-checked by independent experts.
As an organization founded by scientists who met at CERN, we believe in peer review and transparency. This is also why we make all our apps open source so that anyone can examine our code.
Of course, we understand that not everyone has the time or skills to inspect code themselves. That is why, in addition to our internal audits, we regularly submit our apps to third-party security audits and make the results public. This way, everyone can get an independent expert’s opinion of our apps’ security.
In the most recent security audit of all Proton apps, security experts from Securitum, a leading European security auditing company that oversees more than 300 security testing projects every year for major corporations and banks, uncovered no significant security issues. This shows that Proton’s internal audits and culture of secure software development are effective. And because our apps’ code is entirely open source, our security is bolstered by our bug bounty program, which brings security experts together from all around the world to check our applications.
However, with a VPN service, it’s also important to verify what is happening on the server side, and not just the application side.
Why it’s important to verify a VPN’s no-logs policy
When you connect to a VPN, it effectively becomes your internet provider, meaning any VPN provider is technically capable of tracking and logging what you do online. While many VPNs claim to have no-logs policies, these policies do not always hold up when put to the test.
Proton VPN’s strict no-logs policy was tested in a legal case in 2019. We were ordered to turn over logs to help identify a user, but we were unable to comply because these logs did not exist. Proton VPN’s Swiss jurisdiction also confers additional benefits for VPN services. For example, within the current Swiss legal framework, Proton VPN does not have any logging requirements. However, there remains the possibility that an incorrect server configuration or flawed system architecture could cause logs to be accidentally stored.
To address this, we’ve asked Securitum to perform regular, thorough examinations of our infrastructure and server-side operations. Each year, Securitum security experts spend several days on site reviewing our VPN configuration files and server configurations, assessing our operating procedures, and interviewing our staff. Their annual audits are extensive and check the following:
- Is user activity tracked or logged on the production VPN servers that handle user traffic?
- Is connection metadata, such as DNS queries or session timestamps, logged on VPN servers?
- Is user network traffic actively inspected, or are its contents logged on VPN servers?
- Is information monitored or logged regarding the specific services (e.g., websites, external servers) a user connects to?
- Are aggregate logs maintained that correlate services accessed (e.g., websites, servers) with the specific VPN server used?
- Is the No-Logs policy applied uniformly across all servers, in all geographic regions, and to all user subscription tiers?
- Is an automated process in place to detect and generate alerts for unauthorized configuration changes that could enable logging (e.g., changing a “log” parameter from false to true)?
- Is a formal Change Management process, incorporating a dual-control (four-eyes) principle, enforced for all authorized changes to logging-related configurations?
- Do the active configuration files for the core VPN services contain any enabled logging directives?
- Is information logged that associates a specific user with a specific VPN server they are connected to?
The resulting reports confirm that we don’t keep any metadata logs, do not log your VPN activity, and do not engage in any practices that might compromise your privacy.
The reports also confirm that as Proton VPN adds more features and functionality to our service, this in no way impacts our strict no-logs policy. As the latest (2025) report concludes:
“The technical evidence reviewed showed no instances of user activity logging, connection metadata storage, or network traffic inspection that would contradict the No-Logs policy. Furthermore, the audit verified the implementation of robust administrative and technical controls, including automated configuration management and a formal dual-control change process, which are designed to ensure the continuous integrity of the no-logging environment.
Based on these findings, Securitum attests that the Proton VPN service, as configured at the time of the audit, fully complies with the privacy commitments outlined in its No-Logs policy”.
You can read the latest full report from Securitum below:
In line with Securitum’s recommendations, this is now the third consecutive annual audit of our no-logs policy. You can also read our past no-logs audits by Securitum:
- Proton VPN no-logs security audit 2024
- Proton VPN no-logs security audit 2023
- Proton VPN no-logs security audit 2022
Trust through transparency
At Proton, we believe that all claims should be investigated and verified, including our own. Going forward, we will continue to perform regular security audits and publish the results so you can read an independent security professional’s report before you entrust us with your data.
If you are a security researcher, we also invite you to support security at Proton through our bug bounty program that offers generous bounties to anyone who can identify vulnerabilities in our open-source services.
Sign up for Proton VPN to get a transparent, open-source, and fully audited no-logs VPN that respects your privacy.