HMA no log policy gets stamp of approval from auditor

(Image credit: HMA)

Following an independent audit from the cyber-risk consulting firm VerSprite, the VPN service HMA has been awarded a low risk user privacy impact rating for its no-logging policy.

The assessment, which categorizes risk level on a scale of low to critical, included analysis of data, traffic and storage on both the client and server-side of the company's service as well as the disconnection of user identities with data containing information about online user activity.

HMA first introduced its no-logging policy earlier this year and its successful third-party audit from VerSprite forms part of a broader initiative by the company to become a privacy champion for users worldwide.

Commercial director at HMA, Andrei Mochola explained why the company decided to carry out an independent audit of its service and infrastructure in a press release, saying:

“The VPN industry has struggled with a trust issue for a long time. The ownership of some VPN companies is ambiguous at best or concealed at worst, and many people are unaware that they’re handing over their data to organisations which offer little to no visibility on what they do with it. Our ambition is to set a new standard in privacy protection for consumers by being painstakingly transparent across all touch points in our privacy policy, our products and our communications.”

Independent audit

VerSprite's technical private independent audit covered HMA's clients for Android, iOS, Mac and Windows and started from the installation process all the way through the entire data flow of the in-scope endpoint applications.

The firm applied a privacy-focused threat model to encompass manual assessment techniques aimed at identifying where privacy violation risks may be present within the VPN service's clients. The objective of the independent audit was to identify, report and provide recommendations for any technical gaps related to HMA's no-logging policy. This isn't the first time that HMA has worked with VerSprite as the firm also conducted security penetration testing on its VPN service.

CEO of VerSprite Tony UcedaVélez provided further insight on how its security team searched for privacy violations in HMA's VPN clients, saying:

“For years, VerSprite's Research & Offensive Security teams have found numerous zero day vulnerabilities and risks in VPN software. HMA relied on our offensive security team’s talents to focus more on privacy violations that could be present via the VPN client software. We worked to help validate the assurances made from the no-logging policy and helped them understand the nature of the risks identified so that they could improve the product’s overall privacy level.”

  • We've also highlighted the best VPN services
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.