Why do VPN audits matter?

In an age of malware, intrusive advertising, and cyber-criminals trying to snoop on your browsing habits and steal your information, a lot of folks use VPNs to give their online privacy an extra boost.

Without a VPN, your internet provider can see everything you do online. They can see what websites you visit, the apps you use, and the files you download. When you use a VPN, you block that information from your ISP, but now the VPN provider could (if it wanted to) see all this information as it passes through the encrypted tunnel. An unscrupulous provider could use that information against you or, worse still, sell it to a third party like a marketing company or even to a cybercriminal.

For this reason, it’s imperative that any VPN provider you pick, such as one from our best VPN list, is a no-logs provider. This means the VPN provider doesn’t keep any information that could be used to identify its users – and an audit is a surefire way to prove that a provider walks the walk as well as talks the talk.

NordVPN – from $3.09 per month
The best VPN overall
NordVPN is our top VPN pick thanks to an unbeatable offering that includes an impressive set of privacy and security tools, unrivaled unblocking ability, and a wide network of servers all over the world. Last year, NordVPN had its no-logs claim audited and verified for the fourth time, so this is a VPN provider you can use with confidence. See for yourself with a 30-day money-back guarantee.

View Deal

What is a no-logs policy?

At the core, a no-logs policy is a promise from your VPN provider that it isn’t collecting and storing the data that passes through its servers. From a privacy standpoint, that would include things like real-world IP addresses, browsing history, downloads, and so on.

That isn’t to say that VPNs don’t collect any data at all – they do need to collect some information to be able to offer a service. This usually includes connection activity, logging when people connect to the VPN and when they log off, but these logs should be anonymized so no one user can be identified, or temporary so that they’re deleted after some time.

The problem is that, when you use a VPN, you really have no idea if it’s sticking to its own rules. You’ve got no way to confirm whether or not it’s logging what you’re doing online.

This is where a VPN audit comes in. The provider will bring in a third-party auditor, such as Deloitte, PricewaterhouseCoopers, or Cure53 to name but a few, who can confirm whether or not the provider is actually sticking to its no-logging claims. Ideally, an audit shouldn’t be a one-time thing either, and the best VPNs undergo regular audits to prove they’re still living up to their privacy and security claims. ExpressVPN, for instance, has 18 independent audits under its belt!

What happens during a VPN audit?

A VPN audit is a marathon, not a race, which is why some smaller companies might avoid undertaking them. It’s a huge investment of both time and resources, but it’s well worth it to a company that wants its customers to know it meets the highest standards of privacy and security.

The VPN provider has to open its system to outside experts who will work to ensure that the provider complies with its no-logs policy. The auditors will check for flaws in the provider’s systems, evaluate the measures the provider has taken to protect its users, what records it holds, and so on.

The provider may also decide that it wants to go for a full-on security audit, and that’s where the auditors test the provider’s security features and the overall health of the service, looking for any weaknesses that could leave the provider open to potential data breaches or cyber-attacks.

No two audits are exactly the same as it’s up to the VPN provider to decide how far they wish to go, and what they want to give the auditors access to. As well as looking at software, policies, and processes, the audit might even involve on-site visits to the provider’s headquarters or the data center where the servers are located. Other things the auditors look at can include -

• Security and logging configurations
• The provider’s apps and browser extensions
• Backend systems
• The source code for the apps
• The auditor might even carry out interviews with a VPN provider’s staff

What are the benefits of a VPN audit?

We’ve established that a VPN audit can be quite disruptive to a VPN provider’s day-to-day activities, to say nothing of the costs involved in getting a third party in to examine the systems, but there are major benefits:

• An audit will highlight any issues to the provider, and show ways that it can improve existing system security
• The audit will ensure that the provider is compliance with all state, federal, and international regulations
• It gives the provider a clear picture of how will its current systems would work to protect user data in the event of a breach or system failure
• A successful audit helps promote trust with the provider users by proving that its no-logs claims aren’t just empty promises, but something it’s committed to upholding.

Where can you find audit reports?

Bringing in a third-party auditor is a time-consuming and costly proposition for a VPN provider, but it’s also an important marketing tool. An audit report can be used to reassure existing customers and potential new customers that their online activities are safe, and helps set a provider apart from its competitors that haven't been audited. Most providers will make an audit report available to the public or, at the very least, to their existing customers.

The provider will want to share the positive results as well as highlight their commitment to fixing any issues that the audit might have uncovered. Both NordVPN and ExpressVPN, for instance, publish their audit results on their respective blogs.