What Is A VPN Audit and Why Do They Matter?
Let’s say you’ve finally found it: the best VPN for you. It’s sleek, has a no-logs policy, coupled with an absolute smorgasbord of security features — and it does all that without breaking the bank!
But, how would you know that your VPN actually does all of those things? It’s one thing to say they’ll do it, but it’s another matter entirely to actually do it — especially once they’ve gotten your money.
That’s where VPN audits come in. These are usually performed by a different company to verify that your VPN is actually doing what they say they’re doing, security-wise.
In this article, you’ll learn how these audits are conducted, what they cover, and where you can find them. What’s more, we’ll even list three reliable VPN providers and their audit results, just so you can be sure that they’re trustworthy. If all that sounds like your cup of tea, go ahead and dive right in!
What Is a VPN Audit?
When you pay for a VPN, you’re putting not just your trust but also the safety of your private data in that company’s hands. However, your trust can only get you so far. As the old Russian proverb goes, “Trust, but verify.”
Fortunately, most VPN companies (the good ones, anyway) know this, so they call in other companies to perform audits. These are reviews of a VPN’s various aspects, covering topics such as its security, server infrastructure, and policies.
For example, a security audit will let you know whether a VPN’s security is as good as it says it is. Among other things, this would involve checking whether your VPN provider actually uses encrypted connections to send data back and forth between your computer or device and its servers.
On the other hand, a privacy audit would check how your VPN company handles customer information, such as billing info, IP addresses, and more. Do they keep any logs, or are they as “zero-log” as they say? An audit will let you know exactly that.
These audits are often performed by third-party organizations, such as cybersecurity companies like Cure53, or auditing firms like KPMG or Deloitte.
These are known as external audits, as they are performed by personnel from outside of the VPN provider, ensuring that the results are as unbiased and independent as they can be.
What Information Do VPN Audits Provide?
Now that you know what VPN audits are, it’s time to learn precisely what information they provide. As we’ve stated above, this information generally depends on the scope of the audit. However, a comprehensive audit often looks at the following aspects:
- VPN servers and infrastructure
- Logging policies
- Source code
- Backend systems
- Configurations (e.g. logging and security)
- Apps and extensions
- Company staff (they’re interviewed on things like compliance and security)
What to Look for in a VPN Audit
Although companies often want to only show their nicer side, a good audit should also reveal any negative aspects of the company. These range from low-severity issues, such as inefficient RAM usage, to high-severity ones, such as code vulnerabilities that could potentially result in a service interruption or even a server intrusion.
Some audits can even indicate any potential issues that the provider may face in the future, which helps a provider remedy them before they become a real problem.
All in all, these various bits of information help you get a clearer picture of just how a VPN company operates, allowing you to verify whether or not they’re as trustworthy as they say they are, and then make an informed decision.
How Important Are These VPN Audits Anyway?
VPN audits are important for users who want to make sure their VPN is trustworthy and that they’re actually getting what they’re paying for. These audits can help users understand how secure their VPN actually is, as well as what information is being collected (if any) and how it’s used.
Because these audits are conducted by third parties, they provide an independent view of a VPN that doesn’t have any biases or conflicts of interest. This means that you’ll get an honest assessment of your chosen service — not one influenced by marketing campaigns or other factors that might sway an internal audit team.
Where Can I Find VPN Audits?
Given how important and informative these audits are, most VPN providers usually post their results on their websites for everyone to see, often on their blog or news sections. However, providers sometimes only include snippets of their audit results in these articles.
Thankfully, if you’ve signed up with a nice, reliable, and trustworthy VPN, they’ll usually put a link to the full audit report in the article itself, letting you check the results yourself and see how well (or how poorly) they’ve done.
What’s more, these audits can also sometimes be found on the third-party auditor’s website.
If you’re curious about the results of these audits, then you’re in luck. We’ll link the most recent auditing results of three of the best VPN providers that we’ve found in the section below. Don’t just take our word for it — read the audits’ results for yourself!
3 Premium VPN Providers You Can Always Rely On
Now that you know the ins and outs of VPN audits, you may be wondering which VPN providers are actually good and which ones aren’t. Alternatively, you may be sweating bullets, wondering whether or not you should continue with your current — unaudited — provider or switch to a new one.
Either way, relax — we got you. Here are three handpicked VPN services that passed their recent audits with flying colors:
1. ExpressVPN
First up is ExpressVPN ($8.32/mo), which is hands-down one of the best VPN services you can buy — despite its higher price tag. It’s fast, easy to use, and extremely secure — it even works on iOS! What’s more, it’s also very reliable, having servers across 94 different countries.
It even has a no-logs policy — no activity logs, no connection logs — nothing. It won’t log your IP address, browsing history, traffic destinations or metadata, or DNS queries. The only things that they collect are the following:
- Apps and app versions successfully activated
- Dates (not times) when connected to the VPN service
- Choice of VPN server location
- Total amount (in MB) of data transferred per day
They say that they collect this data to troubleshoot issues, provide technical support, and identify and fix any network-related issues. Sounds good, right? But where’s the proof?
Here it is. ExpressVPN’s most recent audit was done by Cure53, a German cybersecurity firm, in October and November 2022. This audit focused on Lightway, an open-source VPN protocol that ExpressVPN “built from the ground up.”
Only five low-severity and four informational issues were found. No critical, high, or medium-severity issues were identified, and ExpressVPN immediately remedied these issues, as confirmed by a retest by Cure53 in February 2023.
ExpressVPN’s blog post also contains links to all of their past audits, so you can snoop around and dig through as many audits as you like. For example, its no-logs policy passed an audit conducted in 2022.
2. Surfshark
Founded in 2018, Surfshark ($2.30/mo) is a relatively new provider, but it’s already been making waves. It’s built a solid reputation for itself with its array of more than 3,200 servers across 100 countries, unlimited connections, excellent price, and formidable security, complete with AES-256-GCM encryption.
Surfshark also has a no-logs policy, and it hides your online activities from your ISP, which can help you avoid targeted ads and overall increase your online security.
And if you’re looking for proof of this, here’s one of the Big Four auditing firms, Deloitte, confirming in December 2022 that, yes, Surfshark does indeed keep zero logs of your activities.
3. NordVPN
Last but certainly not least is NordVPN ($3.29/mo), boasting over 5,600 ultra-fast servers in 60 countries, 256-bit encryption, and even a pretty crazy “Double VPN” feature, which routes your traffic through two VPNs, doubling the encryption.
NordVPN also touts itself as “more than just a VPN”, providing you with threat protection, the ability to create your own private encrypted network, and even a dark web monitor. And like the previous two VPNs, NordVPN also has a no-logs policy — how’s that for value?
Like Surfshark, NordVPN was also recently audited by Deloitte on its no-logs policy, handily passing the auditing firm’s keen eye and stringent procedures. Oh, and did we mention that this is the third time that NordVPN’s passed this audit? Talk about dedication!
What’s more, NordVPN most recently passed a security audit by Cure53, which performed a “penetration test and source code audit” against NordVPN’s servers, infrastructure, and Windows, Linux, and macOS apps.
Audited for Privacy, Audited for Success
Well, that’s it for our overview of VPN audits and how they work (as well as everything in between)! We know how confusing it can be when there are so many different options available, but with our tips and suggestions, you’ll have no problem at all picking a safe and secure VPN provider.