As the title says, ProtonVPN were just audited of their own accord by Securitum. Key points below.

- Does Proton VPN track your activity on VPN servers (servers that are passing the traffic)?
- Does Proton VPN log metadata about the activity on VPN servers, such as DNS traffic?
- Does Proton VPN inspect or log the network traffic on VPN servers?
- Does Proton VPN monitor or log information about which services (websites, servers, etc.) you connect to?
- Does Proton VPN monitor which services (websites, servers, etc.) have been used by a specific VPN server?
- Does Proton VPN apply the same privacy policy to all servers, regions, and subscription tiers?
- Does Proton VPN have a specific process to ensure that any unauthorized configuration change (such as “log=false” to “log=true”) will be detected? Will it trigger an automatic alarm?
- Does Proton VPN have a proper change management process in place to ensure that any authorized changes applied to the logs-related configuration files are reviewed and approved by another employee (dual control)?
- Do VPN configuration files have any logging enabled?
- Does Proton VPN log information about which VPN server you are connected to at a given time (or which users are connected to a specific VPN server at a given time)?

The resulting report confirms that we do not keep any metadata logs, do not log your VPN activity, and do not engage in any practices that might compromise your privacy.

You can read the full blog and audit at the following links.