Proton VPN Passes its Independent No-Logs Audit for 5th Consecutive Year
- Proton VPN 5th no-logs audit: Securitum found no browsing, DNS, or traffic logs across reviewed VPN servers and configurations in 2026 audit.
- Scope and methodology: Audit covered selected Free and Paid servers, configuration files, and systems under operator-assisted inspection model.
- Controls and limitations: Dual-control safeguards exist, but audit is point-in-time, sampled, and excludes source code and broader infrastructure.
Proton VPN has completed another independent review of its no-logs practices, with cybersecurity firm Securitum concluding that the company's VPN server infrastructure remains consistent with its publicly stated privacy commitments.
The assessment was carried out on-site at Proton AG's offices in Zurich, Switzerland, between May 20 and May 22, 2026. Two senior security consultants from Securitum conducted the review, focusing on whether Proton's VPN infrastructure collects, stores, or retains information that could be used to identify users' online activity.
According to the audit report, the review covered selected production VPN servers, configuration files, deployment systems, operational procedures, and internal technical documentation related to the company's no-logs implementation.
What the Audit Set Out to Do
At its core, the assessment focused on a straightforward question: does Proton VPN's infrastructure actually function without collecting or retaining information that could reveal user activity?
To answer that, Securitum reviewed production VPN servers from both Proton's Free and Paid environments, with server samples selected at random during the engagement. The auditors examined VPN configurations, traffic-handling systems, DNS processing, monitoring tools, local logging behavior, runtime data, and operational procedures.
The review was conducted in an operator-assisted model. Proton engineers demonstrated systems, configurations, and documentation live, while Securitum directed the verification process, selected areas for inspection, and requested specific evidence.
Auditors also reviewed configuration management practices and change-control procedures designed to protect the integrity of Proton's no-logs environment.
What Auditors Found
Securitum structured its assessment around a series of technical questions aimed at determining whether Proton VPN's infrastructure could create, store, or retain user-identifiable activity records.
According to the report, auditors did not identify any mechanisms configured to track or retain users' browsing activity on the reviewed VPN servers. The examined systems were found to process customer traffic without storing records of browsing history, traffic contents, or online destinations.
The review also examined metadata that could potentially be used to link users to VPN activity, including source IP addresses, assigned tunnel IP addresses, session timestamps, session duration, DNS queries, and VPN server selection information. Securitum reported that it found no evidence that such information is retained in a way that could be associated with individual users.
DNS handling was reviewed as part of the assessment, with auditors stating that they did not identify DNS query logging capable of linking queried domains to a specific user, VPN session, or assigned tunnel IP address.
Securitum additionally reported that it found no evidence that the reviewed VPN servers inspect or log the contents of users' network traffic. Based on the configurations and operational procedures examined during the audit, customer traffic was not found to be written to storage, exported to centralized logging systems, or otherwise retained.
The auditors also investigated whether Proton VPN records information about the websites, services, or external servers users access while connected to the VPN. After reviewing DNS systems, firewall configurations, traffic-processing mechanisms, metrics, and runtime data, Securitum stated that it did not identify retained records that would allow Proton to determine which websites or services were accessed by a specific user.
Another area of focus was whether Proton could determine which external services had been accessed through a particular VPN server. According to the report, the monitoring systems reviewed were designed to track server health, performance, and operational status rather than customer activity. Securitum said it found no customer-generated destination data in the reviewed server-level monitoring and logging systems.
The audit also examined whether Proton applies the same no-logs protections across its network. Based on selected server samples and configuration reviews, Securitum reported that it found no differences suggesting that privacy protections are applied differently across Free and Paid environments, subscription tiers, or geographic regions.
Beyond user activity logging, auditors reviewed controls intended to prevent unauthorized configuration changes. According to the report, Proton demonstrated mechanisms designed to detect unexpected modifications that could enable logging features, including VPN daemon logs, DNS query logging, firewall logging, or debugging output. The company also showed monitoring and alerting systems intended to identify deviations from approved server configurations.
Securitum further reviewed Proton's change-management procedures and reported that modifications affecting logging-related settings require review and approval by another authorized employee before deployment. The report describes this as a dual-control process intended to reduce the risk of unauthorized or unilateral changes.
The auditors also directly inspected active VPN configuration files and stated that they did not identify logging directives that would retain browsing activity, DNS queries, destination metadata, session information, or user-to-server mappings.
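A sketch of the two checks described above: comparing a configuration against its approved baseline, and scanning it for directives that would turn logging on. This is an added example, not Proton's or Securitum's tooling. The report summary does not name the software involved, so OpenVPN, Unbound and iptables syntax is assumed, and the sample configurations are constructed.

```python
import hashlib
import re

# Assumed rule set: the report summary does not name the daemons in use, so
# OpenVPN, Unbound and iptables-save syntax stand in for the categories the
# auditors list (VPN daemon logs, DNS query logging, firewall logging, debug output).
RULES = {
    "vpn": [
        (re.compile(r"^(log|log-append|status)\s+(?!/dev/null)\S+"), "vpn-daemon-log"),
        # Assumed policy: any non-zero OpenVPN verbosity counts as a deviation.
        (re.compile(r"^verb\s+[1-9]\d*\b"), "verbose-output"),
    ],
    "dns": [
        (re.compile(r"^(log-queries|log-replies):\s*yes\b"), "dns-query-log"),
        # Unbound verbosity 3 and above emits per-query information.
        (re.compile(r"^verbosity:\s*([3-9]|\d{2,})\b"), "verbose-output"),
    ],
    "firewall": [(re.compile(r"-j\s+(LOG|NFLOG|ULOG)\b"), "firewall-log")],
}

def find_logging_directives(kind, text):
    """Return (line_no, label) for each active directive that enables logging."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        for pattern, label in RULES[kind]:
            if line and pattern.search(line):
                findings.append((line_no, label))
    return findings

def check_config(kind, text, approved_sha256):
    """Combine drift detection (hash vs. approved baseline) with the directive scan."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    return {"drift": digest != approved_sha256,
            "findings": find_logging_directives(kind, text)}

# Constructed sample configurations (not taken from any real server).
APPROVED_VPN = "port 1194\nproto udp\nverb 0\nlog /dev/null\n# log-append /var/log/vpn.log\n"
APPROVED_VPN_SHA256 = hashlib.sha256(APPROVED_VPN.encode()).hexdigest()
TAMPERED_VPN = "port 1194\nproto udp\nverb 4\nstatus /run/vpn/status.log 10\n"
DNS_CONF = "server:\n    verbosity: 0\n    log-queries: yes\n"
FW_RULES = '*filter\n-A FORWARD -i tun0 -j LOG --log-prefix "fwd "\n-A FORWARD -i tun0 -j ACCEPT\nCOMMIT\n'

if __name__ == "__main__":
    print(check_config("vpn", APPROVED_VPN, APPROVED_VPN_SHA256))
    print(check_config("vpn", TAMPERED_VPN, APPROVED_VPN_SHA256))
    print(find_logging_directives("dns", DNS_CONF))
    print(find_logging_directives("firewall", FW_RULES))
```

A hash mismatch alone only says the file changed; the directive scan says whether the change is one that would start retaining data, which is the case an alert should escalate.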
Finally, Securitum examined whether Proton maintains records showing which VPN server a user was connected to at a particular time. According to the report, Proton's architecture separates user identity from VPN server operations and avoids sending primary account identifiers, such as email addresses, to VPN servers during normal session handling. While temporary runtime data may be used to support active sessions, auditors reported that they found no evidence that such information is retained after a session ends or exported in a way that creates historical user-to-server records.
What the Audit Did Not Cover
It is worth being clear about what was outside the scope of this review, since no audit covers everything.
The assessment did not include a review of Proton's CI/CD pipelines - the automated systems used to deploy software updates. It also did not involve any source code review of the VPN software itself, nor did it cover Proton's account management, billing, or customer support systems. B2B VPN servers were also excluded, as was any analysis of the VPN client applications used by end users.
The auditors were also clear that this is a point-in-time assessment. It reflects how things were configured during those three days in May 2026. It is not a continuous guarantee of future behavior. Additionally, because the review was conducted in an operator-assisted model - where Proton staff demonstrated the systems rather than auditors having fully independent remote access - the results are based on what was shown and made available during the engagement.
Securitum reviewed selected server samples and not the full global server fleet, which spans many countries and data centers.
The Bigger Picture
Proton VPN's no-logs claim has now been independently verified four consecutive times by the same auditing firm. Each published report is publicly accessible, and Proton has shared links to all of them - including the current one.
The audit also noted that since the previous assessment in 2025, Proton has made infrastructure changes focused on reducing unnecessary system privileges, improving separation between components, and tightening configuration controls. These changes were reviewed as part of the 2026 engagement and were found to be consistent with the no-logs approach.
Securitum's recommendation going forward is that Proton continue commissioning independent audits on a regular basis, so that any future changes to the platform can continue to be verified by a third party.
The full report is published and accessible through Proton's official channels.