X-VPN Completes Independent No-Logs Audit, Confirms Privacy Practices Through Third-Party Review

Written by: Rachita Jain, VPN Staff Editor
Key Takeaways
  • X-VPN No-Logs Audit: Independent review verified no traffic logs, activity tracking, or connection data retention.
  • Privacy Controls: RAM-only servers, disabled logging systems, and automated controls support no-logs operations.
  • Future Governance: Company plans additional audits, stronger compliance measures, and greater transparency initiatives.

X-VPN has announced the completion of an independent assurance engagement that verified the company's no-logs claims and data-handling practices. According to the VPN provider, the review confirmed that it does not collect, store, or track users' connection data or online activities.

The assessment was carried out by one of Singapore's Big Four accounting firms and focused on statements made in X-VPN's Privacy Policy, along with the technical and operational controls supporting those statements. The engagement was conducted under the International Standard on Assurance Engagements (ISAE) 3000 (Revised).

Independent Review Verified Key Privacy Controls

As part of the review, auditors examined X-VPN's IT systems, operational procedures, and related controls through personnel interviews and system inspections.

The assurance engagement confirmed that X-VPN does not collect or retain traffic-related information, including users' IP addresses, destination IP addresses, browsing activity, websites visited, VPN server information, DNS requests, downloaded content, or connection timestamps.

The review also found that the company only processes the minimum information required to provide its service. This includes a user-provided email address (which does not need to be verified), a password stored using salted one-way hashing methods such as bcrypt, and order IDs and purchase history. No additional personal information is required to create or use an account.

According to the findings, X-VPN gathers only aggregated performance data such as CPU utilization, memory consumption, and service availability metrics. The company stated that these metrics do not contain personally identifiable information.

Auditors further verified that activity logging is disabled by design. System and service outputs are redirected to a null sink (/dev/null), while controls are implemented to prevent logs from being generated or retained within production environments.

Another key finding involved X-VPN's infrastructure. The company operates all VPN servers in RAM-only mode, meaning information exists solely in volatile memory and is never written to physical storage. As a result, all data is automatically erased whenever a server is shut down, restarted, or redeployed.

The assessment also confirmed that production servers are managed through an automated deployment system known as THA, which continuously enforces and validates the company's no-logs configuration standards.

Code changes are handled through a version-controlled CI/CD pipeline that includes multiple levels of review and automated security checks designed to support privacy-related safeguards.

Database access protections were also reviewed. The report found that database communications are secured through modern TLS encryption, mutual authentication mechanisms, IP whitelisting, and continuous monitoring.

Additionally, auditors confirmed that X-VPN's Privacy Policy is maintained through documented review, update, and publication processes designed to reflect actual data-processing practices. The company's Data Protection Officer (DPO) Group was also found to operate independently while providing ongoing oversight of privacy governance aligned with no-logs principles.

Based on the evidence reviewed and procedures performed, the auditing firm concluded that X-VPN complies with its stated No-Logs Policy.

The audit identified two observations during the assessment process. However, X-VPN said these findings did not affect the overall conclusion and were addressed promptly.

Due to technical disclosure requirements, the company has not made excerpts of the report publicly available. Existing users can access the full report through their X-VPN accounts. New and free users can create an account without providing additional personal information or making a payment.

What the Audit Means for Users

X-VPN said the independent assessment provides third-party verification that its statements regarding user data processing match its actual system configurations, operational procedures, and privacy controls.

According to the company, the findings indicate that it does not retain records that could be used to recreate users' online activities, identify browsing behavior, or connect internet usage to an individual's identity.

Company Highlights Importance of Independent Verification

The VPN provider stated that transparency and accountability are essential for building user trust. It said the external assessment offers a more rigorous way to demonstrate how privacy protections are implemented across its systems, operational processes, and governance framework.

X-VPN added that the verification process was intended not only to evaluate internal standards but also to address long-standing user expectations around privacy protection. The company emphasized that privacy, security, and trust should be standard features available to all VPN users rather than optional benefits.

Users interested in learning more about the verification process can visit X-VPN's Audit Center.

X-VPN Plans Additional Audits in the Future

While describing the completed assurance engagement as an important milestone, X-VPN said it does not view the audit as the final step in its privacy efforts.

The company stated that trust requires ongoing work and that privacy commitments must continue to be reflected through governance improvements, issue resolution, and transparent communication with users.

Looking ahead, X-VPN plans to strengthen its compliance and security governance programs and gradually expand its audit initiatives. The company also said it intends to share future audit findings publicly when appropriate and continue addressing concerns raised by users and the wider community through updates to its governance and disclosure practices.

According to X-VPN, its long-term goal is to demonstrate trustworthiness through continued actions rather than relying on a single audit result.

