NordVPN has published the results of an audit conducted by Deloitte last month to confirm its no-logs claims.
NordVPN, like all virtual private network (VPN) products, encrypts internet traffic and hides the user’s IP address to make tracking harder and provide privacy and security. A critical link to this privacy chain is the “no-log” practices, meaning that they do not store any records of the users’ browsing activities and data exchange.
However, without independent audits verifying those no-log VPN claims, users cannot be sure they constitute anything other than empty marketing promises. Through rigorous testing and examination of the VPN’s infrastructure and policies, these audits assess whether the provider is genuinely not keeping logs of user activities.
In the case of NordVPN, the company claims that it logs only the minimum necessary for service provision, which includes email address, encrypted password, basic billing information, and order history. Also, NordVPN’s servers verify the user credentials and subscription status during account authentication. Finally, session information containing the username is sent periodically to the firm’s infrastructure and deleted within 15 minutes after its termination.
NordVPN claims not to store incoming or outgoing traffic data, user IP addresses, websites visited, amount of data transferred, which VPN servers were used, what DNS queries were made, and what files were downloaded. All connections between the user and the servers are encrypted, logging is disabled at both the service and the network level, and all VPN servers run on RAM (with no hard drives). We also find RAM-only servers with ExpressVPN and Surfshark.
Deloitte conducted the fourth no-logs audit for NordVPN, serving as yet another independent organization validating the vendor’s claims.
To reach sound conclusions, Deloitte’s specialists were provided access to NordVPN infrastructure from November 30 until December 7, 2023. During that period, they interviewed NordVPN employees, examined servers and logs, reviewed configuration settings that impact data privacy, and evaluated NordVPN’s technologies such as ‘Double VPN,’ ‘Onion over VPN,’ ‘P2P servers,’ and ‘Obfuscated servers.’
The conclusion is that NordVPN does not store any logs anywhere on its service infrastructure, so users’ browsing histories, IP addresses, and data exchange remain private at all times. Most importantly, this data cannot be demanded or forcibly acquired (via seizures) by law enforcement authorities, not even when investigating criminal offenses.
The full findings of the Deloitte audit can be found here for those interested in diving deeper into what the firm looked at and how they validated NordVPN’s claims.
While this is an important validation of the privacy assurances given by the renowned software vendor, users need to remember that these audits do not guarantee that solid privacy-preserving practices are followed without deviation during periods outside the examination times.
Also, some technologies, such as the dedicated IP VPN servers, SmartDNS, SNI Proxy, and HAProxy, which NordVPN offers to cover specific user needs, were outside the scope of this audit and weren’t evaluated. The same applies to physical security, internal control environment, and internal security measures set to prevent unauthorized access within the firm’s environment.