The popular VPN provider, NordVPN, has undergone a fourth independent security audit that confirmed the VPN provider’s no-logs policy is valid.
NordVPN announced the audit, which was performed by Big Four firm Deloitte, earlier this week, and shared Deloitte’s findings on its blog. The company looked for vulnerabilities in NordVPN’s product for a week, between Nov. 30 and Dec. 7, 2023.
The evaluation involved conducting interviews with NordVPN staff members and a thorough examination of the VPN’s server setup, infrastructure, and technical log files. Deloitte also inspected settings and procedures related to privacy on NordVPN’s standard servers, obfuscated servers (which hide VPN traffic), Double VPN (route traffic through 2 servers instead of 1 to double-encrypt traffic for better privacy), Onion Over VPN servers (allow browsing Tor), and P2P servers (optimized for use with file-sharing software, like torrent clients).
The firm concluded that NordVPN is true to its no-logs policy, which states that the VPN provider doesn’t track or log any records regarding users’ online activities, including the websites they browse or the files they share and download.
“Based on the procedures performed and the evidence obtained, in our opinion, the configuration of IT systems and management of the supporting IT operations is properly prepared, in all material respects in accordance with the NordVPN’s description set out in the Appendix I, as of 07th December 2023,” the Deloitte report reads.
According to NordVPN’s Privacy Policy, the only data collected includes the customer’s email address, which is used for account creation and communication, and payment details for processing refunds. NordVPN also records the timestamps of each user’s most recent session to verify that they’re not using NordVPN on more than 6 devices simultaneously. However, this information is removed 15 minutes after the user disconnects from NordVPN, and the VPN deletes all and any communications a user’s had with NordVPN’s customer support.
NordVPN conducted its last audit a year ago. This marks the second time that Deloitte audits and verifies NordVPN’s no-logs policy. Its no-logs policy was first audited and confirmed in 2018 by PricewaterhouseCoopers (PWC) AG in Switzerland conducted audits. The popular VPN provider hired the same company to conduct an audit of its no-logs policy in 2020, too, and found no privacy concerns.