Published on: January 12, 2023
NordVPN conducted the third independent audit of its no-logs policy. The audit was performed by Deloitte, which is an industry-leading auditing firm. It’s a member of The Big Four — four massive firms that oversee over 80% of US public companies. Deloitte confirmed that NordVPN doesn’t store any logs of user data, including the websites customers visit and files they download.
NordVPN also passed audits in 2020 and 2018, which were both reviewed by PricewaterhouseCoopers AG in Switzerland.
The most recent audit lasted from Nov. 21 to Dec. 10, 2022. The investigation into NordVPN was very in-depth, as Deloitte had “interviews with NordVPN employees as well as inspections of server configuration, technical logs, and other servers in our infrastructure.” They also tested their double VPN, obfuscated, Onion Over VPN, and P2P servers to guarantee all of their servers are safe. Their settings and procedures were also tested.
According to the full report, the security audit doesn’t cover dedicated IP servers nor does it audit for security or security measures in place for data transferring. This audit exclusively verifies the no-logs policy using a point-in-time assessment. This means that practitioners can only rely on what they saw during the period of time they tested the servers.
The conclusion of the report states that “the configuration of IT systems and management of the supporting IT operations is properly prepared,” which is a very reassuring conclusion from such a massive audit firm.
NordVPN recently posted the audit results to its website and stated “these results underline NordVPN’s unwavering commitment to user privacy.” NordVPN also gave the reason they sought a third review of their no-logs policy.
“By engaging a trusted and independent Big Four firm, we hope to reassure our users that NordVPN will always uphold a robust no-logs policy,” the VPN said in a blog post. “Our users need to know that they can trust us. If you’re going to use a VPN service, you need to know that it’s not going to track your data. You need to have confidence in the security and effectiveness of its features and infrastructure. That’s what our audit process is all about.”