Proton VPN has passed the fifth consecutive independent audit of its no-logs policy, with European security firm Securitum concluding that the VPN provider's infrastructure does not retain browsing activity, DNS queries, connection metadata, or records that could link users to specific VPN activity.
The latest assessment was conducted between May 20 and May 27, 2026, at Proton AG's headquarters in Zürich, Switzerland. Two senior Securitum consultants spent six person-days reviewing Proton VPN's production infrastructure to verify whether the service operates in accordance with its publicly stated no-logs commitments.
Proton is the Swiss company behind Proton Mail, Proton VPN, and other privacy-focused services. The company has made independent audits a core part of its transparency efforts, publishing both application security audits and annual reviews of its VPN infrastructure.
According to the audit report, Securitum examined selected production VPN servers from both Proton's free and paid offerings, as well as VPN configuration files, deployment mechanisms, internal documentation, and operational procedures. The assessment was conducted on-site with Proton engineers demonstrating systems and configurations under the auditors' direction.
The auditors found no evidence that Proton VPN's infrastructure logs users' browsing activity, DNS queries, destination websites, network traffic contents, or connection metadata that could be used to reconstruct a user's online activity. Securitum also reported finding no persistent records that would allow Proton to associate a specific user with activity performed through a reviewed VPN server.
A key focus of the review was whether Proton could determine which websites or services a user accessed while connected to the VPN. Securitum concluded that the reviewed environment does not log or retain destination information in a user-attributable manner and does not maintain records showing which services were accessed through specific VPN servers. The auditors also found no persistent logging linking Proton accounts to particular VPN server connections.
Beyond verifying the absence of activity logs, Securitum examined the controls Proton has in place to prevent logging from being enabled without authorization. The auditors reviewed configuration management systems, monitoring tools, and alerting mechanisms designed to detect changes that could affect the VPN's no-logs posture. They also verified the existence of a dual-approval workflow requiring privacy-related infrastructure changes to be reviewed and approved by another authorized employee before deployment.
The report further states that the same no-logs protections apply to both free and paid VPN servers, with auditors finding no differences that would result in less restrictive privacy protections for certain regions or subscription tiers. Active VPN configuration files reviewed during the assessment also contained no logging directives that would retain user-identifiable activity data.
As with previous assessments, Securitum noted that the audit represents a point-in-time review rather than a continuous guarantee. The engagement covered selected production server samples rather than Proton's entire global VPN network, and conclusions were based on the systems, documentation, and evidence made available during the assessment period.
Despite those limitations, the auditors' overall conclusion remained clear.
“The technical evidence reviewed during the engagement did not indicate that the examined Proton VPN server infrastructure logs users' browsing activity, DNS queries, destination services, network traffic contents or user-identifiable connection metadata,” Securitum concluded. The firm added that it did not identify persistent records that would allow Proton to associate a specific user with activity performed through a reviewed VPN server.
The 2026 review marks the fifth consecutive annual no-logs audit conducted by Securitum since Proton began publishing independent assessments of its VPN infrastructure in 2022.
Leave a Reply