PureVPN is committed to the online privacy and security of our users. As part of our commitment, we have continually worked towards ensuring that the trust remains safeguarded.
As an additional step to bolster trust, PureVPN engaged Altius IT, a leading independent US-based auditor, to perform a security audit of our systems and No-Log Policy.
And today, we are pleased to announce that Altius IT has verified PureVPN’s Zero Log Policy. The auditor provided the following conclusion, stating:
“[We] Did not find any evidence of system configurations and/or system/service log files that independently, or collectively, could lead to identifying a specific person and/or the person’s activity when using the PureVPN service.”
Here is the summary of the audit report.
————————————-SUMMARY OF THE AUDIT REPORT—————————————-
PureVPN No Log Certification
Brief Summary of the Audit Report
Introduction
Transparency is the core principle that builds trust. It is what assures users that the service they are using is reliable and trustworthy.
The audit report by Altius IT is the reflection of the transparency that PureVPN promises in its privacy policy and no-log claim.
Altius IT is a security/privacy audit and risk management service. The independent auditor is board certified by the Information Systems Audit and Control Association (ISACA) as:
- Certified Information Systems Auditors
- Certified in Risk and Information Systems Controls
- Certified in the Governance of Enterprise IT
Based in California, Altius IT has provided auditing and risk management services to thousands of organizations over the years. It has also served on the Board of Directors of renowned associations, namely:
- International Association of Professional Security Consultants
- NetTeCH nationwide association of IT companies
- Association of Professional Consultants
- Technology Professionals Association
The independent auditor follows industry standards and requirements of ISACA, an international association that ensures IT governance.
PureVPN called in the experts at Altius IT to audit its servers, servers’ configurations and system logs to obtain “reasonable assurance” regarding the VPN service’s no-log claims.
Audit Summary
The scope of Altius IT's services involved reviewing and assessing the documentation and systems of PureVPN. It developed an audit process that included the analysis and evaluation of servers’ configuration as well as system log files.
Altius IT started its audit by first going through the privacy policy of PureVPN, clause by clause. It paid particular attention to all the logging-related statements so that it could compare them against the technical server configurations and systems.
The logging-related statements included the types of data that PureVPN claims it doesn’t record, the types of information it does capture, and how it captures them.
Documentation Review
Before starting the technical assessment, Altius IT reviewed all the documents pertinent to the servers, network provisioning, and network modification.
- PureVPN provided Altius IT its Network Diagram that carries detailed information of its network infrastructure.
- PureVPN also provided documents related to the default VPN server provisioning configuration as well as the playbooks (a set of configurations) that are used on the Central Orchestration server.
- PureVPN also forwarded documents related to the personnel who are responsible for deploying updates on the network and making other necessary changes or modifications.
Technical Evaluation
After reviewing the documentation, the auditing firm proceeded to the evaluation of technical configuration.
- Altius IT first identified a sample of Central Servers on which PureVPN services are running. It also inspected the configurations made on those Central servers.
- It then identified a sample of VPN Servers on the network. The auditor installed PureVPN’s application on their mobile and connected to the selected VPN servers.
- They used different modes and features of the app. The auditor referred back to the VPN Server Configuration to inspect any changes or modifications.
- They also kept checking the VPN server log files for entries related to:
  - Browsing activities
  - Connection logs
  - VPN IPs, original IPs
  - Connection time
  - History of browsing
  - Sites visited
  - Outgoing traffic
  - Or, any other personally identifiable information.
Findings
After detailed evaluation and auditing, Altius IT reported that it didn’t find any evidence that shows PureVPN keeps any data that could identify any specific person or any browsing activity.