NordVPN engaged the services of the accounting firm Deloitte to carry out the audit. Between Nov. 21 and Dec. 10, 2022, Deloitte studied Nord’s IT systems (including servers) and supporting IT operations. Deloitte concluded that NordVPN does not maintain customer logs. This is the third time a third-party firm has audited NordVPN’s no-logs claim. PricewaterhouseCoopers conducted the other two audits, in 2018 and 2020.

NordVPN’s No-Logging Stance Put to the Test

Deloitte performed its assessment in line with the International Auditing and Assurance Standards Board’s ISAE 3000 (Revised) standards. The accounting firm looked into NordVPN’s service description, in particular, the VPN provider’s claim that it only collects the user data necessary to maintain its services. This data includes the following: email addresses, encrypted passwords, basic billing information, and order history. NordVPN also claims it does not collect users’ IP addresses, identities, or activity.

“We do not store any incoming or outgoing traffic data, including user and destination IP addresses, browsing history/websites visited, amount of data transferred, the VPN servers used, DNS queries or files downloaded,” NordVPN states.

To verify these claims, Deloitte conducted interviews with NordVPN’s employees and inspected its server configuration as well as its technical logs. The auditors also looked into Nord’s Standard VPN servers, Double VPN servers, Obfuscated servers, Onion Over VPN (TOR) servers, and P2P servers. NordVPN gave Deloitte access to its IT infrastructure and configuration files.

“Based on the procedures performed and the evidence obtained, in our opinion, the configuration of IT systems and management of the supporting IT operations is properly prepared, in all material respects in accordance with the NordVPN’s description set out in the Appendix I, as of 10 December 2022,” Deloitte stated in its report.

Deloitte highlighted some limitations of the assessment. For starters, this was a point-in-time assessment, which means the firm cannot provide any assurances outside of the assessment period. Furthermore, it does not constitute a financial audit, nor did Deloitte look into NordVPN’s data and systems security environment.

‘Users Need to Know They Can Trust Us’

It’s common practice for top VPN providers to submit their systems to independent auditors to validate their claims. In November 2022, ExpressVPN conducted three independent audits of its desktop apps to verify they were secure. In a statement, NordVPN stressed the importance of independent audits, especially in the VPN and privacy space.

“Our users need to know that they can trust us,” NordVPN stated. “If you’re going to use a VPN service, you need to know that it’s not going to track your data. You need to have confidence in the security and effectiveness of its features and infrastructure. That’s what our audit process is all about.”

“By engaging a trusted and independent Big Four firm, we hope to reassure our users that NordVPN will always uphold a robust no-logs policy,” the VPN provider added.

If you’re interested in trying out NordVPN’s services, we recommend checking out our detailed NordVPN review. You can also read up on how to get a 30-day NordVPN free trial.
