Has any independent audit verified DuckDuckGo’s claim that it does not share user data with partners or third parties?

1. What audits actually exist — narrow technical reviews, not full privacy attestations

Reporting documents a named external review: Securitum conducted an October 2024 audit that examined DuckDuckGo’s VPN infrastructure, backend API, and VPN apps and found no critical vulnerabilities, a limited scope that focused on technical security rather than an enterprise‑wide privacy attestation ^[1]. That audit, as described in available coverage, bolsters confidence in the VPN product’s security posture but does not alone validate corporate statements about data sharing across search results, browser telemetry, or third‑party integrations ^[1].

2. Where the critics say the gap remains — no formal privacy audit reported

Multiple privacy observers and reporting repeatedly emphasize the absence of a disclosed, formal privacy audit covering DuckDuckGo’s overall practices, with critics noting that users and experts lack a single, transparent independent review that conclusively confirms the company never shares user data with partners or third parties ^{[2] [3]}. Coverage explicitly calls out that while some checks and investigations have occurred, they have not been framed as comprehensive independent audits of all privacy claims ^{[2] [3]}.

3. The Microsoft exception: why a narrow audit wouldn’t resolve the core concern

A recurring factual thread in the reporting is DuckDuckGo’s past handling of Microsoft trackers — an exception that allowed some Microsoft tracking to operate despite DuckDuckGo’s blocker, which prompted concern among experts and users and became a focal point for questions about the company’s “privacy‑first” messaging ^{[2] [4]}. Even a technical security audit of a VPN backend would not, by itself, settle whether policy, contractual exceptions, or search result sourcing create channels for data sharing with partners like Microsoft ^{[2] [4]}.

4. Regulatory or complaint investigations versus independent audits

Available sources note that at least one official complaint investigation verified that DuckDuckGo’s privacy claims were not effectively false advertising, but reporting distinguishes that process from a formal independent privacy audit — the complaint outcome was a regulatory check on advertising truthfulness rather than a forensic verification of data flows to third parties ^[2]. That distinction matters: a finding that advertising wasn’t false does not equate to a forensic, auditor‑backed confirmation that no user data is shared under any circumstance ^[2].

5. The current balance of evidence: partial assurance, not definitive verification

Taken together, the documented Securitum audit provides concrete independent scrutiny of a specific product area (VPN) and found no critical vulnerabilities ^[1], while multiple analyses and privacy commentators continue to flag the absence of a company‑wide, independent privacy audit and point to behaviour and policy exceptions that raise unresolved questions about data sharing ^{[2] [3] [4]}. Reported audits are therefore supportive in narrow domains but do not satisfy the standard of a comprehensive third‑party verification of DuckDuckGo’s blanket “no sharing” claim ^{[1] [2]}.

6. What remains unknown and what to watch for

The reporting does not provide evidence of a holistic, public independent audit that explicitly certifies DuckDuckGo’s claim of never sharing user data with partners or third parties across search, browser, and other services, and it is reasonable to conclude from the sources that such an audit either has not been performed publicly or has not been disclosed in the cited coverage ^{[2] [3] [1]}. Future transparency would require a publicly released, scope‑clear third‑party audit that maps data flows, contractual exceptions, and telemetry practices — absent that, the question remains only partially answered by the available reporting ^{[2] [1]}.