Has DuckDuckGo undergone independent privacy audits or published transparency reports about data retention?

Checked on December 21, 2025

Executive summary

DuckDuckGo has commissioned and published some third‑party security audits — notably a 2024 external audit of its VPN conducted by Securitum — and maintains public pages about Content Security Policy reporting and its privacy policy [1] [2] [3]. However, independent reporting and privacy experts cited in recent coverage say DuckDuckGo has not undergone a comprehensive, formal independent privacy audit specifically validating its broad “we don’t track you” claims or detailing enterprise‑grade data‑retention practices for its core search service [4].

1. What has been independently audited: product security, not broad privacy claims

DuckDuckGo has made at least one explicit concession to external review: the company engaged Securitum to carry out a security audit of its VPN and supporting infrastructure in October 2024, and the published summary reports no critical vulnerabilities while listing findings, remediations, and accepted risks [1]. That audit — a conventional security assessment focused on implementation weaknesses and operational risk — is the clearest example in the public record of an independent third‑party engagement [1]. The presence of that audit supports DuckDuckGo’s claim that it conducts product‑level security assessments and plans regular external audits of that offering [1].

2. What DuckDuckGo publicly publishes about privacy and telemetry

DuckDuckGo publishes a privacy policy describing its data‑handling posture, examples of minimal contact‑data usage, and technical practices intended to avoid building search histories or profiles [3]. The company also documents a Content Security Policy (CSP) reporting mechanism that it says is anonymous and does not contain personal information, which it uses to validate CSP updates without creating user‑level telemetry [2]. These documents constitute transparency artifacts but are policy statements and operational descriptions rather than independent attestations about data retention or the absence of tracking [3] [2].

3. The gap flagged by privacy researchers: no comprehensive privacy audit or public retention report

Investigative reporting and privacy commentators have seized on a perceived gap: while DuckDuckGo has product security audits, critics say it has not, at least publicly, undergone a formal, comprehensive privacy audit that independently verifies the company’s overarching privacy claims and explains data‑retention practices in forensic detail [4]. The cited coverage states that the only external check documented was a complaint investigation that verified ad‑copy wasn’t false advertising, and that independent auditors found exceptions and opaque handling — notably a Microsoft “tracking exception” — that undercut the tidy privacy narrative [4]. That reporting frames the absence of a full privacy audit as the central concern for privacy experts [4].

4. Alternative readings, motivations, and what the evidence supports

DuckDuckGo’s published audits and policy pages can be read as a genuine effort at selective transparency: third‑party security reviews for high‑risk products (VPN) and technical controls like anonymous CSP reporting are verifiable items in the public record [1] [2]. Conversely, privacy watchdogs and some security researchers interpret the lack of a single, wide‑scope independent privacy audit and a detailed public data‑retention report as a legitimate shortcoming, especially after revelations about specific exceptions or integrations with large ad/telemetry systems [4]. Reporting suggests vested interests on both sides: the company has a commercial incentive to preserve a privacy brand, while critics have an incentive to push for stricter verification. The public documents show compliance steps but do not replace a comprehensive, third‑party privacy attestation about search‑engine tracking and retention policies [1] [3] [4].

5. Bottom line

The factual record shows DuckDuckGo has undergone and published at least one external security audit (the 2024 VPN audit) and publishes privacy and CSP documentation, but independent reporting and privacy experts note there is not a publicly available, comprehensive independent privacy audit or detailed transparency report that explicitly documents data‑retention practices for its core search service and whether any exceptions (such as Microsoft‑related mechanisms) exist and how they are logged [1] [2] [3] [4]. Where the sources are silent, this analysis does not speculate beyond the cited documents.
