What are the details of ProtonVPN's no-logs policy?
Executive Summary
ProtonVPN maintains a strict no‑logs policy that declares the company does not record users’ online activity, connection metadata, IP addresses, session lengths, or DNS queries, and this claim is backed by public company statements and multiple independent audits carried out over several years. Independent verification from Swiss auditor Securitum, reported across outlets in 2022, 2024 and 2025, along with Proton’s open‑source apps, Secure Core architecture, Swiss jurisdiction, transparency reporting and a 2019 legal test where no logs could be produced, together form the core evidence supporting ProtonVPN’s no‑logs claim [1] [2] [3] [4] [5].
1. Why auditors kept coming back — the timeline of repeated third‑party checks
ProtonVPN’s no‑logs assertions were subject to multiple independent audits that progressively reinforced the claim, with an early high‑level verification reported in April 2022 and additional, more recent audits in July 2024 and September 2025 confirming continued compliance with the policy. These audits by Swiss security firm Securitum inspected server deployments, configuration files, operational procedures and change‑management controls, and found no evidence of traffic or metadata logging, with the company publishing reports to demonstrate transparency [2] [3] [5]. The recurrence of audits—described as third and fourth consecutive attestations in 2024 and 2025—addresses concerns about drift in operational practices over time and signals Proton’s commitment to ongoing external validation rather than a one‑off review [6] [7].
2. What Proton says it does and where your data “lives”
ProtonVPN’s public policy states the service does not log user traffic, communications content, or connection metadata, and applies the same protections to free and paid users, subject to reasonable limits on excessive consumption; servers are described as encrypted and the company emphasizes Swiss residency and strong local privacy laws for stored data. Proton also highlights its use of Secure Core servers to add layers of protection and that application code is open source and previously audited, which the company positions as further evidence its practices are verifiable and consistent with the no‑logs promise [1] [8] [4]. Transparency reports on law enforcement requests and the availability of audit results are used to substantiate the claim that even if requests occur, no session logs exist to hand over [1].
3. How auditors checked — methods and important caveats
Securitum’s audits involved both high‑level policy assessments and low‑level technical checks, including inspections of server configuration, deployment processes, and VPN configuration files; auditors reported no traces of logging mechanisms or storage of usage metadata in the environments reviewed. Press coverage details the audit scopes as including operating procedures and change‑management, and notes that Proton’s applications are open source and have undergone prior code audits, strengthening visibility into client behavior [2] [3]. Audits attest to the absence of logging in examined systems at the time of review, but the audits’ limited scope and snapshot nature mean they demonstrate compliance during audit windows rather than continuous, absolute proof across all future operations.
4. Real‑world test: legal request in 2019 and what it showed
ProtonVPN’s no‑logs stance was tested in a 2019 legal case where the company reported it could not produce logs because they did not exist, a factual event cited by Proton and auditors to show operational reality matches policy. This real‑world instance underpins the technical findings from audits by providing a non‑audit verification point that Proton’s infrastructure lacked user session logs at that time, and that Swiss jurisdiction and company practices contributed to the inability to comply with a logging demand [4]. Combining legal incident history with repeated audits and public transparency reporting creates a stronger evidentiary chain than any single element alone, though observers note each element addresses different angles of assurance.
5. What remains important for users assessing risk today
Taken together, public policy statements, repeated Securitum audits in 2022, 2024 and 2025, Proton’s open‑source apps, Secure Core architecture and the 2019 legal test provide multi‑pronged corroboration that ProtonVPN operates without user activity or metadata logging [2] [3] [7] [4]. Users should recognize audits are point‑in‑time verifications and that no system is immune to future changes, so ongoing transparency—regular audits, published reports and open code—matters for sustained trust. For those evaluating ProtonVPN, the most recent 2025 audit and the company’s repeated willingness to undergo independent checks are key facts supporting the no‑logs claim, while the combination of Swiss legal protections and published audit findings furnishes the most current and diverse corroboration available [5] [7] [1].