What Are VPN Audits, and Why Are They So Important?

The VPN market is saturated, with dozens of VPNs offering various technologies, features, and, most importantly, price points. When deciding on a VPN, you may be tempted to choose a low-cost or even free VPN to save money. 

But are free VPNs all they’re cracked up to be?

A VPN requires specialized infrastructure, software, and skilled staff to maintain the network. It’s worth questioning how free VPN providers can afford to offer proper privacy and protection without taking a single cent from their customers.

The truth is, you still pay for the service, just in a different way. The privacy policies of certain free VPN providers state that they may share user data with third parties like advertisers, marketers, and other partners. Free VPN providers sell these types of data to remain in business. It’s not unrealistic to assume they’ll also cut corners with unreliable services or weak encryption to save money.

So what are the hallmarks of a good VPN service? For starters, a quality VPN opens itself up to scrutiny and audits. This gives you confidence they have nothing to hide. At CyberGhost VPN, we’re delighted to have been independently audited by Deloitte.

Read on to find out what a VPN audit covers and why it matters to VPN providers.

What Is a VPN Audit?

Most VPN audits focus on a VPN provider’s logging policy, but some concentrate more on security. Here’s the difference between the two types of audit.

Security Audits

Security audits focus on how secure a VPN’s infrastructure and software are. The audit may look at a provider’s security policies and test apps and source code for vulnerabilities.

Security audits can vary widely. Some may only focus on a specific app or browser extension, whereas others take a broader approach to security.

Privacy Audits

A privacy audit is a review of a VPN’s privacy practices and logging policy. During a privacy audit, an auditor will typically look at the provider’s privacy policy, terms of service, and security practices by conducting tests and vulnerability assessments.

VPN logs are various types of user data that providers can collect from you. This can include IP addresses, server statuses, and visited websites. If a provider claims it has a No Logs policy, an audit can confirm this to give customers extra peace of mind.

Internal vs. External Audits

It’s important to understand the difference between an internal and external audit.

Internal Audits

Most companies have some kind of internal audit process to troubleshoot issues and improve their service.

In an internal audit, the cybersecurity department of a VPN provider conducts its own tests, looking for weaknesses in its network and software systems. Internal audits are cheap to carry out, as they tend to only require staff time. However, the downside is that the company doesn’t get independent verification from a third-party auditor.

External Audits

Published VPN audits are generally conducted by impartial third-party providers, and their goal is to ensure transparency and fairness. These audits are commonly conducted according to international testing standards like those established by the International Auditing and Assurance Standards Board and other respected institutions.

External audits are expensive and require a lot of staff time to prepare. However, they offer extra reassurance to customers that their VPN provider is fulfilling its obligations.

How Are VPN Audits Conducted? 

The VPN provider and auditor agree on the scope of a VPN audit. Privacy audits tend to be more in-depth than security audits. The best audits delve into the servers, infrastructure, and management systems to ensure nothing gets overlooked. Other VPN providers may have their browser extensions, apps, servers, and even source code examined.

Depending on what is being tested, auditors might conduct penetration testing to determine the security of a VPN provider’s system and check settings to verify that they match what the VPN provider claims.

In 2022, CyberGhost was independently audited by Deloitte Romania. Deloitte scrutinized our VPN server network and management systems to confirm whether our privacy policy matches our server configurations.

Deloitte paid special attention to our No Logs policy and its implementation. The company also looked at our change, configuration, incident management, and dedicated IP VPN token-based systems. 

What Do VPN Audits Say About a Service? 

A VPN audit helps solidify a VPN provider’s legitimacy and gives you confidence your provider takes the necessary measures to safeguard your privacy. 

This doesn’t automatically mean unaudited VPNs are untrustworthy or unsafe. Not every VPN provider has the capacity to commission an audit, as VPN audits are generally costly and require extensive preparation.

What Information Do VPN Audit Reports Give? 

Depending on the scope of the audit, an audit report can provide a comprehensive overview of the VPN provider and its services. This can include information about: 

• Logging
• VPN servers and physical infrastructure
• Security and logging configurations
• Apps and extensions
• Backend systems
• Source code
• Interviews with a VPN provider’s staff on compliance and security

Besides the positive aspects of the VPN service, a thorough report will most likely reveal some issues for the VPN provider to address. This may include minor shortcomings, such as inefficient use of RAM, or more significant issues, like a bug that could disrupt services. 

A report can also reveal potential problems a VPN provider could face. VPN audits help identify the types of security measures and improvements providers need to make to minimize risks to your data.

Where Can You Find Audit Reports?

Some VPN audits are available for download either on the VPN provider’s or third-party auditor’s website. Other VPN providers publish snippets of the audit report and share selected results with consumers. 

At CyberGhost VPN, we believe in full transparency. Rather than sharing excerpts of the report, which could be taken out of context, we let you read our full audit report. You can obtain a copy of the report by emailing ceroromania@deloitte.com, by filling out this contact form, or directly from your CyberGhost account.

Was CyberGhost VPN Independently Audited?

Yes, CyberGhost VPN was independently audited by Deloitte Romania in 2022. During the audit, Deloitte paid special attention to our No Logs policy and its implementation. The team also looked at our change management protocols, configuration and incident management, and dedicated IP token-based systems. 

The goal of the audit was to examine and determine to what extent our privacy policy matches our existing server configurations. 

Secure Your Data with a Premium VPN

When deciding on the right VPN, you want to put your privacy and security first. Basic VPNs may hide your IP address and route your internet traffic, but they don’t offer the same level of protection as premium VPNs, and some don’t even encrypt your data.

Premium VPNs, like CyberGhost, give you advanced security and DNS leak protection. Most have a No Logs policy, which helps further protect your data. Remember, when you use a VPN, you entrust your data, browsing habits, and other information to its servers. You need to be sure your service provider handles your data and online experience correctly.


What is a VPN audit?

A VPN audit may be security-focused or privacy-focused. Privacy-focused audits independently verify a VPN provider’s logging policies. If a VPN provider claims to hold no logs, a VPN audit can confirm this.
Both security and privacy audits can highlight technical and software issues for a VPN provider to address. 

Can VPN companies track your activity? 

Technically, yes, any VPN company could see your browsing data and track your activity. Free VPNs sometimes collect and sell your data to third parties to make money. This data might include your IP address and the websites you visited when using the VPN. 
Most premium VPN providers have a No Logs policy. This means they promise not to track or store your online browsing data. Some VPNs conduct audits to get independent verification of their claims. Find out more about how a VPN hides and protects your data.

Can a VPN be subpoenaed? 

Yes. A VPN provider, like any other company, can be subpoenaed. CyberGhost has been subpoenaed in the past. However, this doesn’t necessarily mean that we’ll be forced to hand over information. We also use RAM-based servers, which wipe all user activity with every reboot, so it’s unlikely we’d have any data to hand over.
CyberGhost VPN operates out of Romania, which upholds strong privacy laws and supports our No Logs policy. You can learn more about the legal requests we get (and refuse) by reading our transparency reports.

Does CyberGhost VPN keep logs? 

No, CyberGhost does not keep logs of user activity. CyberGhost is a No Logs VPN provider, which means we never track your online habits when you’re connected to our servers. We’ve built our VPN infrastructure around our No Logs policy. For example, we use RAM-based servers, which delete all data every time they reboot.
