Our commitment to online privacy is at the heart of our service – we operate on a credo of 100% transparency. However, we know that VPN use is tied to trust. We know that reviewers and journalists have often called our US headquarters worrisome. We’re here to say that we’ve always adhered to our strict no-logs policy. We have never stored metadata and we have never had data to share with the authorities.
But we are a company that wants our actions to speak for us. We don’t want you to take our no-logs promise at face value. Just as we are transparent with our source code and our regular transparency reports, we also want to be honest about our infrastructure. Because of this, Private Internet Access underwent an independent audit to verify our no-logs policy.
Deloitte, one of the Big Four accounting firms, audited our server environment and found that we do not keep logs or details which could be used to identify our users or to locate their activities.
How did Deloitte test PIA’s infrastructure?
We asked Deloitte Audit Romania to review our VPN server network and management systems, and how we maintain a zero-log VPN service, to confirm that our server configurations comply with internal privacy policies and are not designed to identify users or locate their activities. As part of this assurance engagement, Deloitte inspected our server configuration and how we maintain a zero-log VPN service. The auditing company determined that our server configurations as of June 30, 2022 align with internal data protection guidelines and are not designed to identify users or locate their activities.
The assurance engagement was conducted in accordance with the International Standard on Assurance Engagements 3000 (Revised) applicable to Assurance Engagements Other Than Audits or Reviews of Historical Financial Information (ISAE 3000 (Revised)) issued by the International Auditing and Assurance Standards Board (“IAASB”) and should be read in its entirety.
What does this mean for our customers?
To put it simply, there is no trace of your activity on our servers. That’s because our VPN service runs on RAM-only servers. These servers boot from a read-only image and use RAM modules as opposed to hard drives. Hard drives are traditionally used for storage, while a RAM-only environment is more volatile. We’ve also configured our servers to routinely restart. With every restart or power failure, all data is immediately deleted.
We specifically designed our network architecture to prevent data retention. We don’t have user data and we can’t be compelled to share information about our users — in fact, the US government can’t force US-based VPN providers to violate a zero-log policy under consumer protection laws.
In addition, we have security systems in place to ensure that third parties cannot intrude on our network. One way to do this is to turn off all error logging and debug information. If we ever need error logs for development purposes, we’ll create a brand new traffic server in an isolated environment. Despite potential downsides to our development and debugging processes, this is an acceptable trade-off for securing user data.
Even our dedicated IP service is built as a token-based system to prevent any attribution to a specific user. This token is only stored in the client, which is insufficient for server-side mapping.
This no-logs audit is another milestone for PIA
We’ve always stayed true to our commitment to online privacy. We have always championed digital freedom and anonymity. This audit by Deloitte is just another milestone in our journey as privacy advocates, but it’s not the first time our no-logs policy has come under scrutiny. PIA is one of the few VPN providers to have proven their zero-log service in court. We’ve been subpoenaed several times for logs, and each time we’ve had no data to share.
We are honest and transparent with our users and we don’t cut corners with the VPN service we offer. PIA is one of the few VPN providers that offers 100% open source VPN apps, although this is not standard industry practice. Our code is available for anyone to view and analyze.
We are also open about any changes to our server infrastructure and keep our users informed. Recently, in light of Indian Directive No. 20(3)/2022-CERT-In, we have relocated our servers in Mumbai and replaced them with virtual server locations. We made this decision to circumvent mandatory logging laws as we refuse to compromise our service and our no-logs commitment.
At home, we launched our 50 servers in 50 states campaign. Unfortunately, state and federal laws are still catching up with cybercrime, so we’re dedicated to helping Americans protect their online privacy and protect their traffic from malicious actors.
More updates to our infrastructure are coming soon as we undergo extensive hardware optimization. For example, we are slowly transitioning our fleet to colocated servers to provide increased security measures, better VPN speeds, and more reliable connections. This also means we are investing in and managing more of our own next generation servers.
We have always put our users’ privacy and digital security at the forefront of our service, and we are grateful to users who place their trust in us. We will never break that trust, and we remain true to our commitment to bring more transparency to the industry. We remain open to future independent audits and will also update our Transparency Report editions more regularly throughout the year.
Choose PIA for best-in-class security and online privacy
We have long been advocates for digital privacy and cybersecurity in the US and now have an independent audit validating our no-log VPN service. We offer the best privacy software possible, and our VPN online shield is critical to keeping your data safe in this digital age. It doesn’t matter if you need a Windows, macOS, iOS, Android or Chrome VPN, PIA protects up to 10 of your devices at the same time.
We can state unequivocally that we do not store any user activity logs or metadata. And we wouldn’t have it any other way.
We take our no-logs policy seriously, and this review isn’t our last effort. Going forward, we will continue to be transparent about the safeguards we have in place for our users.