Is Your VPN Really Protecting You? Here’s How to Tell

News Room
Last updated: 2026/02/11 at 11:02 AM
News Room Published 11 February 2026

Virtual private networks (VPNs) are supposed to give you better online privacy by encrypting and routing data through secure servers, shielding your online activity from spies, advertisers, and anyone else who may be snooping. But how can you be sure that a VPN is actually doing what it claims to do? After all, you’re handing over a lot of sensitive information to the VPN company to handle, so it’s important that these privacy-focused services maintain a high standard of trust. That’s where audits come in.

A VPN audit assesses how well a company adheres to privacy standards, manages its security infrastructure, and ensures it keeps the promises it makes to the public. I review VPNs for a living, and audits are one of the factors I take into consideration when making my assessments. Here’s why you should, too.


VPN Audits Explained: Why Third-Party Verification Matters

Consider this: You’re planning to buy a car from a seller on a local marketplace. The owner says it’s the best car ever, with no issues or any major mechanical problems. If you simply take their word for it and drive off with it, then you may have some nasty surprises waiting for you under the hood. Instead, taking it to a local mechanic for an inspection gives you an objective, knowledgeable third party that can tell you what’s really going on.

Audit firms fill a similar role in the VPN space. Your personal assessment of a service can only go so far. Research goes a long way, but no amount of investigating on your part will grant you access to backend servers or employee codes of conduct. An audit has the potential to turn all of those ephemeral claims you see in privacy policies into verifiable claims. A third-party firm stakes its name and reputation on being an independent arbiter of truth, providing objective facts free of internal policies or existing power structures. 


A thorough audit is designed to report flaws and discrepancies in internal policies or detect weaknesses in security infrastructure. The firms are unaffiliated third-party agencies that specialize in security and corporate policy adherence. While no single audit is definitive, the results of multiple consecutive audits, ideally, point to a verifiable trend you can base your purchasing decision on. 


Who Audits VPNs? Inside the Firms Behind the Reports

Audits are performed by a set of accounting and security firms frequently referred to as the “Big Four”: Deloitte, PricewaterhouseCoopers (PwC), Ernst & Young (EY), and Klynveld Peat Marwick Goerdeler (KPMG). Another popular name in the VPN space is Cure53, which focuses more on cybersecurity than the broader nature of larger firms. Further down the list are other cybersecurity firms, such as VerSprite, Securitum, and Leviathan.

“Different firms bring different strengths. Specialists like Cure53 are excellent at deep technical testing and uncovering edge cases, while firms like Deloitte or PwC are strong when you want broader assurance around processes, controls, or governance,” said Aaron Engel, CISO of ExpressVPN. It’s not a one-size-fits-all solution. Different firms bring alternative approaches and methodologies. The Big Four tend to audit privacy policies, while more specialized firms handle security assessments. 

Andrew Gault, CEO of ZeroTier, asserted that “The right firm depends on what you are trying to demonstrate and to whom.” A VPN’s choice of firm is influenced by the image it aims to present. A company with a brand image as the most secure VPN on the market may undergo more audits by firms like Cure53 to verify its claims, while another VPN may focus more on privacy audits by the Big Four to present an image of ironclad privacy. 


Privacy vs. Security: Understanding the Scope of VPN Audits

Not all audits are the same. Pay keen attention to the wording a company uses when releasing the results of an audit. Each one will vary in scope, which is why a single audit isn’t enough to determine whether a service is trustworthy. First, here are the two main types of audits and what they cover:

  1. Privacy audits: No-logs policies without an independent audit are just unverified promises. Anyone can write up what appears to be an air-tight no-logs policy. A privacy audit by a trusted firm confirms that the VPN in question adheres to its internal policies on data storage, user information, and terms of service. Now, keep in mind that an audit of this nature only checks whether the VPN is following the policies as written. A VPN could theoretically pass an audit with flying colors, but that won’t matter if its policy indicates it stores user data.

  2. Security audits: Privacy audits test policy adherence while security audits test infrastructure. A firm will hunt for vulnerabilities and conduct penetration tests to verify whether servers and the network architecture are as protected as the VPN claims. These assessments also evaluate the source code and consumer-facing applications for bugs or weaknesses. 

VPNs that get a couple of audits per year tend to request comprehensive ones that include both privacy and security evaluations. However, some companies opt for smaller, more focused assessments at multiple points throughout a given year. These include:

  1. Browser extension audit: A focused look at just the service’s browser extension, which is normally a lightweight proxy. It verifies that the extension adheres to privacy policies and doesn’t leak customer data.

  2. Code audit: Open-source code is a great first step toward transparency, but a third-party audit takes that verification to the next level. A code audit examines the public (or sometimes private) source code on which a VPN is built and ensures there are no vulnerabilities. A private code audit can be done, but you’ll still have to make a judgment call on whether or not to trust the findings since the code isn’t available to the public.

  3. Front-end audit: Front-end refers to anything customer-facing, like the desktop client and mobile app. These audits check for security issues on a per-platform basis.

  4. No-logs audit: Sometimes a company uses the terms “no-logs audit” and “privacy audit” interchangeably to refer to a comprehensive privacy assessment. However, a no-logs audit can occasionally refer to a smaller, more focused review of only the service’s no-logs policy. 



Regardless of the type of audit, the results need to be publicly available. Any company can say it passed an audit with flying colors and gussy up the findings in a nice slideshow, but the full report should be available for viewing. Otherwise, you’re left trusting the company’s word, which defeats the purpose of having an independent audit done. 

“A good audit is designed to find problems, not to validate marketing claims. It starts with a clear scope and a realistic threat model, and it gives auditors enough access to challenge assumptions and examine how the system actually works,” Gault said. Moreover, recency is important. An audit conducted in 2019 verifying a service’s no-logs policy says nothing about its data-handling practices in 2026. An audit reflects a moment in time, which is why reputable VPNs conduct audits regularly. Audits should be treated as a single indicator of trustworthiness.

Audits aren’t perfect and represent only a narrow timeframe, but a consistent commitment to the process shows that a VPN is taking steps to protect its customers. The exact timeline varies by scope, but most thorough audits can take weeks or months to complete. Given how long an investigation takes, it is normal and expected for a VPN to conduct only a couple of comprehensive audits each year.

Occasionally, you may see an internal audit or a self-reported assessment performed by the VPN’s staff. Such internal evaluations aren’t strong indicators of trustworthiness, since you’re still relying on the VPN rather than an outside verifier.


Auditing the Auditors: How Reliable Are These Firms?

The Big Four were once the Big Eight, then the Big Six, then the Big Five, and finally the Big Four. The history of the Big Four is one of mergers and acquisitions. Each of these firms is a conglomerate of many smaller companies that handle thousands of clients. These firms are professional service networks that provide services such as accounting, consulting, and auditing.

Given how frequently their names come up in VPN discussions, it’s easy to mistake these firms for dedicated cybersecurity companies. The reality is that the Big Four have such vast coverage that their scope of work is incredibly broad, and not limited to VPNs or security. VPN privacy policy audits are just one small aspect of the business, which is why some VPNs opt to use more specialized firms such as Cure53 for a security audit in conjunction with a privacy policy audit from one of the Big Four. 


Many would cite the longevity of each firm, with some, like Deloitte, established as far back as 1845, as a marker of trust. Market dominance also plays a factor. An audit is viewed more favorably if it is conducted by one of the big firms. Simply being an independent set of eyes is the main benefit of going with such a firm. They are massive companies with the resources to conduct comprehensive audits quickly and efficiently.

However, all four firms are just as flawed and prone to controversy as the companies that they tend to audit. PwC has faced various scandals over tax avoidance and its involvement in Russia’s war on Ukraine, and has been fined for failing to meet adequate auditing standards. Deloitte was subject to a data breach in 2017 that resulted in the leak of confidential client and employee data. Similarly, KPMG and EY have both been under scrutiny for alleged tax fraud and have faced multiple accusations of poor auditing practices.

The Public Company Accounting Oversight Board (PCAOB) has also questioned the effectiveness of audits performed by the Big Four. In 2019, the PCAOB conducted an analysis that found the Big Four failed or otherwise misrepresented findings in 31% of audits. Likewise, the PCAOB found in a subsequent study that auditors tend to present findings that make their clients happy so they don’t lose future business. 

Smaller security firms such as Cure53, VerSprite, and Securitum have not faced similar controversies or breaches. However, the firms have come under scrutiny for focusing on positive findings rather than critical ones in their reports. Niche cybersecurity firms can perform security audits, but many VPNs still opt for the Big Four for privacy audits, in part because of the market influence their names carry.

“…Having Deloitte, one of the Big Four auditing firms, reconfirming that is a big confirmation of privacy and transparency to our current and future users,” said Surfshark’s CTO, Donatas Budvytis, echoing the sentiment of the many companies that seek out one of the Big Four for audits. 


Deciding whether or not these firms can be trusted is complicated. Each one has a history of scandals and inaccurate auditing practices; however, a VPN that hasn’t been audited has no outside verification at all, regardless of how flawed that verifier is. One way to mitigate issues is to undergo multiple audits by various firms. Aaron Engel claims that ExpressVPN mitigates risk through diversification, and said that “We don’t believe one firm can validate everything…That diversity of scrutiny actually strengthens trust, because it reduces the risk of blind spots.”


From Findings to Fixes: Life After a VPN Audit

The actions that follow an audit are even more important than the audit itself. After all, an investigation could flag a litany of issues, but that won’t matter if the VPN doesn’t take any steps to fix them. A remediation period gives companies a chance to review and act on audit findings before the full results are published. This is why you tend to see notes in the report about how the VPN responded to a policy flaw. 



The firm then releases the full report. The company that was audited is under no direct obligation to release a statement or report in conjunction with the findings, but I have found that most VPNs publish a statement or summary of the audit findings via newsletter or blog post. For example, TunnelBear released a rundown of Cure53’s 2025 audit. 

“Once findings are delivered, there’s usually remediation work, improvement validation, and finally a public report,” said Engel, further emphasizing that, “It’s important to remember that audits don’t end when the report is published, as a good audit will drive ongoing improvements over time.”

What follows will depend on the scope of the audit and the nature of the issues found. It’s a good sign if a VPN publishes a roadmap of improvements or has clear steps it is taking to resolve issues and improve infrastructure, as outlined in the report.


Beyond Audits: How to Judge a VPN’s Real-World Integrity

Audits are valuable indicators of transparency, but there are other factors to consider when picking a service to trust with your personal data. The main aspect I consider when evaluating a VPN is how it has responded to data requests, breaches, and security incidents. Being affected by an attack that compromises sensitive data is a critical moment for a VPN. It can determine whether the service can resolve the vulnerability that led to the attack and take appropriate measures to regain user trust. Many of the biggest names in the VPN space have suffered critical breaches and have since recovered trust by taking appropriate measures after an incident. 

You should also consider independent reviews. If no one has reviewed or used a service, it may have hidden vulnerabilities. I conduct rigorous tests and research independently to see if a VPN is worth paying for. Independent outlets can be helpful in slicing through the marketing noise. Affiliate reviews and VPN blogs may be useful for conveying basic details, but it’s best to look beyond the VPN’s own reporting for more objective accounts.

“Beyond that [audits], independent certifications matter. Standards like ISO 27001 indicate a company follows established security and risk-management practices, while other frameworks can signal operational maturity. They’re not a substitute for an audit, but they do show a baseline commitment to security best practices,” said Engel when asked about additional trust factors to consider when picking a VPN. 

Trust can’t be determined from any single aspect of a VPN. Audits are immensely valuable tools for showing accountability, but they are only a single data point. It is best to get a comprehensive view of a company and evaluate its history, current practices, online presence, and more to get a clear picture. 

About Our Expert

Justyn Newman


Senior Writer, Security


Experience

My writing journey started in 2012 and has taken me through various niches, but my main focus has always been on tech. I contributed to several growing PC hardware and software sites, focusing on gaming, peripherals, and privacy.

As the amount of information we put out on the internet has grown, so have the threats and the tools we use to combat them. With VPNs gaining traction in the late 2010s as a tool for the public instead of just an option for business security, I found myself reviewing countless options in this continuously changing landscape.

This led to my role before PCMag over at WizCase, where I honed my knowledge of VPNs and privacy tools and eventually oversaw all of the content produced. I led a talented team of fellow writers and editors to evaluate VPNs, password managers, antivirus, and parental controls.
