How to read a no-logs audit (without the marketing gloss)
Every VPN claims "no logs". A small fraction back the claim with an audit. An even smaller fraction publish the audit. Here's how to actually read one.
A "no-logs audit" sounds like the kind of thing where if a company says they have one, that's the end of the conversation. It is not. The phrase covers a wide range of work, from rigorous code-and-infrastructure reviews by an independent auditor to four-page marketing exercises that audit nothing more than the company's privacy policy.
Here is how to tell the difference.
Step 1: Did they audit code, infrastructure, or just policy?
A real no-logs audit examines three things: the source code of the apps and the server software, the live infrastructure (with the auditors physically or remotely connected to running servers), and the operational policies around what happens if law enforcement shows up. A weak audit only does the third.
Look for the words "code review" and "live infrastructure inspection" in the executive summary. If you don't see those, you are reading a policy review.
Step 2: Who did the audit?
There are perhaps a dozen firms in the world that consumer VPNs hire. The reputable ones (in alphabetical order): an independent auditor, KPMG, NCC Group, PwC, Securitum, Trail of Bits. Outside that list, raise your eyebrow and read more carefully.
Inside that list, check whether the firm has reputational independence: an independent auditor in particular has called out shoddy practices in audits before, which is the behavior of an auditor doing real work.
Step 3: What is the scope?
Audits cover a defined scope. "We audited the iOS app" is dramatically narrower than "we audited the iOS, Android, macOS, Windows, and Linux apps along with the production server fleet". Both might be called a "no-logs audit" by marketing.
Read the scope page (usually 2-3 pages in). Note exactly what was tested. If only the apps were audited, the server-side claims about logging are not verified.
Step 4: Are findings published?
A real audit produces a list of findings, ranging from "informational" to "critical." A bad audit publishes only the all-clear summary. A good one publishes the findings, the company's response, and a follow-up showing the issues were fixed.
PlanetProxy publishes all findings since 2022, including the embarrassing ones. (We had a critical session-token leak in 2023; it's in the report. We fixed it in 14 days.)
Step 5: RAM-only servers and warrant canaries
Two technical things make audits more meaningful. First, if servers run from RAM and are wiped on every power cycle, the auditor can verify there are no disks to log to — a structural rather than policy guarantee. Second, a transparency report is a small public statement, updated monthly, that says "we have not received a national security letter." If it stops being updated, you have a signal.
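The "stops being updated" signal can be checked automatically rather than by memory. The sketch below is an added example, not PlanetProxy's code: it assumes the statement is plain text carrying a `Last updated: YYYY-MM-DD` line, and the function name, date format and grace period are assumptions. Verifying a signature on the statement is out of scope here.

```python
import re
from datetime import date

# Assumed format: the statement carries a line "Last updated: YYYY-MM-DD".
DATE_RE = re.compile(r"^Last updated:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.MULTILINE)
# Phrase quoted in the article; its disappearance is itself a signal.
PHRASE = "we have not received a national security letter"


def check_statement(text, today, cadence_days=31, grace_days=7):
    """Return (status, detail) for one fetched copy of the statement."""
    # Collapse whitespace so a line-wrapped sentence still matches.
    normalized = " ".join(text.lower().split())
    if PHRASE not in normalized:
        return "ALERT", "expected statement is missing or reworded"
    m = DATE_RE.search(text)
    if not m:
        return "ALERT", "no parseable 'Last updated' date"
    try:
        updated = date(*map(int, m.groups()))
    except ValueError:
        return "ALERT", "invalid 'Last updated' date"
    age = (today - updated).days
    if age < 0:
        return "ALERT", "date is in the future"
    if age > cadence_days + grace_days:
        return "ALERT", f"stale: {age} days since last update"
    if age > cadence_days:
        return "WARN", f"overdue: {age} days since last update"
    return "OK", f"fresh: {age} days since last update"


# Constructed sample, not a real provider's statement.
SAMPLE = """Transparency statement
Last updated: 2025-03-01
As of this date, we have not received a national
security letter.
"""

if __name__ == "__main__":
    for day in (date(2025, 3, 20), date(2025, 4, 5), date(2025, 5, 1)):
        print(day, check_statement(SAMPLE, day))
```

Run it on a schedule against a saved copy of the page and keep the history, so a reworded or missing statement can be compared with the last good version.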
How PlanetProxy stacks up
- Annual audit by an independent auditor, scope: all apps + server fleet + policies. Reports public.
- Biannual targeted audit by NCC Group on rotating sub-areas (clients one cycle, infra the next).
- RAM-only server architecture, audited 2024.
- Transparency report published periodically.