Using a VPN service is a great way to protect your privacy online.
However, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network.
This is the main reason why we publish a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects.
It’s worth keeping in mind though that not all VPN protocols and encryption algorithms are equally secure. PPTP is known to be vulnerable for example, and pre-shared keys are also a risk. We ask all VPN providers what their best recommendation is, but we encourage readers to fully research all options.
This year’s questions are as follows:
1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
2. What is the name under which your company is incorporated, and under which jurisdiction does your company operate?
3. What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?
4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools (e.g. Live support, Zendesk) that hold information provided by users?
5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?
6. What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?
7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?
9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?
10. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?
11. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)
12. In which countries are your servers physically located? Do you offer virtual locations?
Below is the list of responses from the VPN services in their own words. These are not endorsements and trust is crucial. Providers which didn’t answer our questions directly, blocked certain traffic, or are logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.
1. We do not store any logs relating to traffic, session, DNS or metadata. We do not keep any logs for any person or entity to match an IP address and a timestamp to a user of our service. In other words, we do not log, period. Privacy is our policy.
2. Private Internet Access is operated by London Trust Media, Inc., with branches in the US and Iceland, which are a few of the countries that still respect privacy and do not have a mandatory data retention policy.
3. We have an active, proprietary system in place to help mitigate abuse.
4. At the moment we are using Google Apps Suite and Zendesk. However, we are in the process of migrating our support to Deskpro, an in-house self-hosted solution.
5. We do not monitor our users, and we keep no logs, period. That said, we do have an active, proprietary system in place to help mitigate abuse.
6. Every court order is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” We do periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. This is all driven based upon our commitment to privacy. All this being said, we do not log and do not have any data on our customers other than their signup e-mail and account username.
7. Yes, BitTorrent and file-sharing traffic are allowed and treated equally to all other traffic (although it’s routed through a second VPN in some cases). We do not censor our traffic because we believe in an open internet, period.
8. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, Bitcoin Cash, Zcash, CashU, PaymentWall, and any major store-bought gift card and OKPay. Payment data is not linked nor linkable to user activity due to our no logs policy.
9. At the moment, the most secure and practical VPN connection and encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256.
10. Yes, our users gain access to a plethora of additional tools, including but not limited to:
(a) Kill Switch: Ensures that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could lead to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.
(e) MACE™: Protects users from malware, trackers, and ads.
11. We utilize our own bare metal servers in third-party data centers that are operated by trusted friends and, now, business partners whom we have met and on which we have completed serious due diligence. Our servers are located in facilities including 100TB, Choopa, Leaseweb, among others.
We also operate our own DNS servers on our high throughput network. These servers are private and do not log.
12. As of the beginning of 2018, we operate 3172 servers across 43 locations in 28 countries. For more information on what countries are available, please visit our network information page. All of our locations are physical and not virtualized.
1. We do not keep any logs nor timestamps that could allow our customers to be identified.
2. The registered company name is Tefincom co S.A., and it operates under the jurisdiction of Panama.
3. We have developed and implemented an automated tool that limits the maximum number of connections to six devices. We do not use any other tools.
4. We use Google Analytics and third-party ticket/live chat tools (Zendesk/Zopim). Google Analytics is used to improve our website and provide our users with the most relevant information. The ticket/live chat tool is used to provide the best support in the industry (available 24/7), but not tracking our users by any means.
5. We operate under Panama’s jurisdiction, where DMCA and similar orders have no legal bearing. Therefore, they do not apply to us.
6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our zero-log policy means that we don’t have any information about our users’ online activity. So far, we haven’t had any such cases.
7. Yes, we allow P2P traffic. We have optimized a number of our servers specifically for file-sharing; this way, we ensure that other servers, which are meant for streaming and other purposes, have uninterrupted speeds.
8. Our customers are able to pay via credit card, PayPal and Bitcoin. Our payment processing partners collect basic billing information for payment processing and refund requests, but it cannot be related to any Internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details with the user identity or other personal information.
9. The ciphers we use along with the OpenVPN and IKEv2/IPSec protocols have never been cracked. Therefore, both of these protocols are highly secure. For OpenVPN connection, we use the AES 256 CBC algorithm. IKEv2/IPSec ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie-Hellman keys.
10. Yes, we do provide both an automatic kill switch and a feature for DNS leak protection.
11. We use a hybrid model, whereby we control some of our servers but also partner with premium data centers with strong security practices. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. We also have specific requirements for network providers to ensure highest service quality for our customers. We do have our own DNS servers, and all DNS requests go through those.
12. All of our servers are dedicated and located in the same countries we state they are – we do not offer virtual locations. At the moment, NordVPN provides more than 3000 servers in 59 countries. Full location list can be found at nordvpn.com/servers.
1. No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data contents, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity. It is not possible to match a user to data points that we never possess.
2. Express VPN International Ltd. is a BVI (British Virgin Islands) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach.
3. To protect our customers’ privacy, we do not monitor or log any user activity on our network. We do however reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.
5. As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices. User privacy and anonymity are always preserved.
6. Legally our company is only bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. As a general rule, we reply to law enforcement inquiries by informing the investigator that we do not possess any data that could link activity or IP addresses to a specific user. Regarding a demand that we log activity going forward: Were BVI law enforcement ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.
7. We do not believe in restricting or censoring any type of traffic. ExpressVPN allows all traffic, including BitTorrent and other file-sharing traffic (without re-routing), from all of our VPN servers.
8. ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, there is no way for ExpressVPN or any external party to link payment details entered on our website with any VPN activities.
9. ExpressVPN apps generally default to our recommended protocol for security and performance: OpenVPN UDP. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers.
10. Yes, ExpressVPN protects users from privacy and security leaks in a number of ways (for more info about leak protection, see our Privacy Research Lab). Our “Network Lock” feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios where other VPNs might leak.
11. Our VPN servers are hosted in trusted data centers with strong security practices. The data center employees do not have server credentials, and the server disks are fully encrypted to mitigate risks from physical seizure. Our policy of not collecting activity or connection logs also means that servers do not contain any data that could map users to specific activity.
We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS.
12. ExpressVPN has over 2,000 servers covering 94 countries. For more than 97% of these servers, the physical server and the associated IP addresses are located in the same country — a physical footprint covering every continent save Antarctica, ensuring there are server locations near all users.
For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards for server security, reliability, and speed, we use virtual locations to still make it possible for users to assume IP addresses from those countries. These locations represent less than 3% of ExpressVPN’s server count, and the specific countries are published on our website here.
1. No logs are retained that would allow the correlation of the user’s IP address to a VPN address. The session database does not include the origin IP address of the user. Once a connection has been terminated the session information is deleted from the session database.
2. The name of the company is PrivActually Ltd which operates out of Cyprus.
3. Real abuse is mitigated by meatware [humans]. User traffic is not monitored or inspected in any way. TCP/IP sessions are not limited individually, but by server, to 10 million established connections. Packet floods are dealt with by using adaptive packet rate limiters at the switch port level and kick in at 90k pps. The number of concurrent connections is limited by the VPN backend software.
4. There is no visitor tracking mechanism, not even passive ones analyzing the web server logs. IPredator runs its own mail infrastructure and does not use third party products like GMail. Neither do we use data hogs like a ticket system to manage support requests. IPredator sticks to a simple mail system and deletes old data after three months from the mailboxes.
5. Requests are evaluated according to the legal frameworks set forth in the jurisdictions the service operates in and we react accordingly. After receiving a request its validity is verified. DMCA takedown abuse using fake credentials seems to be all the rage these days.
6. A canary is maintained to indicate the current legal state of affairs. In case of a court order that forces us to enable log activity we would rather shut down the service than comply.
7. BitTorrent and other file-sharing traffic is allowed.
8. PayPal, Bitcoins, Payza, and Payson are fully integrated. Other payment methods are available on request. An internal transaction ID is used to link payments to the payment processor. We do not store any other data about payments associated with the user’s account. The systems dealing with payments have no connection to the part of the infrastructure that handles VPN connections. Frontend proxies are used to make sure user IP addresses do not show up in any of the backend systems.
9. IPredator provides config files for various platforms and clients that enforce TLS1.2 on supported systems. Ideally, the client negotiates ECDHE-RSA-AES256-GCM as a suite for the control and AES256 for the data channel. For further protection, detailed setup instructions and howtos are provided to our users.
10. Netsplice, IPredator’s cross-platform VPN client, has native support for various types of kill switches. You can kill a program, just put it to sleep, shutdown your machine or wipe your hard disk … it is up to you. Users can use this page to check for a number of leaks, not just DNS leaks.
11. We own every server, switch, and cable we use to provide the VPN service up to our uplink network. The machines are located in Sweden due to the laws that allow us to run our service in a privacy-protecting manner. If the situation should change we are able to move operations to a different country. The core for any privacy service is trust in the integrity of the underlying infrastructure. Everything else has to build upon that, which includes the DNS servers.
1. No logs or timestamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no logging policy we run a default shared IP configuration across all servers. Because there are no logs kept and multiple users sharing a single IP address, it is not possible to match any user with an IP and time stamp.
2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.
3. We utilize a number of highly customized scripts to monitor network performance and limit simultaneous connections through a radius-based authentication server.
4. We use anonymized Google Analytics data to optimize our website and Sendgrid for transactional email. TorGuard’s 24/7 live chat services are provided through Livechatinc’s platform. Customer support desk requests are maintained by TorGuard’s own private ticketing system.
5. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log and no time stamp policy and shared IP network – we are unable to forward any requests to a single user.
6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our shared IP network configuration and the fact that we do not hold any identifying logs or time stamps. TorGuard’s network was designed to operate with minimum server resources and is not physically capable of retaining such logs. There is no on/off switch to log activity so it would be impossible to comply with such a request. No, this has never happened.
7. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block, re-route, or limit any types of traffic across our network.
8. We currently offer over 200 different payment options. This includes all forms of credit card, PayPal, Bitcoin, cryptocurrency (e.g. Litecoin, Ethereum, Monero + many more), Alipay, WeChat Pay, UnionPay, 100+ Gift Card brands, and many other worldwide local payment options. No user can be linked back to account usage or IP assignments because we maintain zero logs across our network.
9. For best security, we advise clients to use OpenVPN and select the cipher option AES-256-GCM, with 4096bit RSA and SHA512 HMAC. We use TLS 1.2 on all servers with perfect forward secrecy enabled. For faster speeds and “obfuscated” Stealth VPN access, we suggest using OpenConnect SSL VPN with cipher option AES-256-GCM. TorGuard offers a wide range of VPN protocols, including OpenVPN, IKEv2, IPsec, SSTP, OpenConnect/AnyConnect, Stunnel, and Shadowsocks.
10. TorGuard’s VPN software provides strict security features by automatically disabling IPv6 and blocking any potential DNS or WebRTC leaks. We offer a full connection kill-switch that safeguards your VPN traffic against accidental disconnects and can hard kill your interfaces if needed, and an application kill-switch that can terminate specific apps if the VPN connection is interrupted for additional safety.
11. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by TorGuard staff. By default, the TorGuard VPN app uses private no log DNS on each VPN endpoint. The TG app also allows clients to modify their VPN session with a custom DNS entry of their choosing.
12. TorGuard currently maintains thousands of servers in over 55 countries around the world, and we continue to expand the network each month. All servers are physically located in the stated country of origin and we do not use any virtual locations.
1. No, we do not record or store any logs related to our services. No traffic, user activity, timestamps, IP addresses, number of active and total sessions, DNS requests, or any other kind of logs are stored. System logs are disabled. Anonymity of our users is very important to us as described in our Terms of Service.
2. The registered company name is Netbouncer AB and we operate under Swedish jurisdiction where there are no data retention laws that apply to VPN providers.
3. Our servers are running using Blind Operator mode which means we took extra security steps to ensure that we cannot monitor any traffic at all. Abuses like incoming DDoS attacks are usually mitigated with UDP filtering on the source port used by an attacker.
4. No, we do not rely on and refuse to use external third-party systems. We run our own email infrastructure and encourage people to use PGP encryption. Ticketing support system, website analytics (Piwik, with anonymization settings) and other tools are hosted in-house on open-source software. We have plans to replace some of these tools by solutions developed by ourselves.
5. We politely inform the sender party that we do not keep any logs and are unable to identify a user.
6. In the case that a valid court order is issued, we will inform the other party that we are unable to identify an active user or past user of our service while running as a Blind Operator, which is preventing live analysis of traffic. In that case, they would probably force us to hand over physical access to the server, which is fine since they would have to reboot to gain any kind of access, and since we are running diskless in RAM – all data will be lost. So far, we have never received any court order and no personal information has ever been given away.
7. Yes, BitTorrent, peer-to-peer and file-sharing traffic is allowed and treated equally to any other traffic on all of our locations. We strongly believe in net neutrality.
8. As of now, we propose a variety of payment options including anonymous methods such as Bitcoin, Bitcoin Cash, Litecoin, Monero, Ethereum and some other cryptocurrencies (through CoinPayments) and cash money via postal mail. We also offer PayPal, credit cards (VISA, MasterCard and American Express through Paymentwall) and Swish. We do not store sensitive payment information on our servers, we only retain an internal reference code for order confirmation.
9. We recommend our users to use our new WireGuard servers available on Linux, some routers (LEDE/OpenWRT), and soon on Android.
– Data channel cipher: CHACHA20 with POLY1305 for authentication and data integrity
– Authenticated key exchange: Noise Protocol Framework’s Noise_IKpsk2, using Curve25519, Blake2s, and CHACHA20-POLY1305, a formally verified
Otherwise, we recommend OpenVPN with default configuration available in UDP and TCP modes. These settings offer the highest grade of security achieved through OpenVPN on all of our servers:
– Data channel cipher: AES-256-GCM (OpenVPN 2.4) or AES-256-CBC with HMAC-512 for authentication and data integrity (OpenVPN 2.3)
– Control channel cipher: TLS v1.2 using TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
– Authenticated key exchange: Diffie-Hellman method and Perfect Forward Secrecy (DHE) using a RSA key with a 4096 bit key size, re-keying every 120 minutes (can be lowered)
– Additional auth key: RSA with a 2048 bit key size
– Additional crypt key: RSA with a 2048 bit key size
10. We offer a new custom open-source VPN application called azclient, for all desktop platforms (Windows, macOS and Linux), with source code released on Github under the GPLv2 license, currently supporting OpenVPN. Our client is developed by a security expert and designed with ease of installation and use in mind, allowing users to connect to the VPN servers with only a few clicks. We plan to add a kill switch and DNS leak protection features to the client in the future.
11. We physically own all of our hardware, in all of our locations, including bare metal dedicated servers and switches, brought and installed on our own, co-located in closed racks on different data centers around the world meeting our strict security criteria, using dedicated network links and carefully chosen providers for maximum network quality and throughput. We host our own non-logging DNS servers in different locations and provide DNSCrypt support for DNS requests encryption.
12. As of now, we operate across five locations including Canada, Spain, Sweden, United Kingdom and the United States. Moldova is planned later this year, as indicated on our roadmap. There are no virtual locations.
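An added example, not code from the article or from any provider quoted in it: a Python check of an OpenVPN client profile against the OpenVPN settings listed in answer 9 above (AES-256-GCM or AES-256-CBC with a strong HMAC, TLS 1.2, periodic re-keying) and the pre-shared key risk named in the introduction. The sample profiles, the hostname `vpn.example.net` and the finding codes are constructed for this example.

```python
import re

# Values taken from the provider answers on this page.
RECOMMENDED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
STRONG_HMACS = {"SHA256", "SHA384", "SHA512"}
MIN_TLS = (1, 2)

# Constructed sample profiles; vpn.example.net is a placeholder host.
SAMPLE_WEAK = """\
client
dev tun
remote vpn.example.net 1194
secret static.key
cipher BF-CBC
auth SHA1
"""

SAMPLE_STRONG = """\
client
dev tun
remote vpn.example.net 1194
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
reneg-sec 7200   # 120 minutes, as in the answer above
"""


def parse_profile(text):
    """Map each directive to a list of argument lists, skipping comments and
    the bodies of inline blocks such as <ca>...</ca>."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <tag> ... </tag>
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:                             # an inline file counts as the directive
            inline = tag.group(1)
            directives.setdefault(inline, []).append([])
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":              # trailing comment
                break
            tokens.append(tok)
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def audit(text):
    """Return finding codes, in check order, for one client profile."""
    d = parse_profile(text)
    findings = []

    # --secret selects static pre-shared key mode: no TLS handshake and no
    # forward secrecy, so one leaked key exposes all recorded traffic.
    static_key = "secret" in d
    if static_key:
        findings.append("static-key")

    ciphers = []
    for name in ("cipher", "data-ciphers", "ncp-ciphers"):
        for args in d.get(name, []):
            if args:
                ciphers += [c.upper() for c in args[0].split(":")]
    if not ciphers:
        # Nothing pinned: the result depends on client version and negotiation.
        findings.append("cipher-unpinned")
    elif any(c not in RECOMMENDED_CIPHERS for c in ciphers):
        findings.append("cipher-not-recommended")

    # GCM authenticates packets itself; CBC relies on --auth (default SHA1).
    needs_hmac = not ciphers or any(not c.endswith("-GCM") for c in ciphers)
    auth_args = d.get("auth", [["SHA1"]])[-1]
    auth = auth_args[0].upper() if auth_args else "SHA1"
    if needs_hmac and auth not in STRONG_HMACS:
        findings.append("weak-hmac")

    if not static_key:                      # TLS settings only apply in TLS mode
        tls_args = d.get("tls-version-min", [[]])[-1]
        try:
            version = tuple(int(p) for p in tls_args[0].split("."))
        except (IndexError, ValueError):
            version = None
        if version is None or version < MIN_TLS:
            findings.append("tls-below-1.2")
        # reneg-sec 0 turns off time-based re-keying (default is 3600 s).
        if d.get("reneg-sec", [["3600"]])[-1][:1] == ["0"]:
            findings.append("rekey-disabled")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, audit(profile))
```
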
2. Registered name of the company is Server Management LLC and we operate under US jurisdiction.
3. A single subscription can be used simultaneously for three connections. Abuse of service usually means using non-P2P servers for torrents or DMCA notices. Also, our no-log policy makes it impossible to track who downloaded/uploaded any data from the internet using our VPN. We use an iptables plugin to block P2P traffic on servers where P2P is not explicitly allowed. We block outgoing mail on port 25 to prevent spamming activity.
4. We use live chat provided by tawk.to and Google Apps for incoming email. For outgoing email we use our own SMTP server.
5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the datacenter or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which makes it impossible to track who downloaded any data from the internet using our VPN.
6. HideIPVPN may disclose information, including but not limited to, information concerning a client, in order to comply with a court order, subpoena, summons, discovery request, warrant, statute, regulation, or governmental request. But due to the fact that we have a no-logs policy and we use Shared IPs, there won’t be anything to disclose excepting billing details. This has never happened before.
7. This type of traffic is welcomed on our German (DE VPN), Dutch (NL VPN), Luxembourg (LU VPN) and Lithuanian (LT VPN) servers. It is not allowed on US, UK, Canada, Poland, Singapore and French servers as stated in our TOS – the reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.
8. Currently, HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, JCB, American Express, Diners Club International, Discover. All our clients’ billing details are stored in the WHMCS billing system.
9. SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems.
10. Yes, our free VPN apps have both features built in.
11. We don’t have physical control on our VPN servers. Servers are outsourced in premium data-center with high-quality tier1 networks.
12. At the moment we have VPN servers located in 10 countries – US, UK, Netherlands, Germany, Luxembourg, Lithuania, Canada, Poland, France and Singapore. As you can see, the number of available locations is steadily growing.
1. No, we don’t keep any logs. We have developed our system with an eye on our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.
2. Hide.me VPN is operated by eVenture Limited and based in Malaysia with no legal obligation to store any user logs at all.
3. We do not limit or monitor individual connections. To mitigate abuse we deploy general firewall rules on some servers that apply to specific IP ranges. By design, one username can only establish one simultaneous connection.
4. Our landing pages, which are solely used for advertising purposes, include a limited amount of third-party tracking scripts, namely Google Analytics. However, no personal information that could be linked with the VPN usage is shared with these providers. We do not send information that could compromise someone’s security over email.
5. Since we don’t store any logs and/or host copyright infringing material on our services, we’ll reply to these notices accordingly.
6. Although it has never happened, in such a scenario, we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs and there is no way we could link any particular cyber activity to any particular user. In case we are forced to store user logs, we would prefer to close down rather than putting our users at stake who have put their trust in us.
7. There is no effective way of blocking file-sharing traffic without monitoring our customers which is against our principles and would be even illegal. Usually, we only recommend our customers to avoid the US & UK locations for file-sharing but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.
8. We support a wide range of popular payment methods, including all major cryptocurrencies like Bitcoin, Litecoin, Ethereum, Dash, Monero, PayPal, Credit Cards and Bank transfer. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can’t be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.
9. After all, modern VPN protocols that we all support – like IKEv2, OpenVPN and SSTP – are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 8192-bit key size and a strong symmetric encryption (AES-256) for the data transfer.
10. Our users’ privacy is of utmost concern to us. Our Windows client has features such as Kill Switch, Auto Connect, Auto Reconnect, etc., which make sure that the user is always encrypted and anonymous.
11. We operate our own non-logging DNS-servers to protect our customers from DNS hijacking and similar attacks. We operate 30+ server locations in 27 different countries. However we do not own physical hardware. There is intrusion detection and other various security measures in place to ensure the integrity and security of all our single servers. Furthermore, we choose all third-party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no unauthorized person can access our servers. Among our reputable partners are Leaseweb, NFOrce, Equinix and Softlayer.
12. Our servers are located in countries all over the world, among the most popular ones are Canada, Netherlands, Singapore, Germany, Brazil, Mexico and Australia. Below is the complete list of countries, alternatively you can view all available locations here.
1. No, not doing so is fundamental to any privacy service regardless of the security or policies implemented to protect the log data. In addition, it is not within our interest to do so as it would increase our liability and is not required by the laws of any jurisdiction that IVPN operates in.
2. Privatus Limited, Gibraltar.
3. We use a few custom scripts (based on PSAD) to proactively detect and alert malicious activity. From a management perspective, we monitor our network using Zabbix. In the almost 10 years we’ve been operating it’s safe to say we’ve seen almost everything.
4. No. We made a strategic decision from day one that no company or customer data would ever be stored on 3rd party systems. All our internal services run on our own dedicated servers that we setup, configure and manage. No 3rd parties have access to our servers or data.
5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network nor are we legally required to do so.
6. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information. If legally compelled to log activity going forward we would do everything in our power to alert the relevant customers directly (or indirectly through our warrant canary).
7. Yes, all file-sharing traffic is permitted and treated equally on all servers. We do encourage customers to use non-USA based exit servers for P2P as any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.
8. We accept Bitcoin, Cash, PayPal and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. When paying with PayPal or a credit card a token is stored that is used to process recurring payments but this is not linked in any way to account usage or IP-assignments.
9. We provide RSA-4096 / AES-256-GCM with OpenVPN, which we believe is more than secure enough for our customers’ needs.
10. Yes, the IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible including IPv6, DNS, network failures, WebRTC STUN etc.
11. We use bare metal dedicated servers leased from 3rd party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless. We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult. We operate our own network of log free DNS servers that are only accessible to our customers.
12. Please see https://www.ivpn.net/server-locations. We do not offer virtual locations.
1. We don’t keep any logs that can match a user to an IP and timestamp.
2. Windscribe Limited, Ontario (Canada) Corporation.
3. We store the total amount of bytes transferred in a 30 day period. This counter gets reset monthly and there is no historical usage. We block SMTP port 25 to prevent email spamming.
4. Everything is self-hosted including but not limited to email, support desk, and live chat.
5. We notify the sender that the IP address is a VPN node and is shared by hundreds of people at any given moment, so there is no way to trace the activity to any single user.
6. We received multiple subpoenas and court orders requesting subscriber information. Our response was identical to what we send in case of a DMCA related request in every case. We were never ordered to log users (although there were requests), but since we’re in Canada which has no mandatory data retention directives that apply to VPNs, we wouldn’t need to comply.
7. BitTorrent is allowed in all locations as we don’t interfere with the traffic. We request that users don’t do it in Japan and India due to more stringent providers in those regions, but it’s more of a guideline than a rule.
8. Credit cards (Stripe), PayPal, all major cryptocurrencies and various gift cards. As we store no logs of this type, there is nothing to link the payments to.
9. We support OpenVPN and IKEv2. Both are equally secure as we use the strongest encryption possible (GCM-AES-256) with both. We recommend trying IKEv2 first, as it’s faster almost in all cases. If it’s blocked on your network, then you can use OpenVPN which operates on common ports and is a lot harder to block, especially when using Stealth (Stunnel) mode. Our application tries all the protocols automatically and uses the best one for your specific network.
10. Windscribe Firewall is built into our Windows and Mac applications. It blocks all connectivity outside of the tunnel to ensure there is zero chance of any kind of leak, including but not limited to DNS leaks, IPv6 leaks, WebRTC leaks, etc.
A firewall blocks ALL connectivity outside of the tunnel. If the VPN connection drops, there is nothing that needs to be done, and not a single packet can leave the machine, since the firewall will not allow it. In geek terms, it fails closed.
11. All our servers are bare metal machines which are leased from various reputable hosting providers worldwide. As we have servers in over 100 different data-centers, listing them here would create a fairly lengthy list.
Each VPN node we operate has a recursive DNS server running on it, which is only accessible over the tunnel as it listens exclusively on a LAN IP address.
12. We have servers in 50 countries and over 100 cities. The full list is shown here. All our servers are physically where they are claimed to be, as we don’t have any fake/virtual locations.
2. Our registered legal name is Hexville SRL. We’re under Romanian jurisdiction, inside of the European Union.
3. Our tools are developed in-house. To limit the concurrent connections we keep track of the active connections of users. Every user has a limited number of concurrent connections, depending on his subscription. When he connects, we subtract one. When he disconnects, we add one back. Reach zero and the service will not allow the user to connect until he disconnects one of his active instances.
To limit the brute force types of abuses, we monitor the health of the servers and limit the network priority of the obvious DDOS that might be masked through our service. SMTP abuses will also result in temporary port blocking for that service.
5. We designed our system in such a way that DMCA notices cannot be forwarded to our users. A diverse approach is needed to deal with this particular industry issue: from explaining that we don’t host any content to replacing IPs and servers that received multiple strikes.
6. No subpoena has been received by our company. If that happens, we’ll be sure to assist as much as we’re legally obliged. Keep in mind that we don’t have much information to provide.
7. Net neutrality is king. We allow any kind of traffic. P2P included.
8. We use Bitcoins (and many other kinds of virtual currencies: ETH, XRP, DGB, LTC ), PayPal, PerfectMoney and Credit Cards. The sales & billing platform is stored separately of the actual VPN system.
9. We use only OpenVPN protocol, one of the most secure and hard to crack protocols, with AES-256-CBC cipher, TLSv1/SSLv3 DHE-RSA-AES512-SHA, 2048 bit RSA.
On top of the OpenVPN, you can also choose one of the two anti DPI (Deep Packet Inspection) protocols: “TOR’s OBFSPROXY Scramblesuit” and “SSL” that mask your VPN connection from your ISP. These protocols come in handy in places that actively block VPN connections, like China, Egypt or university campuses.
10. Yes, we have an incorporated kill switch in our client and DNS leak protection.
11. We do use our own DNS and Google DNS for some servers.
Because of the nature of the industry, we consider that replacing servers and blacklisted IPs as fast as possible, having the ability to migrate from one ISP to another, and not existing in a constant physical location is a great plus. That’s why we decided to rent the VPN servers.
12. At the time of writing this, we do not offer virtual locations. We offer more than 30 servers in 18 countries and we’re expanding fast. You can find the full list here.
1. We don’t log any individually identifying information. The privacy of our customers is our top priority.
2. Our service is operated by a group of autonomous privacy activists outside of “Fourteen Eyes” or “Enemy of the Internet” countries. Each server is handled within the jurisdiction of the server’s location.
3. There are no tools which monitor our customers but we use techniques which don’t require any logging to prevent the abuse of our service.
4. Our website has been entirely developed by ourselves and thus we don’t rely on external service providers.
5. We reply to takedown notices but can’t be forced to hand out information because of our non-logging policy.
6. This hasn’t happened yet, but if we were forced to identify any of our customers at a specific server location, we would immediately terminate this location. We are not going to log, monitor or share any information about our customers under any circumstances.
7. BitTorrent and other file-sharing traffic is allowed and treated equally to other traffic on all servers.
8. We offer a wide range of anonymous payment methods like Bitcoin, Dash, Ethereum, Paysafecard and Perfect Money. No external payment processor receives any information because all payments are processed by our own payment interface.
9. We would recommend OpenVPN, available in UDP and TCP mode. We are using AES-256-GCM/CBC for traffic encryption, 4096 bit RSA keys for the key exchange and SHA-512 as HMAC. These settings offer you the highest grade of security available.
10. Our VPN Client provides advanced security features like a Kill Switch, DNS Leak Protection, IPv4/IPv6 Leak Protection, WebRTC Leak Protection and many more.
11. We rent 27 servers in 20 countries and are continuously expanding our server park. During the last year we focused on replacing our 100 Mbit/s servers with high-end dedicated gigabit servers and thus the number of servers slightly decreased. It is impossible to have physical control over all widespread servers but we took security measures to prevent unintended server access. At the moment we are using the nameservers of Quad9 which offer good privacy.
12. Every server is physically located in its specified country and thus we don’t offer virtual locations. You can find our server list at the following link.
1. We do not keep or record any logs. We are therefore not able to match an IP-address and a time stamp to a user of our service.
2. The registered name of our company is “Offshore Security EOOD” (spelled “ОФШОР СЕКЮРИТИ ЕООД” in Bulgarian). We’re a VAT registered business. We operate under the jurisdiction of Bulgaria.
3. To prevent mail spam abuse we block mail ports used for such activity, but we preemptively whitelist known and legit email servers so that genuine mail users can still receive and send their emails.
To limit concurrent connections to 6, we use our in-house developed system that adds and subtracts +1 or -1 towards the user’s “global-live-connections-count” in a database of ours which the authentication API corresponds with anonymously each time the user disconnects or connects to a server. The process does not record any data about which servers the subtracting/detracting is coming from or any other data at any time, logging is completely disabled at the API.
4. We host our own email servers in Switzerland. We host our own Ticket Support system on our servers in Switzerland. The only external tools we use are Google Analytics for our website and Zopim Live Chat.
5. DMCA notices are not forwarded to our members as we’re unable to identify a responsible user due to not having any logs or data that can help us associate an individual with an account. We would reply to the DMCA notices explaining that we do not host or hold any copyrighted content ourselves and we’re not able to identify or penalize a user of our service.
6. This has not happened yet. Should it happen our attorney will examine the validity of the court order in accordance with our jurisdiction, we will then delegate our no logs policy to the appropriate party pointing out that we’re not able to match a user to an IP or timestamp due to not keeping or recording any logs. In our six year history we’ve upheld our reputation and we believe one of the reasons such court orders don’t reach us is our clearly stated no-logs policy.
7. BitTorrent/P2P is allowed on most of our servers but not all of them. Why not? Some servers that we use are not tolerant to DMCA notices, but some of our members utilize them for other activities not related to torrenting. That is why we keep them in our network despite the inability to use P2P/torrents on them. Most of our VPN servers and locations do allow torrents and P2P. We even allow torrenting on server locations that most VPN providers don’t, such as USA and Canada.
8. We accept PayPal, Credit/Debit cards and Webmoney via third party payment processor, plus Bitcoin and Payza. We do not require personal details to register an account with us. In the case of PayPal/Payza/card payments we link usernames to their transactions so we can process a refund. We do take active steps to make sure payment details can’t be linked to account usage or IP assignments. We do not use a recurring payments system.
9. We use AES-256-CBC + SHA256 cipher and RSA4096 keys on all our VPN servers without exception. We also have Double VPN servers, where for example the traffic goes through Russia and Israel before reaching the final destination.
10. Yes, we provide both KillSwitch and DNS Leak protection for our Windows and Mac apps. Our new Android app already has DNS Leak protection and AdBlocking and within a couple of days will also have KillSwitch in the upcoming new version.
11. We work with reliable and established data centers. Nobody but us has virtual access to our servers. The entire logs directories are wiped out and disabled, rendering possible physical brute force access to the servers useless in terms of identifying users.
12. All our servers are physically located in the stated countries. A list of our servers in 70 countries can be found here.
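The connection counter described in answer 3 above (and the similar subtract-on-connect scheme an earlier provider describes), written out as an added example that is not either provider's code. Class and method names are hypothetical, and `reconcile()` assumes VPN nodes can report how many sessions each account currently holds.

```python
import threading


class LiveConnectionCounter:
    """Enforce a per-account connection limit while storing one integer per account."""

    def __init__(self, limit=6):
        self.limit = limit
        self._live = {}                 # account id -> live connections, nothing else
        self._lock = threading.Lock()   # connect/disconnect events arrive concurrently

    def connect(self, account):
        """Called by the auth API on connect; returns False once the limit is reached."""
        with self._lock:
            current = self._live.get(account, 0)
            if current >= self.limit:
                return False
            self._live[account] = current + 1
            return True

    def disconnect(self, account):
        """Called on disconnect; a duplicate event must not push the count below zero."""
        with self._lock:
            current = self._live.get(account, 0)
            if current <= 1:
                self._live.pop(account, None)   # idle accounts leave no row behind
            else:
                self._live[account] = current - 1

    def reconcile(self, live_totals):
        """Replace all counts with fresh totals, e.g. after a crash lost disconnects.

        Assumption: nodes can report current sessions per account. Only the summed
        total is kept, so no per-server or per-time record is created.
        """
        with self._lock:
            self._live = {a: n for a, n in live_totals.items() if n > 0}

    def stored_state(self):
        """Everything this component keeps: no IP address, server name or timestamp."""
        with self._lock:
            return dict(self._live)


def demo_concurrent(attempts=50, limit=6):
    """Fire many simultaneous connects for one constructed account; count successes."""
    counter = LiveConnectionCounter(limit)
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(counter.connect("acct-constructed")))
        for _ in range(attempts)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("accepted connections:", demo_concurrent())
```

Because the table holds no timestamps, stale counts cannot be aged out; they can only be corrected by a fresh total, which is what `reconcile()` models.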
2. The name of the company is Air and it is located in Italy.
3. We do not use any monitoring or traffic inspection tools. We do associate a connections counter for each account to enforce the limit of five simultaneous connections per account. We also promptly investigate any service (website etc.) running behind our service to prevent phishing and other scams (malware spreading, bot controllers, etc) if we receive a complaint about them. However, checking those services after a complaint or a warning from a third-party does not require any traffic monitoring.
4. Absolutely not.
5. They are ignored.
6. The matter is handled by our law firm which explains to the competent authorities how our system works and why it is not possible to track a user “ex-post” when such identification requires access to traffic logs, which simply do not exist. We have so far not received any order trying to force us to “log activity going forward” and we would not be able to comply for strictly technical reasons.
7. Yes, BitTorrent (just like any other protocol) is allowed on all servers without any re-routing.
8. Nowadays we use Coinpayments, BitPay, PayPal and Avangate. We accept a wide variety of cryptocurrencies and several credit cards. We also planned to accept payments in Bitcoin (and some other cryptocurrency) directly in late 2018, with no need for any third party payment processor, which anyway does not require any personal data to complete a transaction.
We do not keep any information about account usage and/or IP address assignments, so there can’t be any correlation with any payment. As usual a customer needs to consider that any payment via a credit card or PayPal will be recorded for an indefinite amount of time by the respective financial companies. We also accept cryptocurrencies inherently designed to provide a strong layer of anonymity.
9. We recommend only and exclusively OpenVPN. A proper configuration must include TLS mode, Perfect Forward Secrecy, 4096 bit Diffie-Hellman keys, and at least 2048 bit (preferably 4096 bit) RSA keys. About the channels ciphers, AES-256 both on the Control Channel and the Data Channel is an excellent choice, while digests like HMAC SHA (when you don’t use an AEAD cipher such as AES-GCM) for authentication of packets are essential to guarantee integrity (preventing for example injection of forged packets in the stream), both on the Control and the Data channels.
Our service provides all of the above. About Elliptic Curve Cryptography, since it is finally of public domain that at least one random number generator (Dual_EC_DRBG) had a backdoor, and that an NSA program did exist with the aim to implement backdoors in some curves and then have exactly those curves recommended by NIST, momentarily we would suggest to drop ECC completely, just to stay on the safe side and according to Bruce Schneier’s considerations.
10. Yes, of course. They are integrated in our free and open source software “Eddie” released under GPLv3. Anyway, usage of our software is not mandatory to access our service, so we also provide guides to prevent any kind of traffic leaks outside the VPN “tunnel” on a variety of systems.
11. The VPN server management is never outsourced. Even the IPMI, which has proven to be the source of extremely dangerous vulnerabilities, is patched and access-restricted by the AirVPN core management persons only. The Air company does not own datacenters. Owning a datacenter would put Air in a vulnerable position in the scenario described in your question number 6 (second part: court order to start logging traffic).
12. We do not offer “virtual” locations. No IP address geo-location trick, hidden re-routing or any other trick is ever performed. We do not use Virtual Servers at all. Currently, we have physical (bare metal) servers really located in the following countries: Austria, Belgium, Bulgaria, Canada, Czech Republic, Germany, Hong Kong, Japan, Latvia, Lithuania, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.
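The configuration criteria in answer 9 above (TLS mode, forward secrecy, AES-256, an HMAC digest when the cipher is not AEAD), turned into a config check as an added example that is not AirVPN's or the article's code. The accepted cipher and digest sets and both sample configs are assumptions constructed here; key sizes are not checked because they live in the certificate and DH files, not in the config.

```python
ACCEPTED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}   # assumption: AES-256 only
AEAD_CIPHERS = {"AES-256-GCM"}                      # AEAD needs no separate HMAC
ACCEPTED_DIGESTS = {"SHA256", "SHA384", "SHA512"}   # assumption: SHA-2 family

# Constructed sample configs (hostnames and file names are placeholders).
WEAK = """\
dev tun
remote vpn.example.net 1194 udp
secret static.key
cipher BF-CBC
"""
STRONG = """\
client
dev tun
remote vpn.example.net 443 tcp
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
<ca>
(constructed placeholder, skipped by the parser)
</ca>
"""


def parse_directives(text):
    """Map directive -> list of argument lists, skipping comments and inline blocks."""
    directives, closing_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if closing_tag:                       # inside <ca>...</ca>, <key>...</key>, etc.
            if line == closing_tag:
                closing_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            closing_tag = "</" + line[1:]
            continue
        parts = line.split()
        directives.setdefault(parts[0].lstrip("-"), []).append(parts[1:])
    return directives


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []

    # 1. TLS mode: static-key mode uses one pre-shared key and has no forward secrecy.
    if "secret" in d:
        findings.append("static-key mode (secret): pre-shared key, no forward secrecy")
    elif not {"client", "tls-client", "tls-server"} & d.keys():
        findings.append("TLS mode is not enabled")

    # 2. Data channel: collect every cipher the config allows.
    ciphers = []
    for name in ("data-ciphers", "ncp-ciphers"):
        for args in d.get(name, []):
            ciphers += args[0].upper().split(":") if args else []
    ciphers += [args[0].upper() for args in d.get("cipher", []) if args]
    if not ciphers:
        findings.append("no data-channel cipher set: result depends on version defaults")
    for c in ciphers:
        if c not in ACCEPTED_CIPHERS:
            findings.append(f"data-channel cipher {c} is not AES-256")

    # 3. Packet authentication: a non-AEAD cipher relies on the HMAC digest.
    if any(c not in AEAD_CIPHERS for c in ciphers):
        auth = [args for args in d.get("auth", []) if args]
        digest = auth[-1][0].upper() if auth else "SHA1"   # OpenVPN defaults to SHA1
        if digest not in ACCEPTED_DIGESTS:
            findings.append(f"HMAC digest {digest} is not SHA-2")

    # 4. Control channel: pinned TLS <= 1.2 suites must use ephemeral (EC)DHE.
    for args in d.get("tls-cipher", []):
        for suite in (args[0].upper().split(":") if args else []):
            if "DHE" not in suite:
                findings.append(f"TLS suite {suite} has no forward secrecy")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("strong:", audit(STRONG))
```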
1. Trust.Zone doesn’t store any logs. All we need from users is just an email to sign up. No first name, no last name, no personal info, no tracking, no logs.
2. Trust.Zone is under Seychelles jurisdiction and we operate according to the law in Seychelles. There is no mandatory data retention law in Seychelles. In our jurisdiction, a foreign court order would not be enforceable and since we don’t store any logs, there is nothing to be taken from our servers. The company is operated by Extra Solutions Ltd.
3. We have no usage restriction on our service. As we don’t have any logs, we can’t track any user online activity. Trust.Zone doesn’t use any third party tools on the website. The single restriction we have is three simultaneous connections per user.
5. If we receive any type of DMCA requests or Copyright Infringement Notices – we ignore them. Why? Trust.Zone is under Seychelles offshore jurisdiction. There is no mandatory data retention law in Seychelles. Since we don’t store any logs, there is nothing to be had from our servers.
6. A court order would not be enforceable because we do not log information and therefore there is nothing to be had from our servers. Trust.Zone is a VPN provider with a Warrant Canary. Trust.Zone has not received or has been subject to any searches, seizures of data or requirements to log any actions of our customers.
7. We don’t restrict any kind of traffic. Trust.Zone does not throttle or block any protocols, IP addresses, servers or any type of traffic whatsoever.
8. All major credit cards are accepted. Besides, Bitcoin, PayPal, Webmoney, Alipay, wire transfer and many other types of payments are available. To stay completely anonymous, we highly recommend using anonymous payments via Bitcoin.
9. Trust.Zone uses the highest level of data encryption. We use a protocol which is faster than OpenVPN and also includes Perfect Forward Secrecy (PFS). The unique feature of Trust.Zone VPN is that you can forward your VPN traffic via ports – 21(FTP) 22 ( SCP, SFTP ), 80 (HTTP), 443 (HTTPS) or 1194 (OpenVPN), most of which can’t be blocked by your ISP. Trust.Zone uses AES-256 Encryption by default. We also offer L2TP over IPsec which also uses 256bit AES Encryption.
10. Trust.Zone supports a kill-switch function. We also own our DNS servers and provide users with using our DNS to avoid any DNS leaks. Trust.Zone has no support for IPv6 connections to avoid any leaks. We also provide users with additional recommendations to be sure that there are no DNS leaks or IP leaks.
11. We have a mixed infrastructure. Trust.Zone owns some physical servers and we have access to them physically. In locations with lower utilization, we normally host with third parties. But the most important point is that we use dedicated servers in this case only, with full control by our network administrators. DNS queries go through our own DNS servers.
12. We are operating with 150+ servers in 30+ countries and still growing. The most popular Trust.Zone locations are France, Australia, US, Canada and UK. The full map of the server locations is available here.
1. We don’t keep any logs.
2. CactusVPN Inc., Canada
3. We restrict our services with up to five devices per package for VPN connection and to unlimited devices for SmartDNS service as long as all of them have the same IP address. Abuse of services is regulated by our Linux firewall and most of the datacenters we hire servers from provide additional security measures for servers attacks.
5. We did not receive any official notices yet. We will only respond to a local court order.
6. If we have a valid order from Canadian authorities we have to help them identify the user. But as we do not keep any logs we just can’t do that. We did not receive any orders yet.
7. BitTorrent and other file-sharing traffic is allowed on Netherlands, Germany, Switzerland and Romanian servers.
8. PayPal, Visa, MasterCard, Discover, American Express, Bitcoin & Altcoins, Alipay, Qiwi, Webmoney, Boleto Bancario, Yandex Money and other not so popular payment options.
9. We recommend users to use SoftEther with ECDHE-RSA-AES128-GCM-SHA256 cipher suite.
10. Yes, our apps include Kill Switch and Apps Killer options in case a VPN connection is dropped. Also they include DNS Leak protection.
11. We use servers from various data centers.
12. USA, UK, France, Germany, Canada, Netherlands, South Korea, Australia, Poland, Japan, Switzerland, Singapore, Romania.
1. ShadeYou VPN does not keep any logs. To use our service only a username and e-mail are required. No personal or real data is required.
2. We are incorporated as DATA ACCENTS LP and operate under the United Kingdom jurisdiction.
3. Limits of concurrent connections are regulated in real time on the server side by our own developed tools without any logs kept.
4. We are using Google Analytics as a tool which allows us to improve our website and bring our users better experience. Also, we are using SiteHeart online support. But none of these tools track / hold personal information.
6. There are no special steps since we have no logs to share and analyze. It means we can’t help with identifying the active or past user of our service. Logging activity is not acceptable for our service. We had different cases but we can guarantee that none of our users were compromised.
7. BitTorrent and any other file-sharing traffic is allowed mostly on all our servers. There are only a few exceptions (such as when traffic is limited on the servers).
8. ShadeYou VPN uses payment systems including PayPal, Perfect Money, Webmoney, Qiwi, Yandex Money, Easy Pay, Ligpay, UnionPay, AliPay, MINT, CashU, Ukash; we also accept payments via Visa, Master Card, Maestro and Discover. Of course, Bitcoin is available. Important note: we do not store billing information which is required to improve users safety.
9. We strongly recommend using OpenVPN since it is the safest and uses the strongest encryption (TLS Protocol with 4096-bit key length and AES-256-CBC crypto-algorithm).
10. We support “Kill switches” and DNS leak protection using our desktop client