ProtonVPN No-Logs Audit 2026: What 4 Securitum Reports Found

Four independent no-logs audits, all conducted by Securitum, the same European security auditing firm, have now verified ProtonVPN’s no-logs policy across 2022, 2023, 2024, and August 2025. The August 2025 audit, the most recent at the time of writing in 2026, concluded that “no instances of user activity logging, connection metadata storage, or network traffic inspection” exist that would contradict the no-logs claim. A separate SOC 2 Type II audit was completed in July 2025 for operational security. All four Securitum reports plus the SOC 2 attestation are publicly downloadable without an account or signup.

So the short answer to “does ProtonVPN keep logs in 2026” is no, and that answer is backed by the strongest evidence trail in the VPN industry. But the audits are only part of the privacy picture. The 2021 French activist incident at ProtonMail, the still-pending Swiss VUPF surveillance ordinance, ProtonVPN’s contested decision to use full-disk encryption rather than RAM-only servers, and Proton’s preemptive infrastructure moves outside Switzerland all change how you should evaluate the no-logs guarantee. I read all four Securitum audit reports, the SOC 2 Type II attestation, ProtonVPN’s full privacy policy, the relevant Swiss court filings, and the VUPF consultation documents so you do not have to. Here is what they actually say.

Four Consecutive Securitum No-Logs Audits, 2022 to 2026

ProtonVPN has been audited every year since 2022 by Securitum, an established European security auditing firm. The most recent audit in August 2025 examined production VPN servers, DNS query handling, session timestamps, network traffic inspection, aggregate log correlation, and configuration files. The auditor verified that automated alerts catch unauthorized configuration changes, meaning even a rogue employee could not silently enable logging without being detected.

ProtonVPN also completed a SOC 2 Type II audit in July 2025 for operational security. All audit reports are publicly downloadable from the ProtonVPN transparency page without requiring a signup or paid account.

The audit cadence matters more than the result of any single year. Annual audits create ongoing accountability that one-time audits cannot. A provider that passes once might change practices later. Four consecutive years of the same conclusion from the same auditor, with the full report (not a marketing summary) published publicly, builds genuine confidence. Other major consumer VPNs including NordVPN, ExpressVPN, and Mullvad also publish audits at regular intervals through firms like Deloitte, KPMG, Cure53, and Assured AB. ProtonVPN’s differentiator is the consistency of same-auditor, same-scope, year-over-year reports across the full 2022 to 2025 window plus a SOC 2 Type II layered on top, all downloadable without a marketing-gated signup.

What ProtonVPN Actually Logs (and Does Not Log)

ProtonVPN’s privacy policy is specific about what they do not collect. Here is the exact breakdown based on their published policy and the August 2025 Securitum audit findings.

The last login timestamp is the only connection-related data ProtonVPN stores. It overwrites with each new login, meaning only the most recent timestamp exists at any time, not a history. This is minimal compared to VPN providers that store connection logs “for 15 minutes” or “24 hours” before supposedly deleting them.

The 2021 French Activist Incident: What Actually Happened

In 2021, French police requested the IP address of a climate activist associated with Youth For Climate. France sent the request through Europol to Swiss authorities, who issued a legally binding court order to Proton.

ProtonMail complied because Swiss law does compel email providers to log data under criminal investigation orders. Proton handed over the activist’s IP address linked to their ProtonMail account.

This sparked legitimate outrage. Proton had previously marketed ProtonMail with claims like “we don’t log your IP.” They removed that language and updated their privacy policy afterward.

This distinction is critical and most competitor articles either conflate ProtonMail and ProtonVPN or mention the incident without explaining the legal difference. ProtonMail can be forced to log. ProtonVPN, as of 2026, cannot. These are different products with different legal treatment under Swiss telecommunications law.

Why Switzerland Matters (and Why It Might Not for Long)

ProtonVPN’s Swiss jurisdiction has been its strongest privacy argument. Switzerland is not a member of the European Union. It is not part of the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence-sharing alliances. Article 13 of the Swiss Federal Constitution explicitly guarantees the right to privacy. And the Swiss Supreme Court ruled in 2010 that IP addresses are personal information.

For VPN providers specifically, Swiss law currently does not require logging. ProtonVPN cannot be legally compelled to collect data that it does not already possess. If a court orders them to hand over browsing logs and those logs do not exist, there is nothing to hand over. This was proven in the 2019 case mentioned above.

However, there is a significant development that most review sites have not covered.

This is worth watching closely. If the VUPF update passes, ProtonVPN’s core privacy advantage, Swiss jurisdiction, could flip from a strength to a liability. Proton’s preemptive infrastructure relocation suggests they take this threat seriously. For users choosing ProtonVPN specifically because of Swiss law, this development should factor into your decision.

How ProtonVPN Compares to Other VPN Logging Policies

Every major VPN provider claims “no logs.” The difference is in the details: audits, jurisdiction, incidents, and server architecture. Here is how ProtonVPN stacks up against the competition based on the same kind of security analysis I apply to password managers.

ProtonVPN and Mullvad have the cleanest records. NordVPN’s 2018 Finnish server breach did not expose user data (confirmed by post-incident audit), but it raised questions about their infrastructure security at the time. ExpressVPN’s situation is more concerning. Their former CIO was linked to Project Raven, a UAE surveillance program, which created lasting trust issues despite the company’s clean audit record.

The RAM-Only Debate

NordVPN, ExpressVPN, Mullvad, Surfshark, and CyberGhost all run RAM-only (diskless) servers. The idea: if a server is seized, cutting power erases everything because RAM does not persist without electricity. No disks means no data to recover.

ProtonVPN takes a different approach. They use traditional disk-based servers with full-disk encryption (FDE). Their argument: RAM-only does not offer “huge advantages over full disk encryption as long as there are truly no logs.” If there is nothing to log, there is nothing to recover from either RAM or disk.

Both approaches have merit. RAM-only is better as a defense against physical server seizure. If someone physically takes a server, they get nothing. FDE requires the encryption keys to be unrecoverable, which adds a layer of trust. In practice, the difference matters only in extreme threat scenarios. For the vast majority of users, both approaches provide equivalent protection.

Where ProtonVPN does have a genuine advantage is that they own and operate all Secure Core servers directly. Third-party hosted servers, which most VPN providers rely on for their wider networks, introduce supply chain risk regardless of whether they run on RAM or disk.

ProtonVPN’s Security Features That Protect Your Browsing

Beyond the no-logs policy, ProtonVPN has specific technical features that prevent your browsing data from leaking.

Secure Core (double-hop routing): Routes your traffic through Proton-owned servers in Switzerland, Iceland, or Sweden before reaching the exit server. Even if an exit server is compromised, the attacker sees the Secure Core server’s IP, not yours. This is similar to how zero-knowledge encryption works for password managers: multiple layers of protection so no single point of failure exposes your data.

Kill switch: Blocks all network traffic if the VPN connection drops. ProtonVPN includes a “permanent kill switch” option that prevents any connection outside the VPN even during system boot-up, meaning your real IP never leaks, even during restarts.

DNS leak prevention: All DNS queries are encrypted and routed through ProtonVPN’s own DNS servers inside the VPN tunnel. Your ISP never sees which domains you resolve. I tested this across multiple servers using ipleak.net, zero leaks detected.

NetShield (paid plans): DNS-level blocker for ads, trackers, and malware. Since early 2026, NetShield blocks 6x more trackers than before by blocking subdomains in addition to root domains. This reduces the tracking data that advertising networks collect about your browsing patterns.

Open-source apps: ProtonVPN was the first major VPN provider to open-source all of its apps across every platform: Windows, macOS, iOS, Android, and Linux. The code is on GitHub and has been independently audited by security researcher Ruben Santamarta. Open source means anyone can verify that the app does what it claims.

ProtonVPN Pricing (2026)

ProtonVPN offers one of the most generous free VPN plans available. Here is the full pricing breakdown as of May 2026.

The free plan is genuinely usable for privacy-focused browsing. No data caps, no ads, and the same no-logs policy as paid plans. The limitations of one device, 10 countries, medium speed, and no NetShield are reasonable tradeoffs for a free service. For users who just need basic privacy protection, it is one of the few free VPNs I would actually recommend.

Privacy and Terms Analysis

I read privacy policies so you do not have to. Here is what I found in ProtonVPN’s terms of service and privacy policy.

Data ownership: Proton’s policy explicitly states they do not sell, rent, or monetize user data in any form. Revenue comes entirely from paid subscriptions.

Third-party sharing: ProtonVPN states they will only share data in response to “a legally binding request from competent Swiss authorities.” Foreign governments cannot make direct requests. They must go through Swiss legal channels (typically Europol to Swiss police to Swiss courts). And since ProtonVPN does not log browsing data, there is nothing substantive to share even if ordered to comply.

Data retention: Account data is stored encrypted on Proton-operated servers in Switzerland, Germany, or Norway. Data is deleted within a reasonable period after account deletion.

Payment privacy: You can pay with Proton credits (anonymous) or standard payment methods. The free plan requires only an email address, and you can use a ProtonMail address for that, creating a relatively anonymous account.

Red flags found: None. ProtonVPN’s privacy policy is among the cleanest I have reviewed. The only minor concern is the last login timestamp retention, and they are transparent about both the existence of this data and its purpose.

Pros and Cons

Who Should Use ProtonVPN

ProtonVPN is the right choice for privacy-first users who want a VPN backed by audits and open-source transparency, not marketing claims. If you care about whether your VPN provider can actually prove its no-logs policy, ProtonVPN has the strongest evidence trail in the industry in 2026.

It is also the best option for users who want a free VPN that does not compromise privacy. Most free VPNs monetize through ads or data collection. ProtonVPN’s free tier is subsidized by paid subscribers, the same model as ProtonMail.

For users in the Proton ecosystem (Mail, Drive, Pass), the Proton Unlimited bundle at $7.99/month is excellent value. You get a full privacy suite for less than most standalone VPNs.

Who Should Consider Alternatives

If you need RAM-only server architecture for maximum physical seizure protection, NordVPN or Mullvad are better choices. If you are primarily concerned about streaming geo-restrictions rather than privacy, ExpressVPN and NordVPN have stronger unblocking track records. If you need reliable VPN access in China or other heavily restricted countries, ProtonVPN’s Stealth protocol works but is not as consistent as dedicated censorship-bypass tools.

And if the Swiss VUPF surveillance law passes, everyone using ProtonVPN should reassess. Proton’s preemptive infrastructure moves suggest they are prepared, but the situation is evolving.

Frequently Asked Questions

When was ProtonVPN last audited for no-logs compliance?

The most recent independent no-logs audit was conducted by Securitum in August 2025 and is the fourth consecutive annual audit in the series (2022, 2023, 2024, August 2025). ProtonVPN also completed a SOC 2 Type II operational security audit in July 2025. The next no-logs audit is expected to follow the same annual cadence, with the 2026 report likely published mid-to-late 2026. All four Securitum reports and the SOC 2 attestation are downloadable from ProtonVPN’s transparency page without an account.

Who conducts ProtonVPN’s no-logs audits?

Securitum, an established European security auditing and pentesting firm, has been the independent auditor for all four ProtonVPN no-logs audits since 2022. ProtonVPN’s SOC 2 Type II attestation was conducted by a separate qualified auditor in July 2025.

Where can I download ProtonVPN’s official audit reports?

All four Securitum no-logs audit reports plus the SOC 2 Type II attestation are publicly downloadable from ProtonVPN’s transparency page at protonvpn.com without requiring an account, email signup, or paid subscription. The full reports include audit scope, methodology, findings, and the auditor’s signed conclusion. This level of public transparency is unusual in the VPN industry, where most providers lock audit summaries behind marketing pages.

Does ProtonVPN keep logs of my browsing?

No. ProtonVPN does not log browsing history, DNS queries, IP addresses, traffic data, connection timestamps, or session durations. This has been verified by four consecutive annual audits from Securitum (2022 through August 2025). The only connection data stored is your last login timestamp for brute-force detection.

Can ProtonVPN be traced back to me?

Under normal circumstances, no. ProtonVPN does not store your IP address or browsing activity. In a 2019 legal case, Swiss authorities ordered ProtonVPN to provide user logs and the company “were unable to comply because such logs did not exist.” Without stored data, there is nothing to trace.

Is ProtonVPN really private in 2026?

Yes. ProtonVPN is one of the most audited and transparent VPN providers in 2026. All apps are open source, four annual Securitum no-logs audits plus a SOC 2 Type II have been completed, and the company is based in Switzerland with strong constitutional privacy protections. The main caveat is the proposed Swiss VUPF surveillance law that could change the legal landscape during 2026.

Did ProtonVPN give user data to police?

ProtonVPN has never provided browsing or connection data to law enforcement because it does not store such data. The 2021 incident involved ProtonMail (their email service), not ProtonVPN. Under Swiss law, email and VPN providers have different legal obligations.

Does ProtonVPN sell my data?

No. ProtonVPN explicitly states they do not sell, rent, or monetize user data. Revenue comes entirely from paid subscriptions. The free plan is subsidized by paid users, not by data collection or advertising.

Is ProtonVPN better than NordVPN for privacy?

For transparency and auditability, yes. ProtonVPN is fully open source, has four consecutive Securitum no-logs audits, and Swiss jurisdiction. NordVPN has RAM-only servers and Deloitte audits but is closed-source and based in Panama. NordVPN had a 2018 server breach (no user data exposed). Neither provider logs browsing data.

Is ProtonVPN’s free plan safe?

Yes. The free plan uses the same no-logs policy, encryption, and security features as paid plans. It is limited to 1 device, 10 countries, and medium speed but does not compromise your privacy. It is one of the only free VPNs I would actually recommend in 2026.

Does ProtonVPN work for streaming?

On paid plans, yes. ProtonVPN Plus supports Netflix, Disney+, Amazon Prime Video, and 90+ other streaming services across multiple countries. The free plan does not include streaming optimization and most services will detect and block it.

What happens to my data if ProtonVPN gets hacked?

Because ProtonVPN does not store browsing logs, a server breach would not expose your browsing history. All servers use full-disk encryption, and Secure Core servers are owned and operated directly by Proton. The 2019 legal case demonstrated that even when compelled, ProtonVPN had no user activity data to provide.

Should I worry about the Swiss surveillance law change?

It is worth monitoring but not an immediate concern. The proposed VUPF update is still in consultation with the Swiss Federal Council. Proton has already begun taking precautionary steps including infrastructure relocation. If it passes, ProtonVPN would need to adapt, but they appear to be planning for that scenario.

Final Verdict

ProtonVPN does not keep logs of your browsing. That claim is backed by four consecutive annual Securitum audits across 2022 to 2025, a SOC 2 Type II attestation, a proven court record, 100% open-source apps, and Swiss legal protections that currently prevent VPN providers from being compelled to log. Among the major VPN providers, ProtonVPN has the most transparent and verifiable privacy posture in 2026.

The caveats are real but manageable. ProtonVPN does not use RAM-only servers, Switzerland’s privacy advantages may erode under proposed VUPF surveillance law changes, and the ProtonMail incident (while legally irrelevant to the VPN) created legitimate trust questions that Proton has been working to address.

My recommendation: if privacy is your primary reason for using a VPN, ProtonVPN is the safest bet in 2026. The combination of audits, open source, Swiss jurisdiction, and a usable free plan is unmatched. Just keep an eye on the VUPF developments, and if you want belt-and-suspenders protection, enable Secure Core routing for the most sensitive browsing.

Written and published by Ashikur Rahman, an SEO operator with over six years building search visibility for law firms and AI tools. Founder of hey-ash.com, editor at CriticNest. I read every privacy policy, audit report, and legal filing referenced in this article personally. Last updated May 16, 2026.