PIA Announces Completion of Independent Audit Conducted by a Big Four Firm

Posted on Aug 30, 2022 by Adina Matei

Our commitment to online privacy stands at the core of our service – we operate under a 100% transparency credo. That said, we know VPN use is tied to trust. We know reviewers and journalists have often mentioned our US headquarters as a concern. We’re here to say that we’ve always abided by our airtight No Logs policy. We’ve never retained any metadata, and we’ve never had any data to share with the authorities. 

But we are a company that wants our actions to speak for us. We don’t want you to take our No Logs promises at face value. Just as we are transparent with our source code and our regular Transparency Reports, we aim to be open about our infrastructure too. Because of this, Private Internet Access underwent an independent audit to review our No Logs policy.

Deloitte, one of the Big Four auditing firms, reviewed our server environment and found that we store no logs and no details that could be used to identify our users or pinpoint their activities.

How Did Deloitte Test PIA’s Infrastructure?

We invited Deloitte Audit Romania to review our VPN server network and management systems and to examine how we maintain a zero-log VPN service, in order to confirm that server configurations align with internal privacy policies and are not designed to identify users or pinpoint their activities. As part of this assurance engagement, Deloitte inspected our server configuration and found that, as of June 30, 2022, our server configurations align with internal privacy policies and are not designed to identify users or pinpoint their activities.

The audit has been conducted in accordance with the International Standard on Assurance Engagements 3000 (Revised) applicable to Assurance Engagements Other Than Audits or Reviews of Historical Financial Information (ISAE 3000 (Revised)) established by the International Auditing and Assurance Standards Board (“IAASB”) and should be read in full.

What Does This Mean for Our Customers?

To put it simply, there is no trace of your activity on our servers. This is because our VPN service runs on RAM-only servers: they boot from a read-only image and use RAM modules, rather than hard disks, as their working storage. Hard disks retain data persistently, whereas a RAM-only environment is volatile. We also configured our servers to reboot routinely, and with every reboot or power outage all data held in memory is immediately lost.
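One check an operator of a host built this way would want is confirmation that nothing writable sits on persistent storage. The script below is an added example, not PIA's code: it parses text in `/proc/mounts` format (the mount table inside it is constructed sample data) and reports writable mounts that are not RAM-backed, together with whether the root filesystem is mounted read-only.

```python
"""Audit a Linux mount table for writable, persistent storage.

Added example, not PIA's code. On a RAM-only host every writable mount
should be RAM-backed and the root image read-only. SAMPLE is a constructed
/proc/mounts excerpt; replace it with open("/proc/mounts").read() on a host.
"""
from collections import namedtuple

Mount = namedtuple("Mount", "source target fstype options")

VOLATILE_FS = {"tmpfs", "ramfs", "devtmpfs"}
# Kernel pseudo filesystems carry no persistent user data; skip them.
PSEUDO_FS = {"proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue",
             "securityfs", "debugfs", "tracefs", "bpf", "configfs"}

def parse_mounts(text):
    """Parse /proc/mounts lines: source target fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        # The kernel escapes spaces in mount points as the octal sequence \040.
        target = fields[1].replace("\\040", " ")
        mounts.append(Mount(fields[0], target, fields[2],
                            frozenset(fields[3].split(","))))
    return mounts

def persistent_writable(mounts):
    """Return mount points that are writable and not RAM-backed."""
    return [m.target for m in mounts
            if "rw" in m.options
            and m.fstype not in VOLATILE_FS
            and m.fstype not in PSEUDO_FS]

def root_is_read_only(mounts):
    """True when the root filesystem is mounted read-only."""
    return any(m.target == "/" and "ro" in m.options for m in mounts)

SAMPLE = """\
/dev/sda2 / ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /var/lib/persist ext4 rw,relatime 0 0
"""
if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE)
    print("root read-only:", root_is_read_only(mounts))
    print("persistent writable mounts:", persistent_writable(mounts))
```

On the constructed sample the only finding is `/var/lib/persist`, an ext4 volume mounted read-write; overlay or bind mounts need a manual look at their backing device, since the filesystem type alone does not reveal it.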

We designed our network architecture specifically to prevent data retention. We have no user data, and we can’t be compelled to share information on our users – in fact, the US government can’t force US-based VPN providers to violate a zero-log policy because of consumer protection laws.

Furthermore, we have security systems in place to ensure third-party entities can’t force their way into our network. One way we do this is by disabling all error logs and debug information. If we ever require error logs for development purposes, we create an entirely new traffic server inside an isolated environment. Despite the potential drawbacks for our development and debugging processes, this is an acceptable trade-off for securing user data.

Even our Dedicated IP service is built as a token-based system to prevent any association with a specific user. This token is only saved in the client, which isn’t enough for a server-side association.

This No Logs Audit Is Another Milestone for PIA

We’ve always stayed true to our commitment to online privacy. We’ve always advocated for digital freedom and anonymity. This Deloitte audit is just another milestone in our journey as privacy activists, but it’s not the first time our No Logs policy has been scrutinized. PIA is one of the few VPN providers to have proven their zero-log service in court. We were subpoenaed multiple times for logs, and each time we had no data to share.

We are honest and transparent with our users, and we don’t cut any corners with the VPN service we offer. PIA is one of the few VPN providers offering 100% open-source VPN apps, despite this not being an industry standard practice. Our code is available for anyone to inspect and analyze. 

We’re also open with any changes to our server infrastructure and keep our users informed. Recently, in light of India’s No. 20(3)/2022-CERT-In directive, we’ve pulled out our Mumbai servers and replaced them with virtual server locations. We made this decision to circumvent mandatory logging laws, as we refuse to compromise our service and No Logs commitment. 

Back home in the US, we’ve launched our 50 Servers in 50 States campaign. Unfortunately, state and federal laws are still playing catch-up with cybercrime, so we’ve taken it upon ourselves to help Americans protect their online privacy and secure their traffic from malicious actors.

More updates to our infrastructure are coming soon, as we’re undergoing extensive hardware optimization. For example, we’re slowly transitioning our fleet to colocated servers to provide increased security measures, better VPN speeds, and more reliable connections. This also means we’re investing in and managing more of our own next-generation servers.

We’ve always put our users’ privacy and digital safety at the forefront of our service, and we’re grateful for the users who put their trust in us. We’ll never break that trust, and we’re holding true to our commitment to bring more transparency to the industry. We’re open to future independent audits and will also be updating our Transparency Report editions on a more regular basis throughout the year.

Choose PIA for Top-Quality Security and Online Privacy

We’re long-time advocates for digital privacy and cybersecurity in the US, and now we have an independent audit that attests to our No Logs VPN service. We offer the strongest data protection software possible, and our VPN online shield is critical to keeping your information safe in this digital age. It doesn’t matter if you need a macOS VPN, Windows VPN, or a VPN that’s compatible with iOS or Android: PIA protects up to 10 of your devices simultaneously.

We can unequivocally state that we don’t store any user activity log or metadata. And we wouldn’t have it any other way.

We take our No Logs policy seriously, and this audit is not our final endeavor. In the future, we’ll continue to be transparent with the security safeguards we put in place for our users. 


119 Comments

  1. Kevin

    Top class service, best of the lot

    2 years ago
    1. PIA Team

      Hi Kevin, thank you for your support.

      2 years ago
  2. Seth

    I’m a huge fan of PIA. PIA is so good that I am even able to play online FPS games such as Call of Duty or Apex Legends without any issues. In fact, I have friends who live on the opposite side of the country and often VPN to a location closer to them to get better performance than connecting without a VPN. This isn’t always the case, as sometimes the performance is the same, but it does go to show just how well PIA’s service performs even under the most extreme conditions where low latency is a top priority.

    2 years ago
    1. PIA Team

      Hi, Seth.

      We’re glad to hear our servers can help you and your friends game together. Thank you for being on the PIA team and keep on winning!

      2 years ago
  3. Benoit

    Congratulations! As a long-time PIA user on Linux home computers, I am impressed how user-friendly and secure PIA is.

    2 years ago
    1. PIA Team

      Hello Benoit, thank you very much for your support.

      2 years ago
  4. Peter Jannece

    Does this mean that your fees will be increased?

    2 years ago
    1. PIA Team

      Thank you for your comment, Peter. This audit won’t have any influence on our subscription prices.

      2 years ago
  5. Fred

    Ehh? This is not true!

    Hi. Thank you. Good to learn. Do you have a result when testing IN one of the 7 Eyes countries?

    Quote: “Servers in 50 States campaign. Unfortunately, state and federal laws are still playing catch-up with cybercrime, so we’ve…”
    Please tell us more about how your geolocation works by jurisdiction in the USA, and give some more reassurance than you did. Just like others in the USA, you are obliged to hand over the users’ actual data, like originating IP and actual or present connections.
    Your connections are good!
    Thank you for more clarification.
    Kind regards,

    2 years ago
    1. PIA Team

      Hi, Fred.

      While legal requests can be issued to VPN providers, court records have shown that we do not keep any logs of any user data – that includes originating IP and/or present connections. Currently, US companies have the right to not keep usage logs or records containing personally identifying information.

      Thank you for your comment and glad to have you on board.

      2 years ago