DuckDuckGo says an independent audit found its VPN does not collect or retain user-identifiable activity data, giving outside support to one of the company’s central privacy promises. The review, conducted by cybersecurity firm Securitum between October 2025 and January 2026, matters because “no-log” claims are difficult for customers to verify on their own.
Why the audit matters
A VPN routes internet traffic through an encrypted connection and masks a user’s apparent location, but privacy depends heavily on what the provider itself can see and store. If a VPN company keeps detailed records, the service can still become a repository of sensitive information even when it shields traffic from local networks, internet providers, or public Wi-Fi operators.
That is why outside audits have become an important trust signal across the VPN industry. Marketing language about privacy is easy to publish; proving that internal systems are designed to avoid retaining identifiable records is much harder. DuckDuckGo said Securitum carried out a source code review of proprietary components, a technical inspection, and a live system analysis to test whether its no-log policy matched operational reality.
What DuckDuckGo says the review found
According to the company, the audit concluded that its VPN does not track browsing activity and that the no-log policy is enforced as described. DuckDuckGo also released the full report, a useful step because transparency depends not just on a headline claim but on whether outsiders can inspect the scope of the review and the limits of what was tested.
This follows an earlier security audit in 2024 and retests in 2025 that, DuckDuckGo said, confirmed medium-risk or higher vulnerabilities had been addressed. The distinction is important. A security audit asks whether a service is built and maintained safely; a no-log audit asks whether the provider’s privacy claims hold up in practice. Users need both.
Privacy promises are only as strong as the system behind them
For privacy-conscious customers, a no-log audit does not mean a VPN becomes invisible to every form of scrutiny, nor does it guarantee anonymity in all circumstances. A VPN can protect traffic in transit and reduce routine tracking by network intermediaries, but it does not erase the risks posed by browser fingerprinting, account sign-ins, malware, or data voluntarily handed to websites and apps.
Still, independent verification carries weight, especially for a company that sells a broader privacy bundle rather than a standalone VPN alone. DuckDuckGo’s subscription packages the VPN with identity theft protection, data removal, and other security features, positioning the product as a consumer privacy service rather than a single-purpose tool. For buyers comparing such offerings, documented audits are one of the few concrete ways to separate technical assurances from branding.
What readers should look for next
The larger lesson is not limited to one company. Privacy products increasingly ask users to trust promises they cannot directly test, which makes recurring third-party reviews more valuable than one-off declarations. The most credible providers publish audit reports, define what data they do and do not retain, and explain the legal and technical limits of their claims in plain language.
DuckDuckGo’s latest audit strengthens its case with users who place a high value on private browsing. The harder task, for DuckDuckGo and the wider VPN market, is maintaining that trust through repeat audits, clear disclosures, and systems built to minimize data collection from the start.
