We don’t keep logs of your VPN activity, as explained in the DuckDuckGo Subscription Privacy Policy. This means we have no way to tie what you do while connected to the DuckDuckGo VPN to you as an individual.
DuckDuckGo recently partnered with independent cybersecurity firm Securitum to conduct a targeted audit of our VPN and supporting infrastructure, specifically validating this no-logs policy. Between October 2025 and January 2026, Securitum performed a deep-dive technical inspection, a source code review of proprietary components, and a live system analysis to verify that DuckDuckGo does not collect or retain user-identifiable data.
We are pleased to share that the audit validated our no-logs policy. You can read the full report here or see below for an overview of the key findings.
Key Findings
- DuckDuckGo VPN does not track or log user activity on its egress servers.
- DuckDuckGo does not log user-attributable connection metadata, such as DNS traffic.
- DuckDuckGo VPN does not inspect or log user network traffic on its VPN servers.
- Information about services (e.g. websites, servers) a user connects to is not monitored or logged.
- DuckDuckGo VPN only uses dedicated servers which are not shared with any other businesses or service providers.
- The No-Logs policy is applied uniformly across all servers and geographic regions.
- DuckDuckGo enforces a formal Change Management process that requires dual control for changes to log-related configurations.
- Active VPN configuration files do not have logging directives enabled.
- DuckDuckGo VPN and Subscription APIs use separate authentication tokens to authorize accounts that are not connected to an individual user or their VPN connection.