DuckDuckGo says privacy is the point of its paid VPN, and a new independent audit offers support for one of the company’s central promises: that it does not keep logs of what users do while connected. For people weighing whether a privacy-focused brand can be trusted with sensitive traffic, that finding matters. It also leaves open a separate question: whether a no-logs policy alone makes a VPN the best choice.
What the audit actually examined
DuckDuckGo hired cybersecurity firm Securitum to review its no-logs policy, focusing on whether the company stores activity data, timestamps, metadata, or other user-attributable records on its egress infrastructure. According to the report, auditors reviewed live servers and found no evidence that DuckDuckGo tracks browsing activity or keeps connection data that could be tied back to an individual user. They also found that the VPN does not inspect user network traffic on its servers.
The report describes a setup designed to reduce the chances of accidental or unilateral changes. Securitum said no single engineer can independently alter logging settings or deploy unapproved code, a governance detail that matters because privacy failures are often caused not only by policy, but by internal access and configuration practices. The audit also found that authentication for the VPN and subscription systems is separated, which helps limit the connection between account identity and VPN sessions.
Why no-logs audits matter — and what they do not prove
A VPN asks users to reroute trust. Instead of handing internet traffic to a local provider, users hand it to the VPN company. That makes independent audits more than a marketing exercise: they are one of the few ways outsiders can test whether a provider’s privacy claims line up with its technical design.
But an audit is not a blanket guarantee. Securitum’s conclusion, as described by DuckDuckGo, is that the company complies with its no-logs commitments. That is narrower than saying the product is flawless, the strongest on the market, or immune to future mistakes. Audits are time-bound reviews of defined systems and policies. They can show that a company appears to be following its stated rules during the review period; they cannot promise that every risk has been eliminated.
The technical details that matter to users
Several findings are more meaningful than they may first appear. Securitum said DuckDuckGo does not log DNS traffic in a user-attributable way, and that its caching system retains data for performance purposes only for a standard 24-hour period before purging it. The report also says the Scam Blocker feature runs locally on the device rather than on DuckDuckGo’s servers, which is relevant because privacy tools can quietly weaken their own claims when filtering or threat checks are processed remotely.
The audit further states that DuckDuckGo does not use servers shared with other businesses or service providers, and that the same no-logs rules apply across regions. Consistency matters in VPN operations because privacy protections can become uneven when infrastructure differs by country or vendor. Securitum did recommend stronger file integrity protections, and DuckDuckGo says it has already made that change, suggesting the review was not purely ceremonial.
How to read this result if you are choosing a VPN
The practical takeaway is modest but useful. If the audit is accurate, DuckDuckGo users have reason to feel more confident that their browsing activity is not being stored on the company’s VPN servers. For travelers, people on public Wi‑Fi, and users who want an added privacy layer from their internet provider, that is a meaningful assurance.
Still, choosing a VPN involves more than asking whether logs are kept. Users may also care about speed, device support, server footprint, transparency around ownership, how often audits are repeated, and how quickly a company responds to security recommendations. DuckDuckGo’s audit strengthens its privacy case. It does not end the comparison with rivals, but it gives the company something many VPN providers still struggle to offer: outside verification of a claim that sits at the core of the product.
