X-VPN Completed the Independent No-Logs Assessment

We’re pleased to share that X-VPN has completed an independent assurance engagement, confirming that we do not collect, store, or track your connection data, nor log your online activities.

We have always believed that privacy protection should not be just a promise written on a webpage. That’s why we underwent an independent assurance to verify our No-Logs Policy. Read on — we’re glad to share the details with you.

Key Points from the Assurance Report

We commissioned one of the Big Four accounting firms in Singapore to conduct an independent assurance engagement on the statements in X-VPN’s Privacy Policy relating to the processing of user data, as well as the corresponding practices supporting those statements. The Big Four audit firm performed this engagement in accordance with the International Standard on Assurance Engagements (ISAE) 3000 (Revised). 

Through inquiries with relevant personnel and a review of X-VPN’s IT system configuration and supporting IT operations, this independent assurance confirmed the following key points:

• We do not collect, store, or log any traffic data, including user or destination IP addresses, browsing activity, websites visited, VPN server information, DNS queries, downloaded content, or connection timestamps.
• We process only the minimum account and billing information required to provide the service: a user-provided email address (not required to be verified), password stored as salted, one-way hashes (e.g., bcrypt), order ID, and order history. No additional personal information is required to create or use an account.
• We collect only aggregated, non-identifiable performance metrics (e.g., CPU usage, memory consumption, and service availability) and do not collect personally identifiable information.
• User-traffic and activity logging are disabled by design: system and service outputs are redirected to a null sink (/dev/null), and controls are in place to prevent log generation or retention in production environments.
• All VPN servers run entirely in RAM-only mode, meaning all data exists only in volatile memory and is never written to or cached on any physical storage. When a server is powered off, restarted, or redeployed, all data in memory is instantly and permanently erased, ensuring a true and verifiable no-log environment.
• Production servers are deployed and managed through a predefined automation system (THA), which enforces and continuously validates the no-logs baseline configuration in production environments.
• All code changes are managed through a version-controlled CI/CD pipeline, subject to multi-level review and automated security scanning designed to validate privacy-related controls.
• Database access is protected using encrypted transmission (modern TLS) and through mutual authentication and an IP whitelist with continuous monitoring.
• The Privacy Policy is maintained to accurately reflect system operations and data processing practices, and the review, update, and publication processes are traceable and verifiable.
• The DPO Group operates with independence and traceability, providing ongoing oversight over privacy governance aligned with the no-logs principles.

Based on the procedures performed and the evidence obtained, the Big Four auditing firms verified our compliance with the No-Logs Policy. 

Two observations were identified from the procedures performed. However, these observations did not change the audit conclusion and were promptly addressed. Users who would like to learn more may refer to the relevant sections of the full report.

Due to the technical nature of the report and relevant disclosure requirements, we cannot publicly share excerpts from the report. However, users can access the full report by logging into their X-VPN account. 

What This Means for X-VPN Users

This independent assurance demonstrates that X-VPN’s statements regarding user data processing have been verified by an independent third party based on system configurations, operational procedures, and supporting controls. 

When you use X-VPN, we do not retain activity records that could be used to reconstruct how you use the service, identify your online behavior, or reveal information that could be linked back to your personal identity. This can give you greater confidence that your privacy is protected while using our service.

Why Independent Verification Matters

We do believe that user trust must be built on a foundation of transparency and accountability.

This independent third-party verification helps us demonstrate, in a more rigorous way, how we implement these principles in our system design, operational processes, and governance mechanisms. This is not only about testing our own standards, but also about how we respond to our users’ long-standing expectations regarding privacy protection.

In other words, we aim to ensure that all our users feel their trust is genuinely valued and their privacy is effectively protected through a more transparent, rigorous, and verifiable approach. We firmly believe that trust, privacy, and security should not be optional extras sought by only a select few users, but rather fundamental safeguards that every user should receive when using a VPN service.

A Milestone, Not the Finish Line

This independent assurance is an important milestone for X-VPN — but it is not the destination. Trust is not built by a single assurance engagement, and privacy protection does not end with one completed project. It should be reflected in how we advance governance, address concerns, and demonstrate to users that these commitments are being consistently fulfilled in every step X-VPN takes.

Looking ahead, X-VPN will continue to advance compliance and security governance. As these efforts mature, we will gradually expand our scope to include additional audits, and publicly share audit findings where appropriate. We will also continue to incorporate long-standing concerns raised by users and the public into our governance and disclosure frameworks, responding with transparent communication and substantial improvements. 

What we hope users see is not just one audit result, but an X-VPN that continues to earn trust through action.