X-VPN will never sell, use, or disclose any data to any third parties for any purpose. We are committed to transparency, security, and privacy by design, ensuring that your data stays yours, always.
Encrypted Data Transmission
TLS-Based Tunnel Encryption
We secure all VPN tunnels with TLS (Transport Layer Security), employing AES-GCM cipher suites combined with Elliptic-Curve Diffie–Hellman Ephemeral (ECDHE) key exchange. This configuration provides both confidentiality/integrity and forward secrecy for user traffic.
Key Rotation & HKDF Derivation
Encryption keys are rotated regularly—either on a time schedule or upon new session establishment. We leverage the HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
• Extract: Derive a pseudorandom initial key material (IKM) from the shared secret and a salt via HMAC.
• Expand: Generate distinct encryption and authentication keys from the IKM using HMAC with context-specific identifiers.
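The two HKDF steps above, as an added illustration that is not X-VPN's own code: it follows RFC 5869, which names the Extract input IKM and its output PRK. The SHA-256 hash, the context labels, the salts and the sample secret are assumptions made for the example.

```python
import hashlib
import hmac

HASH = hashlib.sha256            # assumption: the page does not name the hash
HASH_LEN = HASH().digest_size    # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract: PRK = HMAC(salt, IKM). RFC 5869 calls the input IKM and the output PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF output length must be 1..255 hash blocks")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret: bytes, salt: bytes) -> dict:
    """Derive two independent 256-bit keys from one ECDHE shared secret."""
    prk = hkdf_extract(salt, shared_secret)
    # Hypothetical context labels: distinct info strings yield independent keys,
    # so the same PRK never produces the same key for two purposes.
    return {
        "encryption": hkdf_expand(prk, b"example-vpn encryption key", 32),
        "authentication": hkdf_expand(prk, b"example-vpn authentication key", 32),
    }


if __name__ == "__main__":
    secret = bytes(range(32))        # constructed stand-in for an ECDHE output
    old = derive_session_keys(secret, salt=b"session-1")
    new = derive_session_keys(secret, salt=b"session-2")   # rotation: fresh salt
    print(old["encryption"].hex())
    print(new["encryption"].hex())
```

With a new salt or a new ECDHE exchange per session, every derived key changes, which is what makes rotation on session establishment inexpensive.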
All Phases Encrypted
Every phase, from VPN connection establishment and authentication to traffic billing and user data transmission, is fully encrypted with AES-GCM-256.
Industry Assurance: TLS 1.3 and AES-GCM are widely recognized as the most secure and efficient cryptographic standards in use today. They are endorsed by organizations such as NIST (National Institute of Standards and Technology), and are the foundation of secure communication protocols used across banking, government, and large-scale cloud platforms.
Zero-Retention Packet Handling
Client Side
All VPN traffic is handled in-memory before passing packets to the tunnel. No data is collected or persisted.
Server Side
The server performs in-memory tunnel read or write operations and traffic-size billing, without logging or storing any user data.
Implementation
In-Memory Session Caching
All VPN packet handling and session metadata reside exclusively in volatile RAM on our VPN servers. No traffic payloads or IP-to-client mappings are ever written to disk—only aggregated TX/RX byte counts are briefly held in memory for billing calculations. User traffic data in RAM is automatically purged within 1 second, and all in-memory data is fully erased upon shutdown or reboot, ensuring complete data ephemerality.
Whitelisted Logging via Code Review
We maintain a strict log‐whitelisting policy: every log statement must be explicitly approved in code review. Any attempt to introduce unapproved or sensitive logging is automatically rejected by our CI pipeline.
Centralized Log Governance
All logs from client, API and VPN servers are redirected to a designated directory structure—no ad-hoc or stray log files can exist outside this controlled pipeline.
DNS Handling
We operate our own recursive DNS server. All DNS requests are forwarded to a dedicated process that only handles queries and responses, without any user-identifiable information. As a result, DNS activity cannot be traced back to individual users.
No User Data Stored
No Real IP Storage
Our system does not collect or store users’ real IP addresses at any point.
No Traffic or Content Logging
We do not log browsing activity, DNS requests, or content access. VPN traffic is processed in memory and immediately discarded.
Unknown User-VPN Server Relationship
Our infrastructure does not track or retain which users connect to which VPN servers.
Strict Internal Access Control
Least Privilege
Access to production servers and logs is strictly limited. Even developers can only access separate test clusters.
Dual-Approval Log Access
Requests to view or export production logs require a co-signature from two authorized persons.
SSH-Only Authentication
Administrative access uses SSH key-based login, with password authentication disabled to minimize credential theft risks.
Code Review
All code changes must pass a GitLab Merge Request, reviewed and approved by at least two technical peers before merging. Our CI/CD Pipeline uses mandatory static code analysis tools to automatically scan submissions and Merge Requests, blocking non-compliant code from entering the master branch to maintain security and compliance.
Continuous Compliance
To ensure ongoing adherence to our zero-retention and privacy commitments, X-VPN has implemented a multi-layered Continuous Compliance program that builds on our existing Testing & Validation framework.
Scheduled Code Audits (Quarterly)
We perform comprehensive code audits every quarter. Led by our security engineering team, these reviews target all traffic-handling, logging, and data-processing modules. Findings are logged in our issue-tracking system and must be remediated in the next sprint, with fixes verified through our CI pipeline.
CI Pipeline–Enforced Static Analysis
Every GitLab Merge Request triggers automated static analysis (custom security linters, forbidden-logging detectors). Any introduction of unapproved logging calls or deviations from our secure-coding standards causes the build to fail, preventing non-compliant code from merging.
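A forbidden-logging detector of the kind described here and under "Whitelisted Logging via Code Review", as an added sketch that is not X-VPN's tooling: it assumes Python sources, and the allowlist entries and sample change are constructed. It rejects any log call whose message is not a reviewed literal, or that interpolates extra data into an approved one.

```python
import ast

# Constructed allowlist: (logger method, literal message) pairs approved in review.
APPROVED_LOGS = {
    ("info", "tunnel established"),
    ("warning", "billing counter flush delayed"),
}
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "exception"}

# Constructed sample change; line numbers below refer to this string.
SAMPLE_CHANGE = '''
import logging
log = logging.getLogger("vpn")

def on_connect(client_ip, session):
    log.info("tunnel established")
    log.info("client %s connected", client_ip)
    log.debug(f"session {session}")
    log.info("tunnel established", client_ip)
'''


def find_unapproved_logs(source: str, filename: str = "<change>") -> list:
    """Return (filename, line, reason) for every log call outside APPROVED_LOGS."""
    violations = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        # Strict by design: any method named like a log level is treated as logging.
        if node.func.attr not in LOG_METHODS:
            continue
        first = node.args[0] if node.args else None
        if not (isinstance(first, ast.Constant) and isinstance(first.value, str)):
            # f-strings, concatenation and variables cannot be reviewed as fixed text.
            violations.append((filename, node.lineno, "non-literal log message"))
        elif (node.func.attr, first.value) not in APPROVED_LOGS:
            violations.append((filename, node.lineno, "message not in allowlist"))
        elif len(node.args) > 1 or node.keywords:
            violations.append((filename, node.lineno, "approved message with extra arguments"))
    return sorted(violations, key=lambda v: v[1])


if __name__ == "__main__":
    problems = find_unapproved_logs(SAMPLE_CHANGE)
    for name, line, reason in problems:
        print(f"{name}:{line}: {reason}")
    raise SystemExit(1 if problems else 0)   # non-zero exit fails the CI job
```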
Internal Training & Accountability Mechanism
We hold regular developer training on privacy requirements and secure-coding best practices. Any policy violations detected during audits or CI runs trigger a formal accountability process—including documented remediation steps and targeted retraining—to close the loop on compliance.
Collaborative External Supervision
Bug Bounty Program
We are dedicated to enhancing our services in partnership with our users. We recognize and reward security researchers who report vulnerabilities through our bug bounty program, which contributes to our safety.
24/7 Feedback Mechanism
Our support team is on standby 24/7 for user feedback, fostering collaborative supervision that drives our growth.
Bug Bounty Report
We have received privacy and security-related issues reported by security researchers, experts, and users from around the world. These insights helped us grow and provide better services.
Bug Types | Amount | Status
Email Security & Validation | 3 | Solved
Input Validation & Injection (Client-Side) | 3 | Solved
Server & Protocol Configuration Issues | 5 | Solved
Web Security Headers & iframe Settings | 3 | Solved
Session & Authentication Controls | 2 | Solved
Reports received from Jan 2025 to June 2025
Our Innovation
We have made significant efforts to protect user data security by deploying RAM-only servers for our online products and implementing zero-trust technology to strictly control internal access.
RAM-Only Servers
• All data is wiped on every reboot, as the VPN server runs entirely in memory.
• No data is ever written to disk, minimizing the risk of leakage or recovery.
• The full software stack is reinstalled each time the server starts.
• All server binaries are centrally managed and verified with hash checks to ensure consistency—we always know exactly what is running on each machine.
• A monitoring system continuously checks the server's health to ensure the VPN service remains stable and operational.
Zero-Trust Access Control
• Access Based on Roles: Employees get only the access they need, based on their job role.
• Ongoing Identity Checks: We constantly verify who is accessing the system to make sure everything is in compliance.
• Secure Communications: All internal communications are encrypted to keep them safe.
• Flexible Security Measures: We adjust security settings automatically based on what employees are doing and their environment.
• Blocking Unwanted Access: We immediately stop unauthorized access attempts and alert on suspicious activities.
X-VPN Transparency Report
We provide a fully transparent report on user data requests from governments and law enforcement agencies worldwide. Because no logs are kept, no user data exists, and X-VPN simply responded that there's nothing we can do.
Type | Requests Received | Data Provided
Law Enforcement Requests | 65 | 0
DMCA Requests | 239,509 | 0
Civil Court Orders | 0 | 0
Criminal Court Orders | 0 | 0
Gag Orders/Restrictive Orders | 0 | 0
Data requests received from 2017 to June 2025: none resulted in data disclosure.
Our Commitment to Privacy
Your Data, Your Choice
You can use X-VPN without an account. No registration or email is necessary. If you choose to create an account, a virtual email is acceptable. You can also pay with cryptocurrency to maintain your anonymity. All personal information is optional.
No Tracking, No Worries
We never track your activity. No third-party analytics or social widgets are used to analyze user habits. We even developed an innovative anti-tracking feature to help protect you against unwanted trackers. Browse worry-free, as the internet should be.
Self Hosted, In Control
X-VPN routes all your DNS requests through our secure private DNS servers. Your data never passes through untrustworthy third-party services, ensuring your privacy and security at all times. You maintain complete control.