PureVPN Trust Center

The trust of more than 3 million users inspires PureVPN to be the very best. Here’s a look at how we work to earn your trust at PureVPN.


Defending our infrastructure from security breaches

Your online security is always a priority at PureVPN. Check out the security practices we follow, and the validation/testing practices we employ to keep your data secure at all times.

Account and access control

PureVPN’s infrastructure is equipped with a strong authentication mechanism at every level. Access to our VPN servers is maintained via a centralized access manager, which assesses each access request and, if approved, issues time-bound access with a one-time password (OTP). Access to our code repository is also protected by multi-factor authentication. IP whitelisting is mandatory for any access to our infrastructure.

Application software security

Our engineering process entails security assessment from the epic and grooming phase until the feature goes live. The code review process follows the ‘four-eye’ principle, where a review is performed by multiple teams prior to merging into the release and master branches. A static code analysis tool is integrated into the continuous integration (CI) process, and identified bugs are fixed prior to rollout in production. Additionally, a reputable third party is brought on to perform application security assessments using advanced testing methodologies.

To ensure that there is no traffic leakage from the VPN tunnel, PureVPN has developed open-source tools to test for leaks. These are readily available on our website.

Components of the client-side applications that run in privileged mode for required functionality, such as adding firewall rules, are secured using memory protection, strong authentication, and by exposing only permissible actions to non-privileged users.

Continuous vulnerability management

We have implemented an automated vulnerability management program wherein weekly scans are performed and reported vulnerabilities are fixed. Any vulnerability reported ad hoc is tested and fixed across the infrastructure in minimal time. Our employees are subscribed to CVE announcements for all in-production software to support the vulnerability management program. Additionally, policy compliance scans are scheduled to continuously monitor security baseline configurations.

Network monitoring and defense

We have implemented an intrusion detection and prevention system on our infrastructure and cloud assets to mitigate attacks and to be alerted to potentially malicious events in a timely fashion. Traffic is routed via a Web Application Firewall to mitigate platform attacks such as DDoS and web application attacks.

Penetration testing

PureVPN has implemented a penetration testing program at multiple levels. Employees are assigned to test our infrastructure and applications during engineering work streams. A reputable third-party firm is then brought on board to test all platforms.

Secure configuration of assets

At PureVPN, the deployment of applications and infrastructure is fully automated, removing the human element from the process. International security benchmarks are part of the security baseline configuration enforced at PureVPN. Hardened images are deployed using an automated configuration management tool.

All firewalls are configured to deny traffic by default; only authorized protocols and intended traffic are allowed after the change assessment process.

Where applicable, a dedicated workstation hardened for specific tasks is used to access production systems. This enables us to provide the best services to our users with embedded quality and security assurance. All services and operations run under a least-privilege model to reduce the attack surface.

Monitoring agents are part of the configuration baseline to ensure automated compliance and integrity of critical files.

We have a segregated web architecture. Our website servers do not host any data, nor do they have any direct access to databases. Interaction is built using best practices by implementing API gateways with limited exposure to only the intended data views. The attack surface is further reduced by allowing only limited consumer interaction with business logic.

Endpoint security

Users are not authorized to export any consumer’s personally identifiable information. A device security policy is applied on user systems with predefined hardened images.

Endpoint security control is implemented to mitigate the spread of malware and attacks on host systems. Strict URL monitoring is implemented to ensure that even potentially malicious sites are blocked.

Systems are patched periodically via an automated tool. Host-based network firewalls, intrusion detection and prevention systems, security baseline benchmarking, application control, restricted removable storage access, privileged ID control, and continuous host monitoring via a centralized solution are key highlights of our endpoint security.

Security awareness and training

All staff, including employees and contractors, are part of the PureVPN security awareness program from the time they join the company until they move on to opportunities outside PureVPN. We ensure that all our employees and contractors understand the security requirements at PureVPN and that cybersecurity is a crucial part of their work philosophy.

Since we deal with global customers, we make it a point that our employees, suppliers, and contractors understand the importance of cybersecurity measures to protect their data. We always screen our employees and contractors against human and technical security requirements, including security clearance of employees, and third-party security compliance certificates for vendors and partners.

Meeting your high standards of online privacy

How can we share data if we don’t retain any, right? Being a no-log service, we do not keep any data that can later be shared with anyone else.

No-log policy

PureVPN is a no-log certified VPN service provider, where customer privacy is a priority. We do not keep any customer VPN data (VPN IP, activities performed while connected to a PureVPN server, etc.). Our customer success agents, who provide customer support, access the data via a bastion host using whitelisted IPs (an additional security measure). Multi-factor authentication is implemented for logging into the web application. Only limited PII is required to use our service; we do not ask for any payment information, which is available only to the payment processor.

Privacy-friendly jurisdiction

PureVPN specifically chose the British Virgin Islands as its headquarters because there are “no mandatory data retention laws” there. We are, therefore, not legally obliged to store user data or share it with anyone.

GDPR compliant

General Data Protection Regulation (GDPR) came into effect back in 2018. As per GDPR rules, businesses are required to secure their users’ personal data, while clearly highlighting their privacy policies. Further, businesses require consent from users to share their data with third parties. Failure to comply with GDPR rules results in major penalties. PureVPN has been a GDPR-compliant VPN brand since 2018 when the regulations first came into effect.

Quantum-resistant encryption keys

PureVPN now offers Quantum-Resistant Encryption Keys, which adds another layer of protection to your data. With PureVPN, you are completely safe online as the keys are generated using the power of quantum computers. This makes the keys inherently resistant to cyber threats and protects users from the key brute forcing capability of quantum computers. The feature has been rolled out for our users in the US, UK, Australia, Germany, Canada, and the Netherlands. Meanwhile, we are actively working to make this feature available for everyone.

Earning your trust through transparency

How do we manage your data? One word: transparently. In this section, we delve deeper into how exactly we secure your data to give you confidence in our operations.

Privilege access monitoring

Customer privacy is paramount at PureVPN. We make sure that even authorized access to servers is strictly monitored and controlled. Stringent controls and technology are in place to confine privileged access on VPN servers and to monitor privileged use, ensuring that only authorized activities can be performed by administrators, in compliance with PureVPN’s privacy policy.

An access management solution is implemented to enforce time-based access, which is granted after multiple stages of approval. A dedicated function is established for continuous monitoring of privileged activities on servers, such as verifying conformance to an approved software list and baseline configuration, so that any change that may affect customer privacy does not go undetected.

Transparency report

PureVPN has a strict no-log policy in place. This means that our users can rest assured that their data always remains secure and private. Being in a privacy-friendly jurisdiction, PureVPN is not expected to handle many data-sharing requests in the first place. But even if or when a request for a user’s data is made, PureVPN does not have a system in place that can retain the relevant user data, making it impossible to share it with any third party.

PureVPN periodically releases transparency reports in order for our users to see how exactly we handle their data. You can check out these periodic transparency reports here.

Always-on no-log audit

We’ve already completed three successful no-log policy assurance audits from two of the most reputable auditing firms. Moreover, we are the only VPN brand with an always-on no-log audit status from KPMG. This agreement allows KPMG, one of the big-four IT auditing firms, to perform a surprise audit of PureVPN’s servers at any time to check if we are complying with our privacy policy.

So far, we’ve already been audited twice by KPMG and once by Altius IT, all of them certifying that PureVPN complies with its no-log policy.

Warrant canary

PureVPN follows a strict no-log policy that is regularly audited and certified by reputable auditing firms, including KPMG. We can’t share any data if we don’t have it, right? Since we’re based in the British Virgin Islands, we are not bound by any mandatory data-retention laws that force us to record your data.

As of 01/07/2022
  • We have not received any court orders
  • We have not received any subpoenas
  • We have not received any emergency disclosure reports

We remain 100% committed to our No-Log Policy, and our always-on audit agreement with KPMG certifies that we don’t go back on our word.


You trust us!

Your privacy is our priority


Always-On No-Log Certified

PureVPN is the first and only VPN service with an always-on audit commitment with KPMG. This means that KPMG can perform a surprise audit of PureVPN servers at any time and check if PureVPN is complying with its Privacy Policy.


Member of i2Coalition’s VPN Trust Initiative

In a continuous effort to raise and bolster users’ trust and confidence in our services, we have become an esteemed member of the Internet Infrastructure Coalition (i2Coalition) and its VPN Trust Initiative (VTI). VTI is an industry-led consortium of VPN leaders focused on improving the digital safety of consumers. It works by building, understanding, and strengthening trust with VPN users, and mitigating any risks they might face.

We need your input

Help us make PureVPN the product that fits all of your needs and requirements.