An Audit Found That DuckDuckGo’s VPN Doesn’t Track User Activity
DuckDuckGo’s main focus is privacy, so it’s no surprise that the company makes its own VPN, as long as you pay for it. Now, there are plenty of VPNs out there, and the best ones usually require fees, but it would seem at first glance that DuckDuckGo’s offerings were as solid a choice as any other similar service. Of course, the question of privacy and security always arises whenever you use a service like this: how well does this VPN actually work? Is the company behind this secretly accessing my browsing data when I use the app?
DuckDuckGo appears to have confidence in this area: The company hired independent cybersecurity firm Securitum to conduct an audit of its “no-logs” policy, meaning that no user data, including activity, timestamps or metadata, is recorded or stored on the company’s output servers, on the infrastructure used when transferring data outside of the company’s servers to the user. Securitum conducted its audit from October 2025 to January of this year, sending two of its senior security consultants to study DuckDuckGo’s engineering team.
Secutirum Report Reveals DuckDuckGo Complies With Its No-Logs Policy
As a result of its investigation, Securitum determined that DuckDuckGo VPN appears to be a safe choice, at least based on the domains surveyed. Securitum has confirmed that DuckDuckGo does not track or record user activity on its output servers, after examining random live output servers and finding no evidence of activity tracking. He found that DuckDuckGo does not record connection metadata attributable to the user, such as DNS traffic, and although it uses caching for better performance, the data is still purged after a “standard” 24-hour period. Furthermore, this cache is not designed in such a way that it can be accessed once the data is destroyed.
The audit found that DuckDuckGo VPN does not inspect or record users’ network traffic on its VPN servers, and that the “Scam Blocker” feature is designed to run locally on the user’s device, not on DuckDuckGo’s servers. The VPN also does not monitor the sites or servers you access, which is an essential part of any VPN. Securitum offered some constructive criticism of DuckDuckGo here, recommending that the company use “enhanced file integrity,” something DuckDuckGo has already implemented following the recommendation. The VPN does not use servers shared with other companies or service providers, and this no-logging policy applies to all servers and regions. So no matter where in the world you use DuckDuckGo VPN, the same rules should apply.
Auditors also found that, by design, it should be difficult to change log-related configurations. In fact, they found that “no engineer can unilaterally change logging configurations or push unapproved code.” Finally, Securitum found that DuckDuckGo’s VPN and subscription APIs use separate authentication tokens, which ensures that authorization accounts do not connect to individual users or VPN connections.
What do you think of it so far?
This report does not mean that DuckDuckGo VPN is perfect
Securitum’s audit looks rosy, but all of this should be taken with a grain of salt. The conclusion specifically states that DuckDuckGo “fully complies with the privacy commitments outlined in its No-Logs policy,” which is great, but doesn’t mean the VPN is perfect. There might still be some weaknesses here compared to other VPNs. All we know is that the audit found that DuckDuckGo’s VPNs comply with its no-logging policy.
Still, it’s useful context for anyone using this VPN. You can browse with DuckDuckGo VPN. Rest assured that the company does not store your browsing data on its servers, even when you travel.
