PIA Announces Completion of Independent Audit Conducted by a Big Four Firm

Posted on Aug 30, 2022 by Adina Matei

Our commitment to online privacy stands at the core of our service – we operate under a 100% transparency credo. That said, we know VPN use is tied to trust. We know reviewers and journalists have often mentioned our US headquarters as a concern. We’re here to say that we’ve always abided by our airtight No Logs policy. We’ve never retained any metadata, and we’ve never had any data to share with the authorities. 

But we are a company that wants our actions to speak for us. We don’t want you to take our No Logs promises at face value. Just like we’re transparent with our source code and regular Transparency Reports, we aim to be honest with our infrastructure too. Because of this, Private Internet Access underwent an independent audit to review our No Logs policy.

Deloitte, one of the Big Four auditing firms, reviewed our server environment and found that we store no logs and no details that could be used to identify our users or pinpoint their activities.

How Did Deloitte Test PIA’s Infrastructure?

We invited Deloitte Audit Romania to review our VPN server network and management systems and to examine how we maintain a zero-log VPN service, in order to confirm that server configurations align with internal privacy policies and are not designed to identify users or pinpoint their activities. As part of this assurance engagement, Deloitte inspected our server configuration. The auditing firm found that, as of June 30, 2022, server configurations align with internal privacy policies and are not designed to identify users or pinpoint their activities.

The audit has been conducted in accordance with the International Standard on Assurance Engagements 3000 (Revised) applicable to Assurance Engagements Other Than Audits or Reviews of Historical Financial Information (ISAE 3000 (Revised)) established by the International Auditing and Assurance Standards Board (“IAASB”) and should be read in full.

What Does This Mean for Our Customers?

To put it simply, there is no trace of your activity on our servers. This is because our VPN service runs on RAM-only servers. These servers boot on a read-only image and use RAM modules, as opposed to hard disks. Hard disks are traditionally used as storage, whereas a RAM-only environment is more volatile. We also configured our servers to routinely reboot. With every reboot or power outage, all data is immediately deleted.

We designed our network architecture specifically to prevent data retention. We have no user data, and we can’t be compelled to share information on our users – in fact, the US government can’t force US-based VPN providers to violate a zero-log policy because of consumer protection laws.

Furthermore, we have security systems in place to ensure third-party entities can’t force their way into our network. One way we do this is by disabling all error logs and debug information. If we ever require error logs for development purposes, we create an entirely new traffic server inside an isolated environment. Despite potential drawbacks to our development and debugging processes, it’s an acceptable trade-off for securing user data.

Even our Dedicated IP service is built as a token-based system to prevent any association with a specific user. This token is only saved in the client, which isn’t enough for a server-side association.

This No Logs Audit Is Another Milestone for PIA

We’ve always stayed true to our commitment to online privacy. We’ve always advocated for digital freedom and anonymity. This Deloitte audit is just another milestone in our journey as privacy activists, but it’s not the first time our No Logs policy has been scrutinized. PIA is one of the few VPN providers to have proven their zero-log service in court. We were subpoenaed multiple times for logs, and each time we had no data to share.

We are honest and transparent with our users, and we don’t cut any corners with the VPN service we offer. PIA is one of the few VPN providers offering 100% open-source VPN apps, despite this not being an industry standard practice. Our code is available for anyone to inspect and analyze. 

We’re also open with any changes to our server infrastructure and keep our users informed. Recently, in light of India’s No. 20(3)/2022-CERT-In directive, we’ve pulled out our Mumbai servers and replaced them with virtual server locations. We made this decision to circumvent mandatory logging laws, as we refuse to compromise our service and No Logs commitment. 

Back home in the US, we’ve launched our 50 Servers in 50 States campaign. Unfortunately, state and federal laws are still playing catch-up with cybercrime, so we’ve taken it upon ourselves to help Americans protect their online privacy and secure their traffic from malicious actors.

More updates to our infrastructure are coming soon, as we’re undergoing extensive hardware optimization. For example, we’re slowly transitioning our fleet to colocated servers to provide increased security measures, better VPN speeds, and more reliable connections. This also means we’re investing in and managing more of our own next-generation servers.

We’ve always put our users’ privacy and digital safety at the forefront of our service, and we’re grateful for the users who put their trust in us. We’ll never break that trust, and we’re holding true to our commitment to bring more transparency to the industry. We’re open to future independent audits and will also be updating our Transparency Report editions on a more regular basis throughout the year.

Choose PIA for Top-Quality Security and Online Privacy

We’re long-time advocates for digital privacy and cybersecurity in the US, and now we have an independent audit that attests to our No Log VPN service. We offer the strongest data protection software possible, and our VPN online shield is critical to keeping your information safe in this digital age. It doesn’t matter if you need a macOS VPN, Windows VPN, or a VPN that’s compatible with iOS or Android, PIA protects up to 10 of your devices simultaneously.

We can unequivocally state that we don’t store any user activity log or metadata. And we wouldn’t have it any other way.

We take our No Logs policy seriously, and this audit is not our final endeavor. In the future, we’ll continue to be transparent with the security safeguards we put in place for our users. 

119 Comments

  1. Dan

    I worked for a HUGE bank in Chicago. We used Deloitte for IT audits. The FDIC and FFEIC were ok with this.

    Due to grotesque mismanagement, the bank was absorbed and is gone, but Deloitte is not.

    And that’s what happens when you hire incompetent friends and family to run your bank.

    2 years ago
    1. PIA Team

      Hi, Dan

      It sounds like you had a terrible work experience. In what concerns Deloitte, there are many reasons why it’s one of the Big Four accounting firms, and professional services is definitely one of them.

      Thank you for being part of the team!

      2 years ago
  2. Clark Nova

    As of May 31, 2022, Richard Sutherland of Tom’s Hardware concluded that PIA had, “No third-party security audit.”

    Is he mistaken?

    2 years ago
    1. PIA Team

      Hi, Clark

      As you can tell from the publishing dates, the review in question was written before our audit announcement. The reviewer couldn’t have known at the time, so I wouldn’t hold it against them.

      2 years ago
  3. Rob

    I tried to enroll before, but ran into some kind of issue that’s never been corrected. As soon as I hear from you, the sooner I can enroll. This world has gotten so crazy with people selling private information, you need an airtight protection advocate like PIA to keep the wolves away.

    2 years ago
    1. PIA Team

      Hi Rob. We’re sorry to hear you’ve encountered issues. Please contact our 24/7 support team, and they will happily assist you on the matter.

      2 years ago
    2. Sanlı Kayhan Dilbaz

      I wish you continued success. I enjoy using it and recommend it to all my friends. Endless thanks to everyone who contributed.

      2 years ago
      1. PIA Team

        Thank you for your kind words, Sanlı.

        2 years ago
  4. Kaffy

    Thanks for that info, I appreciate it.
    I would renew my confidence in you.
    Cordialement. (good for you)
    J.P. Kaffy
    For information: too bad I can’t find the language in French.

    2 years ago
    1. PIA Team

      Thank you for your kind words and support, Kaffy. We’re happy you chose us to protect your digital life.

      2 years ago
  5. Marty

    Kudos and great thanks to PIA, you guys rock! Glad to be on board with you.

    2 years ago
    1. PIA Team

      Hello Marty, thank you for your support, we really appreciate it!

      2 years ago