Come and look inside our filing cabinet.
Every VPN says “no logs”. Very few will let you open the drawers. Here’s ours: pull each one out and see what we hold on you. Then read the 131-control independent audit that says the same thing, in someone else’s words.
The evidence room
Seven drawers. Six of them are the data other companies build businesses on. Open any of them.
Someone else’s report card on us
We didn’t grade this. Between 3 March and 10 April 2026, CyberNexis Ltd tested our production servers, backend APIs and every client app against 131 controls, then wrote it all down.
Three ways your data usually leaks
A no-logs policy only matters at the moment someone comes looking. Pick a scenario and watch it play out against an empty cabinet.
What the audit told us to fix
A transparency page that only quotes the flattering lines isn’t transparency. CyberNexis found no server-side logging of user activity — and also handed us a list. Here it is.
Client apps could leave session tokens and config data in local storage after closing. Fixed during the assessment — re-testing confirmed nothing sensitive remained in app cache or logs.
RemediatedSession data is handled in memory, but the auditor recommends encrypting persistent storage on VPN nodes as defence-in-depth against physical or low-level access.
In progressOur clients included third-party analytics and telemetry components. The auditor asked us to define, minimise and document exactly what they can collect.
In progressFile-integrity monitoring is in place, but a fully centralised alerting framework for unauthorised configuration changes is still being built out.
In progressStatuses are ours, not the auditor’s: CyberNexis reported the findings, we report the progress. The next independent assessment re-tests all of it.
The running tally
What we’ve been asked for, and what we handed over. The second number can only ever be zero — you’ve seen the drawers.
Figures here are placeholders for launch and must be replaced with your real, verified numbers and update date before publishing. If this statement ever disappears or stops being updated, treat that as a signal in itself.
No-logs questions
What does “no-logs” actually mean at LunoVPN?
Who audited the no-logs policy, and when?
What information do you actually keep?
What happens if a government asks for my data?
What if a server is seized or breached?
Did the audit find anything you had to fix?
Why should I trust the report rather than your marketing?
Don’t trust us. Check us.
Open the drawers, read the report, then decide. That’s how it should work.
