Proton passes its first SOC 2 Type II audit, verifying its business security credentials


Proton, which provides VPN and secure mail services, has passed its first SOC 2 Type II audit. Completed in July 2025, this comes in addition to annual third-party security audits of Proton VPN’s processes.

SOC 2 Type II is a widely recognized standard for business security. It confirms that robust systems are in place, and that security processes are consistently followed in practice across the organization.

Proton is best known for Proton VPN and Proton Mail, but also provides calendar, storage, password management, and crypto wallet tools. All of these services are covered by Proton’s SOC 2 Type II security auditing.

What is SOC 2 Type II auditing?

The Service Organization Control (SOC) audit framework tests how providers handle sensitive information, covering both control systems and their implementation. Running the audit demonstrates a commitment to data security, and it’s particularly important in areas such as finance, healthcare, and regulated industries where security compliance is critical. In sectors such as these, SOC 2 compliance is a baseline requirement.

The result brings Proton VPN into line with competitors such as NordLayer, NordVPN’s business solution, which has also passed a SOC 2 Type II audit and holds ISO 27001 certification. Other leading providers such as Surfshark and ExpressVPN have not yet undergone SOC 2 audits, though they do run independent security testing programs that support the claims of their no-logs policies.

Proton’s SOC 2 Type II audit was conducted by Schellman, an independent auditing firm with experience in the technology sector. In preparation, Proton formalized and documented its processes and controls across areas including access management, incident response, risk assessment, and system monitoring. Proton reports, however, that this preparation did not involve any larger overhaul of its services.

Following this, Schellman inspected how Proton’s security controls are implemented across its infrastructure, running technical reviews, assessing documentation, and interviewing staff. At the end of the process, Proton successfully achieved the standard required for SOC 2 Type II validation.

In a statement, Proton’s Head of Security, Patricia Egger, said, “Proton was built on the idea that privacy is a human right – and trust still has to be earned... Proton’s SOC 2 Type II attestation proves that our security isn’t just technical – it’s operational. We meet strict, independently audited standards for how we handle data, systems, and processes.”

And that matches what we’ve found with Proton’s products. Based on our testing, we rate Proton VPN as one of the best VPNs available, noting that it particularly stands out for its advanced security features.


How does Proton prove its security claims?

Proton has taken a number of steps to prove the security of its systems. All the firm’s apps are open source, meaning that the developer community is free to inspect the codebase and report on any issues or vulnerabilities that could compromise its software. Supporting this, the company has a public bug bounty program that offers rewards of up to $10,000, and the organization also runs regular penetration testing on its services.

In addition, Proton VPN runs an annual third-party audit of its no-logs policy. This is carried out by Securitum, a major security auditing company based in Poland. The third and most recent audit was published in July 2024. Reporting on this, Proton published detailed notes on the questions that Securitum asked and what it found, going beyond the executive summaries that other providers sometimes offer on their audits.

Alongside this, Proton achieved ISO 27001 certification in May 2024. ISO 27001 is the international standard for information security management systems, setting out best practices for managing data security. The firm also offers HIPAA support and GDPR and Swiss DPA compliance, meeting further regulatory requirements for business users. We extensively tested the product for our full Proton VPN review and found no evidence of DNS leaks or problems with the product’s kill switch feature.

Looking ahead, Proton states that it is committed to increasing transparency, to developing its security infrastructure, and to helping businesses better assess its services. In addition, Proton reports that the results of the SOC 2 report are available for customers on request and that its team will be happy to discuss the findings of the audit.


Michael Simon
Contributor

Michael is an experienced technology writer, specialising in VPNs, antiviruses, and cybersecurity. Previously, he has written for publications including Techopedia, The Guardian, and Digital Spy and has worked with numerous tech firms in the SaaS space. Outside of work, Michael’s interests include cult TV, gamification, and behavioural economics.
