Norton VPN has announced the completion of its second independent annual privacy audit.
The provider, looking to become one of the best VPNs, had its no-logs policy and commitment to user privacy confirmed via a third-party review.
It has also reduced the amount of user data it retains, as well as eliminating connection timestamps.
Finally, Norton VPN will now release quarterly updates to its Transparency Report, an improvement on the half year updates it previously provided.
Privacy impact – "None"
Norton VPN had its no-logs policy assessed by the independent cybersecurity firm, VerSprite. The test took place between June 9, 2025, and June 27, 2025. A validation retest was performed between August 25 and 26, 2025.
Norton VPN's privacy impact score was rated as "None" – the highest privacy categorization possible.
This score takes into account the number of security issues, observations, and technical gaps in privacy policies VerSprite noted. It also considers the likelihood of data exposure and the criticality of the assets and data at risk.
VerSprite reviewed the following:
- IP shuffle infrastructure
- Privacy policy
- Deployment scripts
- Log retention
- Supporting services configuration
- Edge server analysis
You can examine the assessment in more detail by reading VerSprite's full report.
It was confirmed that Norton VPN doesn't collect or store browsing history, DNS requests, or user IP addresses, and its practices correlate with what is stated in its privacy policy. Norton VPN's privacy policy states: "we collect minimal data, anonymize information where possible, and delete it as soon as possible."
Its infrastructure was confirmed to be secure. Configurations, components, and logs were consistent between the staging environment and sample servers, demonstrating ongoing privacy engineering and not just one-time compliance.
VerSprite used real-world threat models, including PASTA (Process for Attack Simulation and Threat Analysis), to simulate potential attacks on Norton VPN's systems.
Potential Privacy Concerns Addressed
Two potential privacy concerns were noted by VerSprite during its initial assessment. In some cases, "stored data may reveal details about accessed resources and VPN client usage patterns." Although individual VPN users "could not generally be directly identified from the observed log information."
Under "specific error conditions," VerSprite found that the VPN client's IP address could be logged.
This event overlapping with the first was deemed a "rare event" but data could be correlated in a way that users, and their associated traffic, could be identified.
This could be a serious privacy concern. However, Norton VPN swiftly rectified the issue and during re-testing, VerSprite confirmed the changes were successful.
"We're not just saying 'we don't track you' – we're proving it," said Jon Mah, Technical Director at Norton. "Our no-log policy is baked into every technical layer of how the Norton VPN service runs."
Improved data practices
Norton VPN confirmed that it has reduced its data retention to the "absolute minimum needed for a reliable service." It also confirmed it has "eliminated connection timestamps entirely."
The provider said it can see how many times a user connects over a 24-hour period, but it can't see when or for how long.
"Being transparent about how we handle user data isn’t just a best practice – it’s a responsibility," said Himmat Bains, Norton VPN Product Lead.
"We’re one of the very few VPN providers that openly publish our data retention policies, and that’s something we take pride in. Recently, we’ve taken this a step further by reducing our retention periods and removing connection timestamps entirely."
"Our commitment is clear: to collect only what’s absolutely necessary to provide a fast, secure, and reliable VPN experience."
Finally, Norton VPN said its Transparency Report will now be updated quarterly rather than half-yearly. Many reputable VPN providers have Transparency Reports, which detail the number of data requests a provider receives from government institutions.
Norton VPN's Transparency Report was last updated on August 27, 2025 and shows it received nine data requests between April and June of this year.
However, thanks to its no-logs policy, Norton VPN has no data to share. The provider states "customer data cannot be provided simply because it does not exist."
The news of Norton VPN's successful no-logs audit is welcomed. It further bolsters the provider's desire to become a top-class VPN and follows its feature drive of the last year.
Tom's Guide readers can get their hands on an exclusive Norton VPN deal. The two-year plan works out at $2.50 per month.
Follow Tom's Guide on Google News, or add us as a preferred source, to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button!
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
