Following a 2024 security audit that examined the infrastructure for vulnerabilities, DuckDuckGo commissioned Securitum to conduct a second review with a different focus: verifying that the VPN actually respects the publicly stated no-logging policy. The analysis, conducted between October 2025 and January 2026, confirmed all nine areas under review.

What the report says

Two consultants from Securitum, a Polish cybersecurity firm, had direct access to proprietary source code, architecture diagrams, and production servers. This wasn’t an external test but rather an in-depth inspection with full cooperation from DuckDuckGo’s technical team.

The bottom line: no trace of user activity logging on servers, no connection metadata tied to individuals, no network traffic inspection. The servers used are dedicated physical machines, not shared with other services, and the configuration is identical across all geographic regions. Even the authentication system is designed to separate subscriber identity from the actual VPN connection itself. The tokens used for the two operations are distinct, and temporary data is deleted once a session ends.

One interesting detail involves the scam-blocking function built into the VPN. The verification happens mostly on the user’s device, and when server-side checking is needed, only a partial domain fragment is sent, insufficient to reconstruct the complete address visited.

The final report, dated March 20, 2026, is available in full PDF from DuckDuckGo’s website. Publishing the complete document rather than just a summary deserves recognition as solid transparency practice.

The problem with buying in Europe

DuckDuckGo’s VPN is part of a single bundled subscription that costs 9.99 dollars per month (or 99.99 annually) in the United States and also includes personal data removal from brokers and identity restoration if your information is stolen. The service is available across the EU as well, but with a meaningful difference in how you purchase it.

US residents can subscribe directly from DuckDuckGo’s website using Stripe, or a prepaid card if they want extra privacy. European residents, including those in Italy, are forced to go through Google Play Store or Apple’s App Store. It’s an odd constraint for a product built specifically to give you more control over your privacy. Le Alternative reviewed the VPN a few months back and covered it in detail.