Security Efforts

Your security is our priority

We are always working hard to make sure you are protected online. Our efforts are led by a team of 170+ tech experts, including programmers, security specialists, and IT architects. Here’s what we’re doing to give you the most secure VPN experience.

Our 2020 security roadmap

Partnering with cybersec thought leaders

We’ve partnered with VerSprite, a leading US cybersecurity consulting firm, to help improve our service. To follow up on the promise, we are building an Advisory Security Council of international cybersec experts.

70%

Bug bounty program

Helped by our community, we run a continuous bug bounty program to catch potential vulnerabilities.

100%

Infrastructure security audit

We successfully completed a second no-log policy assurance engagement, performed by PricewaterhouseCoopers AG (PwC) Switzerland. We will invite VerSprite to scour NordVPN’s apps for any vulnerabilities to follow up on our 2019 efforts.

60%

Higher security standards for vendors

Together with VerSprite, we set security standards for the datacenters we work with and make sure they comply with them. We have also begun to build a network of collocated servers, owned exclusively by NordVPN.

90%

Diskless servers

We are planning to upgrade to RAM servers, creating a centralized network where no data is stored locally.

90%

Protecting our infrastructure

Servers

Only specified traffic types are allowed to prevent unauthorized access;
We use bastion boxes to withstand attacks. These special-purpose servers generally only host a single application while limiting all others to reduce possible threats;
IP whitelisting only allows access to servers from specific IPs;
Our server deployment and provisioning are automated with Ansible and SaltStack.

VPN security

Secure encryption protocols (OpenVPN, IKEv2/IPsec, WireGuard) and hashes;
Strong server authentication protocols used by our apps;
Advanced client-side features, like Threat Protection and the automatic Kill Switch;
Specialized servers for more security, such as Onion Over VPN and Double VPN servers.

Backend CRM and billing

Our backend systems are firewalled and use IP whitelists with reverse proxies;
We require browser-based certificates for client authentication;
HTTPS requests are decoded and validated before being passed downstream;
Secure Shell (SSH) employed with bastion boxes.

Key security measures

Internal penetration testing
Our professional penetration testing team constantly probes the NordVPN infrastructure for weaknesses. These experts simulate real-world attacks to expose and patch up vulnerabilities.
Bug bounty
We are continuously running a bug bounty program on HackerOne for ethical hackers to report security flaws for monetary reward. We encourage our community to analyze NordVPN’s website, apps, and services.
Third-party audits
NordVPN completed a second test of its no-logs policy in 2020, and an app security audit in 2019. Next year, we’re planning to audit our infrastructure — hardware, software, back-end architecture, source code, and internal procedures.

Internal penetration testing

Our professional penetration testing team constantly probes the NordVPN infrastructure for weaknesses. These experts simulate real-world attacks to expose and patch up vulnerabilities.

Bug bounty

We are continuously running a bug bounty program on HackerOne for ethical hackers to report security flaws for monetary reward. We encourage our community to analyze NordVPN’s website, apps, and services.

Third-party audits

NordVPN completed a second test of its no-logs policy in 2020, and an app security audit in 2019. Next year, we’re planning to audit our infrastructure — hardware, software, back-end architecture, source code, and internal procedures.

External security partner VerSprite
NordVPN has partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. VerSprite will be performing a comprehensive penetration test, examining our intrusion handling, and providing us with vendor risk assessments.
NordLynx protocol
We have recently deployed NordLynx, a technology built around WireGuard®, which is the fastest VPN protocol on the market. Despite being the fastest, WireGuard® has some security drawbacks. Since we couldn’t compromise our customers’ privacy, we developed a custom double NAT (Network Address Translation) system to ensure top-notch security around unparalleled speed capabilities.

External security partner VerSprite

NordVPN has partnered with VerSprite, a global leader in cybersecurity consulting and advisory services. VerSprite will be performing a comprehensive penetration test, examining our intrusion handling, and providing us with vendor risk assessments.

NordLynx protocol

We have recently deployed NordLynx, a technology built around WireGuard®, which is the fastest VPN protocol on the market. Despite being the fastest, WireGuard® has some security drawbacks. Since we couldn’t compromise our customers’ privacy, we developed a custom double NAT (Network Address Translation) system to ensure top-notch security around unparalleled speed capabilities.

Comprehensive security through our products

NordVPN

NordVPN is the world’s most trusted online security solution, used by over 14 million internet users worldwide. It offers next-generation encryption with advanced privacy solutions to ensure secure access to all your favorite online resources.

NordPass

NordPass is a next-gen password manager built with your security in mind. Through advanced cryptography and zero-knowledge architecture, NordPass protects your online accounts while fully respecting your privacy.

NordLocker

NordLocker is an easy-to-use file encryption tool. Anything encrypted with the app can be safely stored or shared with others, making sure that your confidential data is safe in the event of theft or breach.

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security.

Lessons we’ve learned

Credential stuffing

In November 2019, a hacker uploaded about 2,000 email and password combinations matched to NordVPN accounts. These credentials were obtained from other breaches that had nothing to do with NordVPN.

Our security team is always investigating stolen credentials lists to protect NordVPN users. We use rate-limiting and smart detection systems, and will also implement two-factor authentication (2FA) soon.

Third-party data center breach

In March 2018, a single server we rented from a third-party Finnish data center was compromised. The breach occurred due to the data center’s negligence that we didn’t know about.

The intruders did not obtain any user activity logs, identities, usernames, or passwords. As soon as we learned of the breach, we terminated the server and thoroughly audited our network. To prevent similar incidents, we encrypt the hard disk of each new server alongside other protective measures.

NordVPN impersonators

Scammers cloned our site at nord-vpn.club, offering a Windows version of our app which secretly contained the Win32.Bolik.2 trojan virus. This trojan would monitor user activity and steal banking details.

We promptly blacklisted the site and took it down. We also published detailed guidance on how to protect yourself from similar scams in the future.

The responsibility of a market leader

NordVPN is one of the biggest providers in a versatile and highly competitive VPN market. We are recognized by the most influential IT experts, but we are also an appealing target for gossip.

Our main goal is to provide NordVPN users with the best VPN service possible — we have been successfully following it from the start. To put the record straight, NordVPN's co-founder Tom Okman had a thorough interview with TechRadar.

Earning your trust

VPN Trust Initiative

In December 2019, NordVPN became a founding member of the VPN Trust Initiative. Led by the i2Coalition, the organization aims to give VPNs a unified voice in U.S. internet policy, focusing on stronger consumer digital security.

Our promise

We do not collect traffic logs and cannot be compelled to by anyone else.
We never willingly provide user data, private keys, personal information, or access to a third party.
We cannot be (and have never been) compelled to modify our systems to allow third party access.
We confirm that we have full control over our infrastructure.

Our latest updates

Warrant Canary

We, NordVPN, confirm that we take full control of our infrastructure. We have never willingly disclosed any user data or provided any access to user traffic to any third party. We do not collect user traffic logs and have never been compelled to do so by any third party. We have not disclosed any private keys or any information of our users, and we have not been forced to modify our system to allow access or data leakage to a third party of any kind.

As of 2022-02-15 we state the following:

We have NOT received any National Security letters;
We have NOT received any gag orders;
We have NOT received any warrants from any government organization.

We are 100% committed to our zero-logs policy – we never log the activities of our users to ensure their ultimate privacy and security.

Noticed anything suspicious?

If you detected anything unusual with our service, please email support@nordvpn.com immediately.