Signals of Trustworthiness

Part I. Corporate Accountability & Business Model

  1. The public facing name is IVPN. The Legal name of the company is IVPN Limited.
    IVPN Limited has no parent or holding companies.
    There are no other companies or partners directly involved in operating the IVPN service.

  2. Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?

    No.

  3. What is the service’s business model (i.e., how does the VPN make money)? For example, is the sole source of the service’s revenue from consumer subscriptions?

    100% of revenue is generated from selling VPN consumer subscriptions.

    Part II. Privacy: Logging/Data Collection Practices and Responding to Law Enforcement

  4. Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated? If so what data? (including data from Client / VPN app, APIs, VPN gateways).

    No.

  5. Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?

    No.

  6. Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?

    Yes, please see Law Enforcement Legal Process Guidelines and transparency report.

    Security controls to protect data in the event of unauthorized physical access to servers

    If an adversary gains physical access to a server its prudent to assume that they will gain access to the unencrypted data stored on the server. As VPN servers are not under the direct physical control of IVPN they have been designed with the expectation that they will be compromised. To protect the privacy of IVPN customers the following controls are implemented:

    • No logs relating to the customer connection or network activity generated by an IVPN user are created or stored. This includes not creating any temporary or in-memory logs.
    • No storage of information relating to an IVPN user’s account i.e. authentication credentials are not stored locally.
    • 24/7 monitoring of all servers to alert IVPN of any suspicious activity or if a server is taken offline. If a server is offline and there no evidence from the data center that it is a hardware fault then procedures are followed to revoke the certificates on the server to prevent a potential MITM attack.

    Part III. Security Protocols and Protections

  7. What do you do to protect against unauthorized access to customer data flows over the VPN?

    Administrative controls

    • Implementation of an Information Security Management System (ISMS) based on ISO 27001.
    • Background screening of all employees.
    • Mandatory information security training.
    • Vetting of data centers where servers are hosted.
    • Patch management policy to ensure consistent and rapid resolution of vulnerabilities.
    • VPN servers do not store any logs relating to the customer connection or network activity generated by the customer. VPN gateways do not store any information relating to a users account e.g. authentication credentials.

    Technical controls

    • Enforcement of 2FA for system access to all servers.
    • Access control using a private company VPN with RSA 4096 certificates for authentication.
    • Mandatory Access Controls (SELinux).
    • Firewalled IPMI.
    • Full disk encryption (LUKS) requiring password entry at boot.
    • Configuration management software to enforce consistent configuration and security controls based on CIS Benchmarks.
    • 24/7 systems monitoring and alerting of suspicious system activity using host-based integrity protection.

    Customer connections

    • Customer VPN connections are secured using OpenVPN with RSA-4096 / AES-256-GCM keys.
    • Full mesh multi-hop network – IVPN customers can choose to connect to any location in the IVPN infrastructure and have their VPN traffic exit in any other location. To enable this functionality, secure VPN tunnels are established between every server in the IVPN network. This makes it significantly more difficult for an adversary to gain access to a server as the servers would be in multiple jurisdictions. In addition, should the exit server be compromised the adversary would not be able to trace an IVPN customer’s connection other than to the entry VPN server.
  8. What other controls does the service use to protect user data?

    • IVPN accepts anonymous payments using cash since 2010. Customers are also able to pay anonymously using Bitcoin if they are able to source Bitcoins anonymously.
    • All VPN servers are built using Open Source software e.g. CentOS, OpenVPN, StrongSWAN etc.
    • Vulnerability disclosure process.
    • Warrant canary.
    • IVPN is a transparent organisation with published information about staff on the website and Linkedin profiles.
    • In-depth privacy guides for IVPN customers.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.