Who Audits Your Security Tools? Independent Audit Map — 2026

An independent security audit by a named firm is the strongest verifiable trust signal a privacy tool can offer. This maps which VPNs, password managers and cloud tools have been audited in 2026 — and by whom.

"Audited" only means something with a named firm, a date and (ideally) a published report. This page compiles the independent audits surfaced across our privacy and security studies, organised by tool and by auditing firm — so you can see both who's audited and which auditors recur.

Free to cite and link. Audit records are public but new ones supersede old; confirm the latest audit (firm, date, scope, report) on the vendor's page before relying on it.

By tool

| Tool | Category | Auditor(s) & record |
|---|---|---|
| NordVPN | VPN | Deloitte — 6th consecutive no-logs engagement (Nov 10–Dec 12, 2025) |
| ExpressVPN | VPN | KPMG (2019, 2022, 2023, 2025); Lightway by Cure53; also PwC |
| Surfshark | VPN | Deloitte (2025) — verified the 15-min IP-deletion claim |
| Proton VPN | VPN | 5th annual no-logs audit; apps audited (latest Securitum, Aug 2025); open source |
| IPVanish | VPN | Leviathan Security (2022); Schellman (2025) |
| PureVPN | VPN | KPMG "always-on" no-logs audit since 2023, public reports |
| Mullvad | VPN | Cure53 and Assured AB (multiple) |
| TunnelBear | VPN | Cure53 — annual independent audits |
| Windscribe | VPN | Leviathan Security Group (2021, desktop app) |
| Bitwarden | Password manager | Independently audited (including Cure53) |
| Proton Pass | Password manager | Cure53 (no critical issues found); open source |
| NordPass | Password manager | Cure53 |
| RoboForm | Password manager | Secfault Security (report on RoboForm's site) |
| Tresorit | Cloud storage | Independently audited zero-knowledge architecture |
| Proton Drive | Cloud storage | Open-source clients, independently audited |

By auditing firm

| Firm | Audited (in this set) |
|---|---|
| Cure53 | Bitwarden, Proton Pass, NordPass, Mullvad, TunnelBear, ExpressVPN (Lightway) |
| Deloitte | NordVPN, Surfshark |
| KPMG | ExpressVPN, PureVPN |
| Leviathan Security | IPVanish, Windscribe |
| Schellman | IPVanish (2025) |
| Securitum | Proton (apps, Aug 2025) |
| Assured AB | Mullvad |
| Secfault Security | RoboForm |

Key findings

  1. Cure53 is the de facto auditor of open-source privacy tools. It recurs across Bitwarden, Proton Pass, NordPass, Mullvad, TunnelBear and ExpressVPN's Lightway protocol — the single most common name in this set. A Cure53 report is the closest thing the consumer-privacy space has to a standard audit credential.
  2. The Big Four show up for no-logs assurance. Deloitte (NordVPN, Surfshark) and KPMG (ExpressVPN, PureVPN) handle the recurring no-logs "assurance engagements" — a different exercise from a Cure53 code/pentest audit. Both matter; they answer different questions (does the policy hold vs is the code sound).
  3. Cadence beats a one-off. NordVPN (6 consecutive Deloitte), ExpressVPN (KPMG across four years), TunnelBear and Mullvad (annual/repeated Cure53) have recurring audits; a single 2021 audit (Windscribe desktop) is a weaker, ageing signal. Ask when the last audit was, not just whether one exists.
  4. Open source + audit is the strongest combination. Proton (VPN/Pass/Drive), Bitwarden and Mullvad pair public code with independent audits — you can both read the code and see a third party verified it. That's a higher bar than either alone.
  5. Audit ≠ formal certification. A Cure53 pentest is not a SOC 2 or ISO 27001 (see our compliance map). For consumer privacy, the audit is the relevant signal; for enterprise procurement, the formal certification usually is. They're complementary, not interchangeable.

Methodology

Independent audits were compiled from our sourced 2026 privacy and security studies (VPNs, password managers, cloud storage), organised by tool and by auditing firm. A blank does not mean a tool is unaudited, only that an audit wasn't named in the source. This is a trust-signal map, not a security rating; an audit's value depends on its scope, recency and whether the report is published.

Editorial note (verification): Audit firms, dates and scope matter and audits are superseded over time. Confirm the latest audit (firm, date, scope, and whether the full report is public) on the vendor's security page before relying on this. Compiled 2026-06-27.

How to cite

"Who Audits Your Security Tools? Independent Audit Map — 2026", ToolsRanks. https://toolsranks.com/etudes/independent-security-audits-2026
Related: VPN No-Log Audits · Compliance Certifications. Dataset on request.