Kryptografisch signierte Bestätigung dessen, was wir speichern und NICHT speichern. Inklusive Live-Zählung der noch vorhandenen Nutzer-IPs und deren Alter. Unabhängig per Ed25519 verifizierbar.
Vier Spalten im untenstehenden Inventar haben Namen, die neben einer "No-Logs"-Aussage überraschend wirken könnten. Wir erklären sie hier, statt sie zu verstecken — Verstecken würde den Zweck dieser Seite zunichtemachen.
vpn_support_tickets.log_data — Opt-in-Debug-Bundle, das ein Benutzer freiwillig beim Einreichen eines Support-Tickets anhängt. Wird durch die include_logs-Boolean in derselben Zeile gesteuert. Wird niemals für VPN-Datenverkehr geschrieben — nur wenn der Benutzer im Support-Formular auf "Logs einbeziehen" klickt.vpn_users.test_password — Klartext-Passwort für App Store- und Google Play-Review-Konten (Apple und Google benötigen einen funktionierenden Test-Login, um App-Updates zu genehmigen). Eine Datenbank-CHECK-Constraint (chk_test_password_only_for_test) macht es physisch unmöglich, diese Spalte in einer Zeile zu setzen, in der is_test_account false ist.vpn_users.notes — Freitextfeld für Betreibernotizen (Rückerstattungskontext, Support-Folgemaßnahmen). Niemals für andere Benutzer sichtbar; nur für Level-9-Admins lesbar. Auskunftsersuchen nach DSGVO umfassen dieses Feld.vpn_subscriptions.raw — Die exakte Webhook-Payload, die wir von Stripe / Apple / Google für jedes Abonnement-Ereignis erhalten. Wörtlich gespeichert, damit wir Abrechnungsstreitigkeiten abgleichen können. Enthält keine Informationen über das hinaus, was der Zahlungsanbieter bereits über dieselbe Transaktion hat.Das exakte JSON-Dokument, das durch den obigen SHA-256 gehasht wird. Jeder kann es neu kanonisieren und verifizieren.
{
"schema": "nexun-infra-report-v3.2",
"central": {
"api_git_sha": "unknown",
"api_version": "unknown",
"db_schema_updated": null,
"db_schema_version": "unknown",
"deploy_environment": "production",
"db_schema_fingerprint": null
},
"node_count": 20,
"countries": [
"AT",
"BE",
"CA",
"CH",
"CY",
"DE",
"ES",
"FI",
"FR",
"GB",
"IT",
"JP",
"NL",
"SE",
"SG",
"TR",
"US"
],
"nodes": [
{
"ipv4": "89.31.123.33/32",
"name": "at-vie-01",
"country": "AT",
"wg_pubkey": "rB8b7zHJI5prJmB4APuKeQBYd+mCVucryC+kGE8rX3w="
},
{
"ipv4": "46.183.187.95/32",
"name": "be-bru-01",
"country": "BE",
"wg_pubkey": "eJqhqji1Mu2cBZX54E7CYp1K7iuaEcxsHbPhWWAOr2s="
},
{
"ipv4": "188.190.17.109/32",
"name": "ca-mtl-01",
"country": "CA",
"wg_pubkey": "6CUQWjkF/bcySmPinSUcnZqNTYAd4l9T10/Nhv1zMgs="
},
{
"ipv4": "188.190.4.244/32",
"name": "ch-zrh-01",
"country": "CH",
"wg_pubkey": "Sw0sMVgIa/6tN2UC+r4/Az0c/ennbCju4IxeYSLyFgA="
},
{
"ipv4": "134.255.210.43/32",
"name": "cy-lca-01",
"country": "CY",
"wg_pubkey": "v7C43JKgX+wXweYjt98Za8Sg4Pu7bK7m6Y1f5z/YgRk="
},
{
"ipv4": "91.98.226.199/32",
"name": "de-nbg-01",
"country": "DE",
"wg_pubkey": "YyXuQJMw1s/mBOoW8aujUJxM58ErIGOX9NOWne2ug0c="
},
{
"ipv4": "91.98.114.199/32",
"name": "de-nbg-02",
"country": "DE",
"wg_pubkey": "gNY0N91ZPmJlItVI8fOA92EVykhcOYaRVlMChRnIB2g="
},
{
"ipv4": "192.71.213.98/32",
"name": "es-sev-01",
"country": "ES",
"wg_pubkey": "+ws+rM/bzrwWGHHoGeuB2ElOg6DIfkFt+7iuEaoOqzI="
},
{
"ipv4": "89.167.29.38/32",
"name": "fi-hel-01",
"country": "FI",
"wg_pubkey": "HXtUTHhCrVAy59Yp1QqA0RvE1fgmBrTejmFpw0TRrRs="
},
{
"ipv4": "94.232.247.139/32",
"name": "fr-par-01",
"country": "FR",
"wg_pubkey": "qqSL2ZBFgtEb9wUyWxV/ZP08D+h7EI/aQtm0lEPJ4zE="
},
{
"ipv4": "188.190.5.133/32",
"name": "gb-lon-01",
"country": "GB",
"wg_pubkey": "yL9hozWPX8r5rPblmuYUTbQX4mNQ9nnCE9Ln+4Lujjw="
},
{
"ipv4": "192.121.46.152/32",
"name": "it-mil-01",
"country": "IT",
"wg_pubkey": "p6ZDOFYZTYjWcW38F2FALo0KzYezX3XSB95mSZGWf0s="
},
{
"ipv4": "213.111.178.162/32",
"name": "jp-tky-01",
"country": "JP",
"wg_pubkey": "0dPB4vXK7IYcCLebX1sBZwon5XqiIkFcY2KYzSxghhQ="
},
{
"ipv4": "152.53.106.102/32",
"name": "nl-ams-01",
"country": "NL",
"wg_pubkey": "4/swlcyg9DjPX4Rl7BZRqO0UxaaDzUXQQrD2MkJH1Bc="
},
{
"ipv4": "193.182.145.120/32",
"name": "nl-ams-02",
"country": "NL",
"wg_pubkey": "lKMHb+gSneCRHZxnuadwalr9QykyOJZM75H0SY0PqS4="
},
{
"ipv4": "45.151.73.98/32",
"name": "se-sto-01",
"country": "SE",
"wg_pubkey": "DzlHzKokPfwgHY5MW3m4NyaG0t+woDsPx5fq/o26vg0="
},
{
"ipv4": "134.255.211.80/32",
"name": "sg-sgp-01",
"country": "SG",
"wg_pubkey": "PZso2RS10IUl3Xn4SVJqwuyc2dJADnC96cE++FTg5XE="
},
{
"ipv4": "94.131.123.3/32",
"name": "tr-ist-01",
"country": "TR",
"wg_pubkey": "9I/7RLbYZRWVSRPlwcmn+OnQXKdcAjIr6W3d9q2RYRs="
},
{
"ipv4": "188.190.16.182/32",
"name": "us-mia-01",
"country": "US",
"wg_pubkey": "A4tmXlPB/2z6T/IuhelqCcZ2AJ+9sqsCwHT6HAaZPDY="
},
{
"ipv4": "5.78.202.107/32",
"name": "us-pdx-01",
"country": "US",
"wg_pubkey": "INwmofskN+y6fgY89bFEoumxLXUkOqXzbGMjlzOHqkA="
}
],
"log_attestation": {
"claim": "We do NOT log VPN traffic, DNS queries, URLs, destinations, browsing history, or any record of which sites or services any account visits.",
"concession": "Connection metadata (IP / user_agent) is briefly retained for abuse-prevention and connection-debugging, then anonymized: client_ip after 1 day(s), user_agent after 1 day(s), device_name after 1 day(s). The numbers below show this policy in effect.",
"beyond_policy_ips": 0,
"policy_lag_acceptable": true,
"retained_user_ips_bucket": "0",
"retained_user_agents_bucket": "0",
"retained_device_names_bucket": "1-10",
"retained_ips_by_age_bucketed": {
"1_3d": "0",
"3_7d": "0",
"0_24h": "0",
"beyond_policy": 0
},
"oldest_retained_user_ip_age_hours": null
},
"privacy": {
"policy_summary": {
"no_dns_logs": true,
"no_url_logs": true,
"no_browsing_history": true,
"no_destination_logs": true,
"traffic_volume_logging": "bytes-per-pseudonym, hourly, 10-day retention",
"no_destination_metadata": true,
"client_ip_retention_days": 1,
"user_agent_retention_days": 1,
"device_name_retention_days": 1
},
"traffic_accounting": {
"purpose": "Detect runaway bandwidth, abuse, and credential leaks; support per-node capacity planning. The bytes-per-pseudonym view is the minimum operational signal that lets us answer 'which account caused the alert' without ever logging URLs.",
"table_name": "node_traffic_buckets",
"current_state": {
"rows_in_window": 5498,
"most_recent_bucket": "2026-05-25T02:00:00+00:00",
"distinct_pseudonyms": 599
},
"table_present": true,
"retention_days": 10,
"fields_collected": [
"node_id (which server)",
"kind (wg_peer | node_total | proxy_user)",
"identity_hash (WG pubkey OR interface name; never user PII)",
"bucket_hour (UTC, hour-truncated — minute precision is rejected by DB CHECK)",
"rx_bytes (received)",
"tx_bytes (transmitted)"
],
"fields_NOT_collected": [
"destination IP / hostname / SNI",
"URL or HTTP request line",
"DNS query",
"flow tuple (src/dst port)",
"request count / packet count",
"geographic destination",
"minute- or second-level timestamps",
"any payload content"
],
"retention_enforcement": "Daily Celery task app.tasks.retention.prune_timeseries deletes rows where bucket_hour < NOW() - INTERVAL '10 days'. Single source of truth: TRAFFIC_BUCKET_RETENTION_DAYS in app/tasks/retention.py.",
"introduced_in_migration": "076_node_traffic_buckets.sql"
},
"anonymization_activity": {
"runs_total": 7,
"runs_failed": 0,
"window_days": 7,
"runs_success": 7,
"anonymized_per_column_bucket": {
"client_ip": "0",
"user_agent": "0",
"device_name": "11-100"
},
"fully_anonymized_sessions_bucket": "101-1k"
},
"anonymization_coverage": {
"ratio": 1.0143,
"interpretation": "ratio close to 1.0 indicates the daily anonymizer is successfully NULL'ing PII for sessions past the retention window. ratio<1 acceptable during the 24h between runs.",
"eligible_sessions_over_7d_bucket": "10k-100k",
"fully_anonymized_sessions_bucket": "10k-100k"
},
"pii_schema_fingerprint": [
{
"type": "text",
"table": "admin_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "beta_applicants",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "jsonb",
"table": "crypto_invoices",
"column": "raw",
"policy": {
"note": "Stripe/Apple/Google subscription webhook payload, stored verbatim for billing reconciliation. Contains no info beyond what the payment provider has on the same transaction.",
"category": "billing_provider_webhook"
}
},
{
"type": "text",
"table": "manual_expenses",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "pricing_drift_alerts",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "provider_credentials",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "v_active_users",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_active_users",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_active_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "v_active_users",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "v_connection_history",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_vpn_app_events_canonical",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_first_opens",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_first_opens",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_auto_switches",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaign_clicks",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaign_clicks",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaigns",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_deleted_emails",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "inet",
"table": "vpn_device_presence",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_presence",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_presence",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "inet",
"table": "vpn_device_sessions_active",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_nodes",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_nodes_safe",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "vpn_proxy_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_proxy_events",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "vpn_proxy_tokens",
"column": "last_client_ip",
"policy": {
"note": "Last client IP for proxy tokens. Same retention as client_ip (1 day(s)).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_proxy_tokens",
"column": "last_user_agent",
"policy": {
"note": "Last UA for proxy tokens. Same retention as user_agent (1 day(s)).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sales_digest_config",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "vpn_session_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_session_events",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "vpn_sessions",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sessions",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sessions",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "jsonb",
"table": "vpn_subscriptions",
"column": "raw",
"policy": {
"note": "Stripe/Apple/Google subscription webhook payload, stored verbatim for billing reconciliation. Contains no info beyond what the payment provider has on the same transaction.",
"category": "billing_provider_webhook"
}
},
{
"type": "bytea",
"table": "vpn_support_tickets",
"column": "log_data",
"policy": {
"note": "Opt-in debug bundle attached by user to support tickets. Never written for VPN traffic. Bound to include_logs boolean on same row.",
"category": "user_supplied_optional"
}
},
{
"type": "text",
"table": "vpn_user_attributions",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_user_attributions",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "vpn_users",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_users",
"column": "test_password",
"policy": {
"note": "Plaintext password for App Store/Google Play review test accounts only. CHECK constraint enforces is_test_account=true on the same row.",
"category": "review_account_only"
}
},
{
"type": "text",
"table": "vpn_verification_codes",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "warrant_canary_refreshes",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "warrant_canary_statements",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
}
]
},
"checks": {
"no_failed_runs": true,
"nodes_have_pubkeys": true,
"no_ips_beyond_policy": true,
"pii_schema_categorized": true,
"anonymizer_ran_recently": true
},
"summary": {
"overall_pass": true,
"node_count": 20,
"country_count": 17,
"countries": [
"AT",
"BE",
"CA",
"CH",
"CY",
"DE",
"ES",
"FI",
"FR",
"GB",
"IT",
"JP",
"NL",
"SE",
"SG",
"TR",
"US"
],
"anonymization_runs_7d": 7,
"ips_anonymized_7d_bucket": "0"
}
}