Cryptographically signed attestation of what we DO and DO NOT log. Includes live count of retained user IPs and their age. Independently verifiable via Ed25519.
Four columns in the inventory below have names that may look surprising next to a "no-logs" claim. We explain them here rather than hide them — hiding would defeat the point of this page.
vpn_support_tickets.log_data — Opt-in debug bundle that a user voluntarily attaches when filing a support ticket. Controlled by the include_logs boolean on the same row. Never written for VPN traffic — only when the user clicks "include logs" in the support form.vpn_users.test_password — Plaintext password for App Store and Google Play review accounts (Apple and Google require a working test login to approve app updates). A database CHECK constraint (chk_test_password_only_for_test) makes it physically impossible to set this column on any row where is_test_account is false.vpn_users.notes — Free-text field for operator notes (refund context, support follow-ups). Never exposed to other users; only readable by level-9 admins. Subject access requests under GDPR include this field.vpn_subscriptions.raw — The exact webhook payload received from Stripe / Apple / Google for each subscription event. Stored verbatim so we can reconcile billing disputes. Contains no information beyond what the payment provider already holds about the same transaction.The exact JSON document hashed by the SHA-256 above. Anyone can re-canonicalise and verify.
{
"schema": "nexun-infra-report-v3.2",
"central": {
"api_git_sha": "unknown",
"api_version": "unknown",
"db_schema_updated": null,
"db_schema_version": "unknown",
"deploy_environment": "production",
"db_schema_fingerprint": null
},
"node_count": 21,
"countries": [
"AT",
"BE",
"CA",
"CH",
"CY",
"DE",
"ES",
"FI",
"FR",
"GB",
"IT",
"JP",
"NL",
"SE",
"SG",
"TR",
"US"
],
"nodes": [
{
"ipv4": "89.31.123.33/32",
"name": "at-vie-01",
"country": "AT",
"wg_pubkey": "rB8b7zHJI5prJmB4APuKeQBYd+mCVucryC+kGE8rX3w="
},
{
"ipv4": "85.208.109.114/32",
"name": "at-vie-02",
"country": "AT",
"wg_pubkey": "SfXdH5hpFATtiGlCWhbKDalURk7q/wf2qQGXA6dNZlc="
},
{
"ipv4": "46.183.187.95/32",
"name": "be-bru-01",
"country": "BE",
"wg_pubkey": "eJqhqji1Mu2cBZX54E7CYp1K7iuaEcxsHbPhWWAOr2s="
},
{
"ipv4": "188.190.17.109/32",
"name": "ca-mtl-01",
"country": "CA",
"wg_pubkey": "6CUQWjkF/bcySmPinSUcnZqNTYAd4l9T10/Nhv1zMgs="
},
{
"ipv4": "188.190.4.244/32",
"name": "ch-zrh-01",
"country": "CH",
"wg_pubkey": "Sw0sMVgIa/6tN2UC+r4/Az0c/ennbCju4IxeYSLyFgA="
},
{
"ipv4": "134.255.210.43/32",
"name": "cy-lca-01",
"country": "CY",
"wg_pubkey": "v7C43JKgX+wXweYjt98Za8Sg4Pu7bK7m6Y1f5z/YgRk="
},
{
"ipv4": "91.98.226.199/32",
"name": "de-nbg-01",
"country": "DE",
"wg_pubkey": "YyXuQJMw1s/mBOoW8aujUJxM58ErIGOX9NOWne2ug0c="
},
{
"ipv4": "91.98.114.199/32",
"name": "de-nbg-02",
"country": "DE",
"wg_pubkey": "gNY0N91ZPmJlItVI8fOA92EVykhcOYaRVlMChRnIB2g="
},
{
"ipv4": "192.71.213.98/32",
"name": "es-sev-01",
"country": "ES",
"wg_pubkey": "+ws+rM/bzrwWGHHoGeuB2ElOg6DIfkFt+7iuEaoOqzI="
},
{
"ipv4": "89.167.29.38/32",
"name": "fi-hel-01",
"country": "FI",
"wg_pubkey": "HXtUTHhCrVAy59Yp1QqA0RvE1fgmBrTejmFpw0TRrRs="
},
{
"ipv4": "94.232.247.139/32",
"name": "fr-par-01",
"country": "FR",
"wg_pubkey": "qqSL2ZBFgtEb9wUyWxV/ZP08D+h7EI/aQtm0lEPJ4zE="
},
{
"ipv4": "188.190.5.133/32",
"name": "gb-lon-01",
"country": "GB",
"wg_pubkey": "yL9hozWPX8r5rPblmuYUTbQX4mNQ9nnCE9Ln+4Lujjw="
},
{
"ipv4": "192.121.46.152/32",
"name": "it-mil-01",
"country": "IT",
"wg_pubkey": "p6ZDOFYZTYjWcW38F2FALo0KzYezX3XSB95mSZGWf0s="
},
{
"ipv4": "213.111.178.162/32",
"name": "jp-tky-01",
"country": "JP",
"wg_pubkey": "0dPB4vXK7IYcCLebX1sBZwon5XqiIkFcY2KYzSxghhQ="
},
{
"ipv4": "152.53.106.102/32",
"name": "nl-ams-01",
"country": "NL",
"wg_pubkey": "4/swlcyg9DjPX4Rl7BZRqO0UxaaDzUXQQrD2MkJH1Bc="
},
{
"ipv4": "193.182.145.120/32",
"name": "nl-ams-02",
"country": "NL",
"wg_pubkey": "lKMHb+gSneCRHZxnuadwalr9QykyOJZM75H0SY0PqS4="
},
{
"ipv4": "45.151.73.98/32",
"name": "se-sto-01",
"country": "SE",
"wg_pubkey": "DzlHzKokPfwgHY5MW3m4NyaG0t+woDsPx5fq/o26vg0="
},
{
"ipv4": "134.255.211.80/32",
"name": "sg-sgp-01",
"country": "SG",
"wg_pubkey": "PZso2RS10IUl3Xn4SVJqwuyc2dJADnC96cE++FTg5XE="
},
{
"ipv4": "94.131.123.3/32",
"name": "tr-ist-01",
"country": "TR",
"wg_pubkey": "9I/7RLbYZRWVSRPlwcmn+OnQXKdcAjIr6W3d9q2RYRs="
},
{
"ipv4": "188.190.16.182/32",
"name": "us-mia-01",
"country": "US",
"wg_pubkey": "A4tmXlPB/2z6T/IuhelqCcZ2AJ+9sqsCwHT6HAaZPDY="
},
{
"ipv4": "5.78.202.107/32",
"name": "us-pdx-01",
"country": "US",
"wg_pubkey": "INwmofskN+y6fgY89bFEoumxLXUkOqXzbGMjlzOHqkA="
}
],
"log_attestation": {
"claim": "We do NOT log VPN traffic, DNS queries, URLs, destinations, browsing history, or any record of which sites or services any account visits.",
"concession": "Connection metadata (IP / user_agent) is briefly retained for abuse-prevention and connection-debugging, then anonymized: client_ip after 1 day(s), user_agent after 1 day(s), device_name after 1 day(s). The numbers below show this policy in effect.",
"beyond_policy_ips": 0,
"policy_lag_acceptable": true,
"retained_user_ips_bucket": "0",
"retained_user_agents_bucket": "0",
"retained_device_names_bucket": "101-1k",
"retained_ips_by_age_bucketed": {
"1_3d": "0",
"3_7d": "0",
"0_24h": "0",
"beyond_policy": 0
},
"oldest_retained_user_ip_age_hours": null
},
"privacy": {
"policy_summary": {
"no_dns_logs": true,
"no_url_logs": true,
"no_browsing_history": true,
"no_destination_logs": true,
"traffic_volume_logging": "bytes-per-pseudonym, hourly, 10-day retention",
"no_destination_metadata": true,
"client_ip_retention_days": 1,
"user_agent_retention_days": 1,
"device_name_retention_days": 1
},
"traffic_accounting": {
"purpose": "Detect runaway bandwidth, abuse, and credential leaks; support per-node capacity planning. The bytes-per-pseudonym view is the minimum operational signal that lets us answer 'which account caused the alert' without ever logging URLs.",
"table_name": "node_traffic_buckets",
"current_state": {
"rows_in_window": 6221,
"most_recent_bucket": "2026-05-16T10:00:00+00:00",
"distinct_pseudonyms": 911
},
"table_present": true,
"retention_days": 10,
"fields_collected": [
"node_id (which server)",
"kind (wg_peer | node_total | proxy_user)",
"identity_hash (WG pubkey OR interface name; never user PII)",
"bucket_hour (UTC, hour-truncated — minute precision is rejected by DB CHECK)",
"rx_bytes (received)",
"tx_bytes (transmitted)"
],
"fields_NOT_collected": [
"destination IP / hostname / SNI",
"URL or HTTP request line",
"DNS query",
"flow tuple (src/dst port)",
"request count / packet count",
"geographic destination",
"minute- or second-level timestamps",
"any payload content"
],
"retention_enforcement": "Daily Celery task app.tasks.retention.prune_timeseries deletes rows where bucket_hour < NOW() - INTERVAL '10 days'. Single source of truth: TRAFFIC_BUCKET_RETENTION_DAYS in app/tasks/retention.py.",
"introduced_in_migration": "076_node_traffic_buckets.sql"
},
"anonymization_activity": {
"runs_total": 0,
"runs_failed": 0,
"window_days": 7,
"runs_success": 0,
"anonymized_per_column_bucket": {},
"fully_anonymized_sessions_bucket": "0"
},
"anonymization_coverage": {
"ratio": 0.2044,
"interpretation": "ratio close to 1.0 indicates the daily anonymizer is successfully NULL'ing PII for sessions past the retention window. ratio<1 acceptable during the 24h between runs.",
"eligible_sessions_over_7d_bucket": "10k-100k",
"fully_anonymized_sessions_bucket": "1k-10k"
},
"pii_schema_fingerprint": [
{
"type": "text",
"table": "admin_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "beta_applicants",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "jsonb",
"table": "crypto_invoices",
"column": "raw",
"policy": {
"note": "Stripe/Apple/Google subscription webhook payload, stored verbatim for billing reconciliation. Contains no info beyond what the payment provider has on the same transaction.",
"category": "billing_provider_webhook"
}
},
{
"type": "text",
"table": "manual_expenses",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "pricing_drift_alerts",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "provider_credentials",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "v_active_users",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_active_users",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_active_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "v_active_users",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "v_connection_history",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_vpn_app_events_canonical",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_first_opens",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_first_opens",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_auto_switches",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaign_clicks",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaign_clicks",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaigns",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_deleted_emails",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "inet",
"table": "vpn_device_presence",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_presence",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_presence",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "inet",
"table": "vpn_device_sessions_active",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_nodes",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_nodes_safe",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "vpn_proxy_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_proxy_events",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "vpn_proxy_tokens",
"column": "last_client_ip",
"policy": {
"note": "Last client IP for proxy tokens. Same retention as client_ip (1 day(s)).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_proxy_tokens",
"column": "last_user_agent",
"policy": {
"note": "Last UA for proxy tokens. Same retention as user_agent (1 day(s)).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sales_digest_config",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "vpn_session_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_session_events",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "vpn_sessions",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sessions",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sessions",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "jsonb",
"table": "vpn_subscriptions",
"column": "raw",
"policy": {
"note": "Stripe/Apple/Google subscription webhook payload, stored verbatim for billing reconciliation. Contains no info beyond what the payment provider has on the same transaction.",
"category": "billing_provider_webhook"
}
},
{
"type": "bytea",
"table": "vpn_support_tickets",
"column": "log_data",
"policy": {
"note": "Opt-in debug bundle attached by user to support tickets. Never written for VPN traffic. Bound to include_logs boolean on same row.",
"category": "user_supplied_optional"
}
},
{
"type": "text",
"table": "vpn_user_attributions",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_user_attributions",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "vpn_users",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_users",
"column": "test_password",
"policy": {
"note": "Plaintext password for App Store/Google Play review test accounts only. CHECK constraint enforces is_test_account=true on the same row.",
"category": "review_account_only"
}
},
{
"type": "text",
"table": "vpn_verification_codes",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "warrant_canary_refreshes",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "warrant_canary_statements",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
}
]
},
"checks": {
"no_failed_runs": true,
"nodes_have_pubkeys": true,
"no_ips_beyond_policy": true,
"pii_schema_categorized": true,
"anonymizer_ran_recently": false
},
"summary": {
"overall_pass": false,
"node_count": 21,
"country_count": 17,
"countries": [
"AT",
"BE",
"CA",
"CH",
"CY",
"DE",
"ES",
"FI",
"FR",
"GB",
"IT",
"JP",
"NL",
"SE",
"SG",
"TR",
"US"
],
"anonymization_runs_7d": 0,
"ips_anonymized_7d_bucket": "0"
}
}