Cryptografisch ondertekende attestatie van wat we WEL en NIET opslaan. Inclusief live telling van bewaarde IPs en hun leeftijd. Onafhankelijk verifieerbaar via Ed25519.
Vier kolommen in de onderstaande inventaris hebben namen die naast een "geen logs"-claim verrassend kunnen lijken. We leggen ze hier uit in plaats van ze te verbergen — verbergen zou het hele doel van deze pagina ondermijnen.
vpn_support_tickets.log_data — Opt-in debug-bundel die een gebruiker vrijwillig meestuurt bij een supportticket. Gekoppeld aan de include_logs boolean op dezelfde rij. Wordt nooit geschreven voor VPN-verkeer — alleen wanneer de gebruiker bewust op "logs meesturen" klikt in het supportformulier.vpn_users.test_password — Plaintext-wachtwoord voor App Store- en Google Play-reviewaccounts (Apple en Google eisen een werkende testlogin om app-updates goed te keuren). Een database-CHECK-constraint (chk_test_password_only_for_test) maakt het fysiek onmogelijk om deze kolom in te vullen op een rij waar is_test_account false is.vpn_users.notes — Vrij tekstveld voor operator-notities (refund-context, support-follow-ups). Nooit zichtbaar voor andere gebruikers; alleen leesbaar voor level-9 admins. Inzageverzoeken onder de AVG bevatten dit veld.vpn_subscriptions.raw — De exacte webhook-payload die we ontvangen van Stripe / Apple / Google voor elk subscription-event. Letterlijk opgeslagen zodat we billing-disputes kunnen reconciliëren. Bevat geen informatie buiten wat de betalingsprovider zelf al over dezelfde transactie heeft.Het exacte JSON-document dat door bovenstaande SHA-256 is gehasht. Iedereen kan opnieuw canoniseren en verifiëren.
{
"schema": "nexun-infra-report-v3.2",
"central": {
"api_git_sha": "unknown",
"api_version": "unknown",
"db_schema_updated": null,
"db_schema_version": "unknown",
"deploy_environment": "production",
"db_schema_fingerprint": null
},
"node_count": 20,
"countries": [
"AT",
"BE",
"CA",
"CH",
"CY",
"DE",
"ES",
"FI",
"FR",
"GB",
"IT",
"JP",
"NL",
"SE",
"SG",
"TR",
"US"
],
"nodes": [
{
"ipv4": "89.31.123.33/32",
"name": "at-vie-01",
"country": "AT",
"wg_pubkey": "rB8b7zHJI5prJmB4APuKeQBYd+mCVucryC+kGE8rX3w="
},
{
"ipv4": "46.183.187.95/32",
"name": "be-bru-01",
"country": "BE",
"wg_pubkey": "eJqhqji1Mu2cBZX54E7CYp1K7iuaEcxsHbPhWWAOr2s="
},
{
"ipv4": "188.190.17.109/32",
"name": "ca-mtl-01",
"country": "CA",
"wg_pubkey": "6CUQWjkF/bcySmPinSUcnZqNTYAd4l9T10/Nhv1zMgs="
},
{
"ipv4": "188.190.4.244/32",
"name": "ch-zrh-01",
"country": "CH",
"wg_pubkey": "Sw0sMVgIa/6tN2UC+r4/Az0c/ennbCju4IxeYSLyFgA="
},
{
"ipv4": "134.255.210.43/32",
"name": "cy-lca-01",
"country": "CY",
"wg_pubkey": "v7C43JKgX+wXweYjt98Za8Sg4Pu7bK7m6Y1f5z/YgRk="
},
{
"ipv4": "91.98.226.199/32",
"name": "de-nbg-01",
"country": "DE",
"wg_pubkey": "YyXuQJMw1s/mBOoW8aujUJxM58ErIGOX9NOWne2ug0c="
},
{
"ipv4": "91.98.114.199/32",
"name": "de-nbg-02",
"country": "DE",
"wg_pubkey": "gNY0N91ZPmJlItVI8fOA92EVykhcOYaRVlMChRnIB2g="
},
{
"ipv4": "192.71.213.98/32",
"name": "es-sev-01",
"country": "ES",
"wg_pubkey": "+ws+rM/bzrwWGHHoGeuB2ElOg6DIfkFt+7iuEaoOqzI="
},
{
"ipv4": "89.167.29.38/32",
"name": "fi-hel-01",
"country": "FI",
"wg_pubkey": "HXtUTHhCrVAy59Yp1QqA0RvE1fgmBrTejmFpw0TRrRs="
},
{
"ipv4": "94.232.247.139/32",
"name": "fr-par-01",
"country": "FR",
"wg_pubkey": "qqSL2ZBFgtEb9wUyWxV/ZP08D+h7EI/aQtm0lEPJ4zE="
},
{
"ipv4": "188.190.5.133/32",
"name": "gb-lon-01",
"country": "GB",
"wg_pubkey": "yL9hozWPX8r5rPblmuYUTbQX4mNQ9nnCE9Ln+4Lujjw="
},
{
"ipv4": "192.121.46.152/32",
"name": "it-mil-01",
"country": "IT",
"wg_pubkey": "p6ZDOFYZTYjWcW38F2FALo0KzYezX3XSB95mSZGWf0s="
},
{
"ipv4": "213.111.178.162/32",
"name": "jp-tky-01",
"country": "JP",
"wg_pubkey": "0dPB4vXK7IYcCLebX1sBZwon5XqiIkFcY2KYzSxghhQ="
},
{
"ipv4": "152.53.106.102/32",
"name": "nl-ams-01",
"country": "NL",
"wg_pubkey": "4/swlcyg9DjPX4Rl7BZRqO0UxaaDzUXQQrD2MkJH1Bc="
},
{
"ipv4": "193.182.145.120/32",
"name": "nl-ams-02",
"country": "NL",
"wg_pubkey": "lKMHb+gSneCRHZxnuadwalr9QykyOJZM75H0SY0PqS4="
},
{
"ipv4": "45.151.73.98/32",
"name": "se-sto-01",
"country": "SE",
"wg_pubkey": "DzlHzKokPfwgHY5MW3m4NyaG0t+woDsPx5fq/o26vg0="
},
{
"ipv4": "134.255.211.80/32",
"name": "sg-sgp-01",
"country": "SG",
"wg_pubkey": "PZso2RS10IUl3Xn4SVJqwuyc2dJADnC96cE++FTg5XE="
},
{
"ipv4": "94.131.123.3/32",
"name": "tr-ist-01",
"country": "TR",
"wg_pubkey": "9I/7RLbYZRWVSRPlwcmn+OnQXKdcAjIr6W3d9q2RYRs="
},
{
"ipv4": "188.190.16.182/32",
"name": "us-mia-01",
"country": "US",
"wg_pubkey": "A4tmXlPB/2z6T/IuhelqCcZ2AJ+9sqsCwHT6HAaZPDY="
},
{
"ipv4": "5.78.202.107/32",
"name": "us-pdx-01",
"country": "US",
"wg_pubkey": "INwmofskN+y6fgY89bFEoumxLXUkOqXzbGMjlzOHqkA="
}
],
"log_attestation": {
"claim": "We do NOT log VPN traffic, DNS queries, URLs, destinations, browsing history, or any record of which sites or services any account visits.",
"concession": "Connection metadata (IP / user_agent) is briefly retained for abuse-prevention and connection-debugging, then anonymized: client_ip after 1 day(s), user_agent after 1 day(s), device_name after 1 day(s). The numbers below show this policy in effect.",
"beyond_policy_ips": 0,
"policy_lag_acceptable": true,
"retained_user_ips_bucket": "0",
"retained_user_agents_bucket": "0",
"retained_device_names_bucket": "1-10",
"retained_ips_by_age_bucketed": {
"1_3d": "0",
"3_7d": "0",
"0_24h": "0",
"beyond_policy": 0
},
"oldest_retained_user_ip_age_hours": null
},
"privacy": {
"policy_summary": {
"no_dns_logs": true,
"no_url_logs": true,
"no_browsing_history": true,
"no_destination_logs": true,
"traffic_volume_logging": "bytes-per-pseudonym, hourly, 10-day retention",
"no_destination_metadata": true,
"client_ip_retention_days": 1,
"user_agent_retention_days": 1,
"device_name_retention_days": 1
},
"traffic_accounting": {
"purpose": "Detect runaway bandwidth, abuse, and credential leaks; support per-node capacity planning. The bytes-per-pseudonym view is the minimum operational signal that lets us answer 'which account caused the alert' without ever logging URLs.",
"table_name": "node_traffic_buckets",
"current_state": {
"rows_in_window": 5498,
"most_recent_bucket": "2026-05-25T02:00:00+00:00",
"distinct_pseudonyms": 599
},
"table_present": true,
"retention_days": 10,
"fields_collected": [
"node_id (which server)",
"kind (wg_peer | node_total | proxy_user)",
"identity_hash (WG pubkey OR interface name; never user PII)",
"bucket_hour (UTC, hour-truncated — minute precision is rejected by DB CHECK)",
"rx_bytes (received)",
"tx_bytes (transmitted)"
],
"fields_NOT_collected": [
"destination IP / hostname / SNI",
"URL or HTTP request line",
"DNS query",
"flow tuple (src/dst port)",
"request count / packet count",
"geographic destination",
"minute- or second-level timestamps",
"any payload content"
],
"retention_enforcement": "Daily Celery task app.tasks.retention.prune_timeseries deletes rows where bucket_hour < NOW() - INTERVAL '10 days'. Single source of truth: TRAFFIC_BUCKET_RETENTION_DAYS in app/tasks/retention.py.",
"introduced_in_migration": "076_node_traffic_buckets.sql"
},
"anonymization_activity": {
"runs_total": 7,
"runs_failed": 0,
"window_days": 7,
"runs_success": 7,
"anonymized_per_column_bucket": {
"client_ip": "0",
"user_agent": "0",
"device_name": "11-100"
},
"fully_anonymized_sessions_bucket": "101-1k"
},
"anonymization_coverage": {
"ratio": 1.0143,
"interpretation": "ratio close to 1.0 indicates the daily anonymizer is successfully NULL'ing PII for sessions past the retention window. ratio<1 acceptable during the 24h between runs.",
"eligible_sessions_over_7d_bucket": "10k-100k",
"fully_anonymized_sessions_bucket": "10k-100k"
},
"pii_schema_fingerprint": [
{
"type": "text",
"table": "admin_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "beta_applicants",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "jsonb",
"table": "crypto_invoices",
"column": "raw",
"policy": {
"note": "Stripe/Apple/Google subscription webhook payload, stored verbatim for billing reconciliation. Contains no info beyond what the payment provider has on the same transaction.",
"category": "billing_provider_webhook"
}
},
{
"type": "text",
"table": "manual_expenses",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "pricing_drift_alerts",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "provider_credentials",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "v_active_users",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_active_users",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_active_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "v_active_users",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "v_connection_history",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "v_vpn_app_events_canonical",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_first_opens",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_app_first_opens",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_auto_switches",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaign_clicks",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaign_clicks",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_campaigns",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_deleted_emails",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "inet",
"table": "vpn_device_presence",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_presence",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_presence",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "inet",
"table": "vpn_device_sessions_active",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "vpn_device_sessions_active",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_nodes",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_nodes_safe",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "vpn_proxy_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_proxy_events",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "vpn_proxy_tokens",
"column": "last_client_ip",
"policy": {
"note": "Last client IP for proxy tokens. Same retention as client_ip (1 day(s)).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_proxy_tokens",
"column": "last_user_agent",
"policy": {
"note": "Last UA for proxy tokens. Same retention as user_agent (1 day(s)).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sales_digest_config",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "inet",
"table": "vpn_session_events",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_session_events",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "inet",
"table": "vpn_sessions",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sessions",
"column": "device_name",
"policy": {
"note": "User-supplied device label. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_sessions",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "jsonb",
"table": "vpn_subscriptions",
"column": "raw",
"policy": {
"note": "Stripe/Apple/Google subscription webhook payload, stored verbatim for billing reconciliation. Contains no info beyond what the payment provider has on the same transaction.",
"category": "billing_provider_webhook"
}
},
{
"type": "bytea",
"table": "vpn_support_tickets",
"column": "log_data",
"policy": {
"note": "Opt-in debug bundle attached by user to support tickets. Never written for VPN traffic. Bound to include_logs boolean on same row.",
"category": "user_supplied_optional"
}
},
{
"type": "text",
"table": "vpn_user_attributions",
"column": "client_ip",
"policy": {
"note": "Real client IP. NULL'd by pii_anonymizer after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_user_attributions",
"column": "user_agent",
"policy": {
"note": "Client app UA + OS. NULL'd after 1 day(s).",
"category": "anonymized",
"retention_days": 1
}
},
{
"type": "text",
"table": "vpn_users",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "vpn_users",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "vpn_users",
"column": "test_password",
"policy": {
"note": "Plaintext password for App Store/Google Play review test accounts only. CHECK constraint enforces is_test_account=true on the same row.",
"category": "review_account_only"
}
},
{
"type": "text",
"table": "vpn_verification_codes",
"column": "email",
"policy": {
"note": "User account identifier. Erased on account deletion (/account/delete) per GDPR Art. 17.",
"category": "retained_for_account"
}
},
{
"type": "text",
"table": "warrant_canary_refreshes",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
},
{
"type": "text",
"table": "warrant_canary_statements",
"column": "notes",
"policy": {
"note": "Internal operator notes (refund context, support follow-ups). Visible only to level-9 admins. Included in GDPR Art. 15 access requests.",
"category": "operator_only"
}
}
]
},
"checks": {
"no_failed_runs": true,
"nodes_have_pubkeys": true,
"no_ips_beyond_policy": true,
"pii_schema_categorized": true,
"anonymizer_ran_recently": true
},
"summary": {
"overall_pass": true,
"node_count": 20,
"country_count": 17,
"countries": [
"AT",
"BE",
"CA",
"CH",
"CY",
"DE",
"ES",
"FI",
"FR",
"GB",
"IT",
"JP",
"NL",
"SE",
"SG",
"TR",
"US"
],
"anonymization_runs_7d": 7,
"ips_anonymized_7d_bucket": "0"
}
}