Corporate accountability
Question 1: What is the public facing and full legal name of the VPN service and any parent or holding companies?
NymVPN is operated by Nym Technologies SA, a Swiss company headquartered in Neuchâtel, Switzerland. The company is privately owned by its co-founders, Harry Halpin and Alexis Roussel, with no parent or holding companies. Other co-founders are minority stakeholders of the company.
Neither Nym Technologies SA, Harry Halpin, nor Alexis Roussel has ownership or economic stakes in other VPN companies. Harry Halpin was previously President of the Board of the LEAP Encryption Access Project (a centralized VPN for human-rights activists), a position which he left.
NymVPN is solely operated by Nym Technologies SA, without involvement from any other company or partner.
Question 2: Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?
No.
Question 3: What is the service’s business model (i.e., how does the VPN make money)?
NymVPN generates revenue exclusively through VPN subscriptions, which include both dVPN and mixnet access. We do not engage in selling user information, and we do not use customer data (if any) for any purposes other than operating the VPN service.
We are considering making enterprise versions of our mixnet for potential partners. Nym Technologies SA has received a small amount of revenue from integration of the mixnet with other projects, including:
- a grant from the ZCash Community Grants Program, to integrate the mixnet with ZCash wallets;
- R&D grants from the Next Generation Internet program of the European Commission, to enable better mixnet packet formats and anonymous credential technology.
Data-logging practices
Question 4: Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated? If so, what data?
- User Device: During the alpha phase and for debugging purposes, some connection data may be recorded in the app logs and stored on the user’s device. These logs are regularly deleted. As the NymVPN apps become more stable, Nym aims to make these logs less verbose. Users can review the data via the Settings > Logs menu in their NymVPN app (note: These logs are stored locally on the user device and are not shared with Nym or any third parties).
- Nym Technologies SA: Users have the option to voluntarily share anonymized crash reports (via Sentry) to help improve NymVPN. These reports are designed to ensure they do not contain any identifying information about individual users. By design, no other data about the user’s online activities is accessible to Nym Technologies SA.
- Node operators: NymVPN is a decentralized VPN, with servers operated by independent operators. By design, entry gateway operators may have access to a user’s IP address (but not their online activity), and exit gateway operators may view online activity (but cannot link it to a user’s IP address). According to our Node Operators and Validators Terms and Conditions, operators commit not to 'collect, monitor, record, log, store, retain, or pass on to any third party Nym Node information or any information or data relating to the activities of end users of NymVPN or the VPN Services'.
For more details, please refer to our Apps Privacy Statement.
Question 5: Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?
See question 4.
DNS lookups: NymVPN does not operate a DNS service. As a result, DNS lookups are handled by the default DNS provider or the one configured by the user.
Question 6: Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?
NymVPN is operated by Nym Technologies SA, a Swiss company, and adheres to Swiss legislation. We maintain legal counsel to deal with any law enforcement requests.
By design, as a decentralized VPN service, NymVPN does not hold any data related to users’ online activities. While NymVPN does have access to users’ payment data, “zk-nyms”-based onboarding (zero-knowledge proofs) ensures that these data are not correlated to their VPN accounts.
As Nym is decentralized, it is possible that requests for data from law enforcement and courts will go to decentralized nodes in our network.
Security practices
Question 7: What do you do to protect against unauthorized access to customer data flows over the VPN?
Auditing: NymVPN is committed to providing best-in-class privacy and security benefits to its users. The NymVPN codebase is fully open source, licensed under GPLv3 and the Apache License, and is available for anyone to audit. In July 2024, NymVPN and other core Nym technologies were audited by the reputable pen-testing company Cure53. Nym Technologies has also undergone several other security audits related to its mixnet and cryptography.
Bug bounty / vulnerability disclosure program: As of December 2024, NymVPN is planning a vulnerability disclosure program, to be launched in Q1 2025, through which security researchers can report issues. This program will go live once the Cure53 audit findings have been addressed and released.
Cryptographic protocols: Guided by top security, privacy, and cryptography experts, NymVPN relies on state-of-the-art cryptographic protocols, notably including (for the mixnet mode):
- AES128 for secure communication between clients and entry nodes, as well as for encryption of the Sphinx header;
- BLAKE3 for key derivation in Sphinx packet format;
- Lioness for encryption of Sphinx payload.
And (for the WireGuard-based mode):
- ChaCha20 for symmetric encryption;
- Poly1305 for authentication;
- BLAKE2s for hashing.
Software updating: NymVPN end-user apps and operator binaries are updated regularly or as required to ensure patching and security improvements.
Server control and physical security: By design, Nym Technologies SA does not operate the VPN servers, instead relying on independent node operators. Nym Technologies SA also ensures the use of modern, securely managed internal tools and enforces strict employee security policies, including Multi-Factor Authentication.
Question 8: What other controls does the service use to protect user data?
See question 7.
Context
Following discussions at the RightsCon human rights conference in 2018, the Center for Democracy and Technology (CDT, a reputable nonprofit organization dedicated to advancing civil rights and civil liberties in the digital age) and prominent VPN vendors recognized a significant lack of trust and transparency within the VPN industry.
In response, the CDT developed a list of 8 standardized questions focused on (1) corporate accountability, (2) data logging practices, and (3) security practices, allowing VPN providers to demonstrate their commitment to trustworthiness and a positive reputation.
In our commitment to full transparency regarding our product and operations, we are sharing our responses to the 8 questions in the Signals of Trustworthy VPNs questionnaire.
Last updated: December 4, 2024