Kaspersky VPN: Transparency and Security
Last updated 10.17.2022
We strive to provide you with the best, most reliable VPN service.
Wherever you are, we want you to be safe and secure while exploring the Internet. And when it comes to choosing a VPN provider, we understand trust is everything. To help you make an informed decision, we have answered some common questions about how Kaspersky VPN works and handles data, and what we’re doing to enhance product security and deliver a better service.
Q: Have law enforcement agencies ever requested any information from your VPN service?
A: No. Kaspersky has never received any inquiries of this nature regarding Kaspersky VPN. Please note that if we did receive such inquiries, we would adhere to our policy on dealing with law enforcement and government requests, where all external requests go through a mandatory legal verification as a first step to ensure the security and privacy of our users, as well as company compliance with applicable national and international laws. In addition, neither Kaspersky nor our VPN vendor Aura monitors or stores any data that ties a user to their online activity, and we would not be able to provide content data (data which users create or send and receive) that law enforcement agencies sometimes want for electronic evidence.
To learn more about our Law Enforcement and Government Requests Report, please follow this link.
We have also published recent statistics on requests received from our users about all our products.
Q: How do you ensure data security?
A: Kaspersky VPN encrypts all data flows with industry-leading encryption algorithms – Advanced Encryption Standard (AES) 256, and the latest ChaCha20-Poly1305. AES-256 is a gold-standard encryption algorithm that is used worldwide. Numerous big companies such as Google or Facebook, government departments such as the U.S. National Security Agency, and many other leading organizations secure their sensitive data with AES-256. The ChaCha20-Poly1305 algorithm is used in connection protocols. It usually offers superior performance, allowing users to browse and discover all types of digital content faster.
Additionally, our data security controls include, but are not limited to:
- Kaspersky VPN does not store any data, or permit its vendors to store any data, that can tie users to their online activity.
- We only process information for specific, pre-determined purposes that are legitimate with regard to applicable laws, and which are relevant to the functionality of Kaspersky VPN. This includes information about devices used, subscription details, and wireless network specifications. Full details are available at Kaspersky VPN EULA.
- The only scenario where Kaspersky will obtain information about a VPN user (for example, the user’s email address) is when they choose to communicate with us (for example, via chat or email) or choose to provide an email address to register at My Kaspersky. However, even in this case, we cannot link that information to a user’s VPN traffic because we don’t store such traffic.
Q: Where are your VPN servers located?
A: Kaspersky VPN uses servers provided by our partner, and they are located in more than 85 virtual locations around the globe. In the unlimited version of Kaspersky VPN, there are even more virtual locations to choose from, as well as faster connections.
- You can access many virtual locations while using Kaspersky VPN, including the USA, UK, Netherlands, Czech Republic, Canada, Germany, Denmark, Spain, France, Sweden, Ukraine, Singapore, Belgium, Poland, Italy, Switzerland, Austria, Brazil, Japan, and many others.
- The servers are managed by our VPN vendor, Aura Growth GmbH and its affiliates, including Pango, located in Switzerland and the USA.
- Users of our unlimited VPN version can choose which location to connect to. For users of the free version, a location is assigned automatically.
Q: Does the Adaptive Security feature expose my privacy?
A: Adaptive Security helps in risky situations. For example, when a user connects to an unsecured Wi-Fi network or opens a sensitive website (for example, a banking or shopping site), the feature suggests enabling encryption.
The user then decides whether they want to accept this suggestion. If they do accept, they give their permission for encryption to be enabled.
To activate Adaptive Security for websites, our app sends anonymous requests to the Kaspersky cloud-based reputation server to get verdicts about sensitive websites. After our app receives a verdict for a website, it deletes all data related to the request.
In such instances, we cannot link data to a user’s VPN traffic because we don’t store such traffic.
Q: How do you ensure data integrity?
A: Via the Kill Switch feature.
- When your connection is interrupted, Kill Switch, which is available for users of the unlimited version, automatically blocks the device’s access to the Internet until the VPN connection is restored. Using Kill Switch eliminates any risks associated with an unprotected connection. Once the Kaspersky VPN service activates Kill Switch, users are notified about this. Users also have the option to deactivate this feature.
- Users of the Kaspersky VPN unlimited version can turn on Kill Switch in the settings. When Kill Switch is active, data will only be transferred if the VPN is actively protecting the user’s device.
Q: Do you share data with government agencies?
A: We make every effort to ensure that user data is secure. We never provide any government organizations or third parties with access to the company’s infrastructure, including data infrastructure. We may provide information on such data as well as technical expertise for cybercrime investigations upon request, but no third party can directly or indirectly access our infrastructure or data, and all requests go through mandatory legal verification before being approved, rejected or challenged. We do this to ensure the security and privacy of our users, as well as to ensure our compliance with applicable laws and regulations. If requests do not pass the legal verification, we either reject or challenge such requests. Please check our Law Enforcement and Government Requests Report to learn about Kaspersky’s policy in dealing with requests from law enforcement and governments worldwide.
Q: How do you keep your VPN service safe for users?
A: We apply secure development lifecycle (SDLC) practices during product development. SDLC is an industry-standard procedure that helps us make our products more secure. Additionally, we adhere to the principles of responsible vulnerability disclosure. We will coordinate vulnerability discovery and mitigation with the research community in the event that security flaws are found in Kaspersky VPN.
- Product security in our VPN service is ensured by Kaspersky’s vulnerability management and disclosure program, including our Bug Bounty Program. We also adhere to Ethical Principles in Responsible Vulnerability Disclosure to provide greater transparency on how we cooperate with the research community with regard to vulnerability treatment.
- So far, we’ve received and closed four reports for minor non-critical security flaws in Kaspersky VPN. The description of those flaws and their mitigation is published on the Kaspersky website.
- We have also audited the Aura infrastructure to make sure it meets the highest standards.
- We continuously monitor the quality of Aura services to ensure they meet and maintain their Service Level Agreement (SLA) commitments.
Q: I still have more questions!
A: Kaspersky Transparency Centers provide our enterprise customers and partners with the opportunity for executive briefings on our products, including Kaspersky VPN, as well as our engineering and data management practices.
- We provide both remote and physical access to show you how our products work — including Kaspersky VPN — and which data management practices are applied. Depending on the type of request you have, we have multiple options available at our Transparency Centers, from lightweight executive briefings to in-depth reviews of software development.
- To request remote or physical access to a Kaspersky Transparency Center, and to learn more about the Kaspersky VPN service, visit the Kaspersky Transparency Center website.