We build privacy
like infrastructure.
HexVPN is a small team of engineers and operators who believe a VPN should be invisible, fast, and incapable of betraying you — not by promise, by physics.
A VPN that can't lie to you.
Every VPN says it doesn't keep logs. Most of them lie, by accident or on purpose. We don't have a clean way to prove any of them are telling the truth — until you change the architecture.
HexVPN runs on stateless, RAM-only servers. When one reboots — which happens daily — every trace of every session evaporates. Not because we promise it does, but because there's nowhere for it to live. That's the entire product thesis: privacy as a property of the system, not a marketing claim.
Everything else we build flows from that. The HexGuard tunnel uses ChaCha20-Poly1305 because it's the fastest VPN protocol on the planet. The apps are native because cross-platform shells leak telemetry. The pricing has no asterisks because nothing erodes trust like asterisks. Welcome — we're glad you're here.
Bootstrapped. No incentive to compromise.
HexVPN is funded entirely by founder savings and customer subscriptions. No venture capital, no debt, no acquirers waiting in the wings. The only people we answer to are the ones paying for the tunnel.
That choice was deliberate. VPN companies with investors eventually have to monetize the one thing they shouldn't: you. Bootstrapping means we don't have an exit pressure that turns into a data pressure. The architecture stays the architecture.
From one tunnel to a global network.
We've shipped a lot in 18 months. Here's the timeline — including what's next.
Idea + first prototype
OriginA single-server WireGuard tunnel, hacked together in an apartment. The whole product fits in 200 lines of Go.
Stateless architecture
Re-architect every server to boot read-only from RAM. No disks. The "no logs" claim becomes a property of the system.
HexGuard tunnel
Custom protocol layer on top of WireGuard primitives. ChaCha20-Poly1305 throughout. Reproducible builds.
Public beta
Mac and Windows apps go out to ~500 invited users. Account portal, 10-device cap, email-code sign-in.
v1.0 — public launch
Native apps everywhere. iOS, macOS, Windows. Android and Linux in flight. CLI for the engineers.
AI threat protection
Real-time domain + IP reputation. Block malware, phishing, ad networks at the tunnel layer — never on-device.
How we think about trust.
Six rules we keep returning to when the easy thing and the right thing diverge.
If we can't prove it, we don't claim it.
Our "no-logs" isn't a promise. It's an architecture you can audit — and a warrant canary we sign in plain English.
Speed is a privacy feature.
A VPN that slows you down is a VPN you turn off. HexGuard is built for gigabit performance from day one.
Architecture before policy.
Anyone can write a privacy policy. Only the architecture decides what your provider could log if they wanted to.
Encryption that ages well.
ChaCha20-Poly1305 + Curve25519. Modern, fast, and chosen because they'll still be safe in ten years.
Native everywhere.
Real apps for real platforms. Mac feels Mac. iOS feels iOS. We don't ship the same Electron blob five times.
Pricing without asterisks.
One plan. Real numbers. A 30-day money-back guarantee, not a "pro-rated upon written request" clause.
30+ locations.
4 continents. 1 architecture.
Every HexVPN POP runs the exact same stateless image, in jurisdictions chosen for privacy posture and routing performance. No mystery providers, no rented "shared" boxes. When a server boots, it's the same OS, the same crypto, the same nothing-to-log.
Come build it with us.
We're hiring engineers who care about the kind of code that runs for ten years without a rewrite. Drop us a note — even if there's no open role listed.