Trust Center

Built without
logs.

Most VPNs promise not to log. HexVPN can't — our servers don't have disks. Here's exactly how that works, and what we don't keep.

Warrant canary — last verified May 18, 2026

Data requests received

since launch

Logs handed over

we couldn't if we tried

Gag orders served

canary remains intact

Third-party trackers

on this site and in our apps

How we built it

Privacy as infrastructure, not a promise.

Three structural choices that make logging impossible — not just disallowed.

tmpfs

Stateless RAM-only servers

Every HexVPN server boots from a read-only image. Runtime state — sessions, routing tables, DNS caches — lives entirely in RAM. On reboot, all of it evaporates. By physics, not by policy.

HexGuard

HexGuard tunnel encryption

ChaCha20-Poly1305 authenticated encryption with Curve25519 key exchange. Perfect forward secrecy means a captured session can't be decrypted later, even if the server key leaks.

blocked

No third-party tracking in our apps

The HexVPN apps ship without any third-party analytics, fingerprinting, or attribution SDKs — just code we wrote and audited. Our marketing site uses standard analytics for advertising; full disclosure in our Privacy Policy.

Architecture

When a server reboots, your session disappears.

There are no disks. There are no log files. There's nowhere for data to land. Every server boots from a read-only image, holds your tunnel in RAM for the duration of your session, and forgets everything when the next boot cycle starts.

Read-only boot image Signed, reproducible, immutable

State persistence None — all RAM (tmpfs)

Average reboot interval ~24 hours, rolling

Time from reboot to clean < 200ms

What we don't know

All of this stays yours.

×Your IP address ×Sites you visit ×DNS queries ×Connection timestamps ×Bandwidth used ×Browser fingerprints ×Apps you run ×Files you transfer ×Search queries ×Geographic location ×Device hardware ×Network operator

Warrant Canary

No government data requests. No gag orders. No backdoors.

As of May 18, 2026, HexVPN has not received any data requests, gag orders, secret subpoenas, or requests to insert surveillance or backdoors of any kind. If this notice disappears or stops being updated, treat it as a signal.

SHA-256 · 9f2b 8a1e d4c0 6f7a · last verified May 18, 2026

View signed proof →

Security

How we keep it solid.

Architecture is the foundation. Practices are how we maintain it.

Independent security audit

Annual penetration test by an external firm. Latest report from Q1 2026 — no critical findings.

Coordinated disclosure

security@hexvpn.co · PGP key on file · 90-day standard window before public release.

Encrypted DNS resolvers

DNS queries between client and our resolver are encrypted (DoH/DoT). Your ISP and any network operator on the path can't see what you look up.

Memory-safe protocol

HexGuard is written in Rust. The entire class of buffer-overflow and use-after-free vulnerabilities that have plagued OpenVPN and IPsec is impossible by construction.

Geographic distribution

Servers across 4 continents in multiple legal jurisdictions, all subject to the same architecture.

Secure boot chain

Servers boot from signed read-only images. Tampering is detectable on every reboot cycle.

Privacy you can verify.

Read our policy. Audit our claims. Then trust the system, not the promise.

Built withoutlogs.