00 · INDEPENDENT AUDIT · 2025
Audited by Deloitte.
Findings published in full.
Annual review of our no-logs and RAM-only claims.
Audit Report · 2025-11
Deloitte LLP · Frankfurt office · 184 pages · 4 findings
From 2025-08 to 2025-11, an independent team from Deloitte's Frankfurt office reviewed our production infrastructure, source code, configuration management, log destinations, and incident response history. The full report (linked above) details scope, methodology, and findings. The summary is below.
01 · FINDINGS
Four total. Zero criticals.
F1 · INFO
No-logs claim verified
Auditors reviewed running configuration, source code (Bayria's internal monorepo), and log destinations on production POPs. Confirmed: no logs are generated for VPN destinations, DNS queries, session metadata, or IP addresses.
F2 · INFO
RAM-only POPs verified
Confirmed via boot scripts and live inspection of three randomly-chosen POPs: all VPN POPs boot diskless from PXE. Disk surface confined to control plane in FRA/AMS/NYC.
F3 · MINOR
Activity log retention scope
Customer-panel activity log retains 90 days of admin actions (password changes, 2FA enrolment). Retention period documented in privacy policy; auditors recommended additional disclosure in onboarding email — actioned.
F4 · INFO
Vault end-to-end verified
Reviewed client-side Vault encryption code (open source under bayria-org/bayria). Master key derived locally via PBKDF2 + Argon2id. Server stores ciphertext only; no plaintext path exists.