vpn

Is CyberGhost Safe? Security, Privacy & Audit Analysis

Is CyberGhost safe? Independent audit results, encryption protocols, jurisdiction analysis, kill switch testing, and no-logs policy verification.

VPN.com Editorial Team · ·9 min read

Is CyberGhost Safe? Encryption, Audits, and Logging Explained

CyberGhost earns a trust score of 85/100. It uses AES-256 encryption, operates under Romanian jurisdiction outside 14 Eyes alliances, and publishes quarterly transparency reports. An independent audit by Deloitte in 2022 confirmed its no-logs policy. CyberGhost routes traffic through 11,500+ servers across 100 countries with built-in leak protection.

Jurisdiction: Why Romania Matters

CyberGhost operates under CyberGhost S.R.L., headquartered in Bucharest, Romania. Romania has no mandatory data retention laws for VPN providers. The country rejected the EU Data Retention Directive twice, in 2009 and 2014.

Romania sits outside the 5 Eyes, 9 Eyes, and 14 Eyes intelligence-sharing alliances. This means foreign agencies cannot compel CyberGhost to hand over user data through partner agreements. Romanian authorities need a valid court order to request information from any company.

Even with a court order, CyberGhost states it cannot provide what it does not store. The company’s parent organization is Kape Technologies, based in the UK. However, CyberGhost’s data processing stays in Romania under Romanian law. Kape also owns ExpressVPN, Private Internet Access, and ZenMate.

CyberGhost Audit History

Deloitte Romania completed an independent audit of CyberGhost’s no-logs infrastructure in 2022. The auditors examined server configurations, internal policies, and data handling processes across CyberGhost’s entire network. Deloitte confirmed that the server setup matched CyberGhost’s public no-logs claims.

This audit followed the Type 1 SOC framework, evaluating whether controls existed and were properly designed. Deloitte found no evidence that CyberGhost stored connection logs, browsing activity, or traffic data. The audit report confirmed that servers operated in RAM-only mode.

Before Deloitte, CyberGhost had not undergone a formal third-party audit. The company relied on quarterly transparency reports starting in 2011 to demonstrate its commitment. These reports detail the number of law enforcement requests received and how CyberGhost responded to each one.

CyberGhost publishes these transparency reports on its website every 3 months. Each report shows that zero data requests have been fulfilled because no identifiable data exists. A second Deloitte audit would strengthen long-term trust, but no follow-up has been announced publicly.

CyberGhost No-Logs Policy: What Gets Stored

CyberGhost’s privacy policy explicitly states it does not log browsing history, traffic destinations, or DNS queries. It also does not store connection timestamps, session durations, or assigned IP addresses. The policy covers all 11,500+ servers across its network.

What CyberGhost does NOT store:

  • Browsing activity or visited websites
  • Downloaded file names or torrent data
  • Original IP addresses or assigned VPN IP addresses
  • Connection timestamps or session length
  • DNS queries or traffic volume per session

What CyberGhost does collect:

  • Anonymous, aggregated connection attempts for troubleshooting (no user identification)
  • Account email address and payment information for subscription management
  • Approximate device type for app improvement analytics

CyberGhost uses anonymous tokens for authentication on its servers. This system breaks the link between your account credentials and your VPN session. The company cannot match a specific user to a specific server connection at any given time.

RAM-only servers add another layer. These servers write nothing to hard drives, and every reboot wipes all session data completely. Physical seizure of a server yields zero usable information about past connections.

Encryption Standards and Protocols

CyberGhost uses AES-256-GCM encryption as its default cipher across all applications. This is the same encryption standard that the U.S. government uses for classified information. Breaking AES-256 would require computational power that does not exist today.

CyberGhost supports 4 VPN protocols across its apps:

  • WireGuard: Default on most platforms. Uses ChaCha20 encryption. Averages 15-30% faster speeds than OpenVPN.
  • OpenVPN (UDP/TCP): Uses AES-256-GCM. UDP offers faster speeds. TCP works better on restricted networks.
  • IKEv2/IPsec: Preferred on iOS and mobile devices. Handles network switching efficiently between Wi-Fi and cellular.
  • L2TP/IPsec: Legacy option. Available but not recommended for primary use.

Each protocol implements Perfect Forward Secrecy through ephemeral key exchanges. This means each session generates a unique encryption key. Compromising one session key does not expose past or future sessions.

Kill Switch and DNS Leak Protection

CyberGhost includes a kill switch on Windows, macOS, iOS, Android, and Linux applications. The kill switch blocks all internet traffic if the VPN connection drops unexpectedly. It activates automatically with no user configuration required.

On Windows and macOS, the kill switch operates at the system level. It modifies firewall rules to prevent any packet from leaving outside the VPN tunnel. Testing with standard leak detection tools shows zero IPv4, IPv6, or WebRTC leaks during connection drops.

CyberGhost also runs its own private DNS servers. Every DNS query routes through encrypted tunnels to CyberGhost-operated resolvers. This prevents ISPs and third parties from seeing which domains you request. No third-party DNS services like Google or Cloudflare handle your queries.

IPv6 leak protection is enabled by default. CyberGhost blocks IPv6 traffic entirely rather than routing it through the tunnel. This approach eliminates a common vulnerability that cheaper VPNs often overlook.

Past Security Incidents

CyberGhost has not suffered a confirmed data breach or server compromise as of early 2025. No user data has been exposed through vulnerabilities in CyberGhost’s infrastructure.

In 2016, concerns emerged when Crossrider (later renamed Kape Technologies) acquired CyberGhost. Crossrider had past associations with adware distribution. CyberGhost addressed this by stating that its operations, team, and infrastructure remained independent in Romania. Kape has since repositioned itself entirely as a privacy and security company.

In 2019, a report surfaced about a data breach at a CyberGhost-linked customer support platform. CyberGhost clarified that only 120 email addresses and support ticket content were potentially affected. No VPN usage data, passwords, or payment information was exposed. The incident involved a third-party support tool, not CyberGhost’s VPN servers.

CyberGhost responded by migrating its support systems and increasing security requirements for third-party tools. The company added 2-factor authentication for internal systems and reviewed all vendor relationships.

Unique Security Features

CyberGhost offers several features that distinguish it from competitors in the 85-trust-score range.

NoSpy Servers: CyberGhost operates a set of premium servers in its own data center in Romania. The company manages these servers exclusively without third-party involvement. NoSpy servers use dedicated uplinks and are physically accessible only to CyberGhost staff.

Content Blocker: Built into the apps, this feature blocks ads, trackers, and malicious domains at the DNS level. It processes blocking before traffic reaches your browser. This reduces data exposure without requiring a separate browser extension.

Dedicated IP Option: Users can purchase a static IP address that only they use. This token-based system assigns the IP without linking it to your account identity. It helps avoid CAPTCHAs and blocklists while maintaining privacy.

Automatic Wi-Fi Protection: CyberGhost detects new or unsecured Wi-Fi networks and connects the VPN automatically. Users can set rules for trusted and untrusted networks. This feature prevents accidental unprotected browsing on public hotspots.

Split Tunneling: Available on Android and Windows, split tunneling lets you route specific apps outside the VPN. You choose which apps use the encrypted tunnel and which use your regular connection.

Frequently Asked Questions

Does CyberGhost Keep Logs?

CyberGhost does not keep logs of browsing activity, connection timestamps, IP addresses, or traffic data. Deloitte confirmed this in a 2022 independent audit. CyberGhost stores only your account email and payment data for billing purposes. Quarterly transparency reports since 2011 show zero fulfilled data requests.

Has CyberGhost Been Hacked?

CyberGhost’s VPN servers have never been breached. A 2019 incident exposed approximately 120 email addresses from a third-party support tool. No VPN credentials, browsing data, or payment information was compromised. CyberGhost migrated its support infrastructure and tightened vendor security after the event.

Is CyberGhost Trustworthy?

CyberGhost scores 85/100 on trust assessments. Romanian jurisdiction protects it from invasive surveillance requests. The Deloitte audit verified its no-logs claims. Kape Technologies ownership raises questions for some users, but CyberGhost maintains operational independence in Romania. Over 38 million users rely on the service globally.

Can CyberGhost See My Data?

CyberGhost cannot see your browsing data, DNS queries, or traffic content. AES-256 encryption protects data in transit. RAM-only servers store nothing permanently. The token-based authentication system prevents CyberGhost from linking sessions to user accounts. Even under a court order, CyberGhost states it has no data to provide.