Network Control & Transparency
Security Practices
This page describes TuxlerVPN Mobile’s documented security posture. It explains what we currently implement and is explicit about what we have not yet completed. The intent is to give a plain, factual description of the controls we rely on, not to imply controls we do not have. Authoritative sources include Privacy Policy §7 (“Data Security”) and the EULA.
This page also covers the topic previously reserved for a placeholder page titled “Operational Data Handling”: how operational signals (crash reports and other telemetry) are kept distinct from user-traffic content. That separation is described under “Application security” and “What we have not yet done” below. The dedicated placeholder route has been retired in favour of this consolidated page.
Cryptography and protocols
- VPN tunnel. TuxlerVPN Mobile uses the WireGuard protocol via Android’s VpnService API. WireGuard is a modern open-source VPN protocol with a small codebase and attack surface and well-reviewed cryptography (a Noise-based handshake using Curve25519, ChaCha20-Poly1305 and BLAKE2s). Source: Privacy Policy §2.6, §7.
- Web and API traffic. All communication between the TuxlerVPN Mobile app and our servers, and between visitors and the website, uses HTTPS / TLS. Cleartext traffic is disabled in the Android app and certificate validation is enforced. Source: Privacy Policy §7.
- Sensitive data in transit. Sensitive data is encrypted at the transport layer (TLS for app and web traffic, the WireGuard tunnel for VPN traffic) and is not transmitted in cleartext.
Application security
- The TuxlerVPN Mobile Android app is distributed exclusively through Google Play, which provides app-signing and tamper-detection at the platform level. Source: EULA §1.
- The app contains no advertising SDK, no attribution SDK, and no general-purpose analytics SDK other than the Sentry crash reporter described in Privacy Policy §2.4. Source: Privacy Policy §1, §2.8.
- Operational telemetry is structurally separated from user-traffic content: the VPN tunnel itself is not introspected, traffic content is not logged, and crash reports do not include the contents of VPN traffic, your name, email, IP address, HTTP headers, or advertising identifier (Privacy Policy §2.4, §2.6). The Sentry SDK is further configured to send data only when an actual crash occurs — session-tracking pings, breadcrumbs (UI taps, connectivity changes, system events, app/Activity lifecycle, low-memory and configuration changes), screenshot attachments, and view-hierarchy attachments are all explicitly disabled (Privacy Policy §2.4).
- The website at tuxlervpn.app does not currently use analytics, advertising, or social-media tracking cookies. Only strictly-necessary cookies are set, and no third-party cookies are placed on visitors’ devices (Privacy Policy §2.7). No third-party analytics or ad SDKs are loaded.
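To make the “send data only when an actual crash occurs” configuration above concrete, here is an AndroidManifest excerpt showing how such a Sentry Android SDK setup is expressed. This is an added illustration, not TuxlerVPN’s own manifest: the DSN value is a placeholder, and the meta-data key names are the ones the Sentry Android SDK documents for manifest-based configuration (confirm them against the SDK version you ship).

```xml
<!-- AndroidManifest.xml excerpt (illustrative; not TuxlerVPN's own file).
     Sentry's Android SDK reads these <meta-data> keys at start-up.
     The DSN below is a placeholder, and the key names should be checked
     against the SDK release in use. -->
<application>
    <!-- Where crash events are sent. A DSN alone enables auto-init; everything
         that follows narrows what the SDK collects. -->
    <meta-data android:name="io.sentry.dsn"
               android:value="https://examplePublicKey@o0.ingest.sentry.io/0" />

    <!-- No release-health "session" envelopes: the SDK then talks to the
         ingest endpoint only when an event (a crash) exists. -->
    <meta-data android:name="io.sentry.auto-session-tracking.enable" android:value="false" />

    <!-- Breadcrumb integrations, one per source named on this page:
         UI taps, Activity/app lifecycle, system events (incl. connectivity),
         low-memory and configuration changes (app components), network state. -->
    <meta-data android:name="io.sentry.breadcrumbs.user-interaction"  android:value="false" />
    <meta-data android:name="io.sentry.breadcrumbs.activity-lifecycle" android:value="false" />
    <meta-data android:name="io.sentry.breadcrumbs.app-lifecycle"      android:value="false" />
    <meta-data android:name="io.sentry.breadcrumbs.system-events"      android:value="false" />
    <meta-data android:name="io.sentry.breadcrumbs.app-components"     android:value="false" />
    <meta-data android:name="io.sentry.breadcrumbs.network-events"     android:value="false" />

    <!-- No screen capture or view tree attached to crash events. -->
    <meta-data android:name="io.sentry.attach-screenshot"     android:value="false" />
    <meta-data android:name="io.sentry.attach-view-hierarchy" android:value="false" />

    <!-- Keep the client IP address off the event (no {{auto}} user IP). -->
    <meta-data android:name="io.sentry.send-default-pii" android:value="false" />
</application>
```

Two caveats a reviewer should keep in mind. First, manifest meta-data is overridden by anything passed to a programmatic `SentryAndroid.init` call, so if the app also initialises the SDK in code, the effective options are the ones set there. Second, disabling the automatic integrations does not stop breadcrumbs or attachments added explicitly from application code; a `beforeSend` / `beforeBreadcrumb` callback that drops anything unexpected is the usual belt-and-braces control. To verify a shipped build, decode the APK (for example with apktool) and check these keys in the decoded manifest, or inspect a captured crash envelope for the absence of session items, breadcrumbs and attachments.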
Infrastructure security
- Web hosting. The public website is hosted by a third-party web hosting provider and relies on the DDoS mitigation that provider offers as standard.
- Backend services. Third-party cloud-infrastructure providers operate the servers behind apivpn.tuxlervpn.app under standard data-processing agreements. Source: Privacy Policy §4.
- Access controls. Access to systems holding user data is restricted to authorised personnel and is reviewed (Privacy Policy §7).
- Network controls in the app. Cleartext traffic is disabled and certificate validation is enforced (Privacy Policy §7).
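The statement that cleartext traffic is disabled and certificate validation is enforced (made under “Cryptography and protocols” and again here) is implemented on Android through the network security configuration. The file below is an added illustration, not TuxlerVPN’s own resource file: the host names come from this page, everything else is an assumption. It shows the permissive setting for contrast and the hardened form beside it.

```xml
<!-- res/xml/network_security_config.xml (illustrative; not TuxlerVPN's own file).
     Wired in from the manifest with
       <application android:networkSecurityConfig="@xml/network_security_config">
     Host names are taken from this page; the rest is an assumption. -->
<network-security-config>

    <!-- Permissive setting, shown only for contrast. With this base-config
         HttpURLConnection, OkHttp and WebView may silently fall back to http://,
         and trusting the "user" store means a CA installed by any app or by an
         interception proxy on the device is accepted for TLS.
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Hardened setting: no cleartext for any destination, and only the
         platform's built-in CA store is trusted. This is ordinary chain
         validation against the system store; it is not certificate pinning,
         which would need a <pin-set> and is not something this page claims. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Restate the rule for the hosts the app actually talks to, so a later
         edit to base-config cannot re-enable cleartext for them unnoticed. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">tuxlervpn.app</domain>
        <domain>apivpn.tuxlervpn.app</domain>
    </domain-config>

</network-security-config>
```

Three practitioner notes. The network security configuration governs Android’s own networking stack; a WireGuard implementation sends its UDP packets over raw sockets, which this file does not touch, and that is fine because the tunnel is protected by WireGuard’s own cryptography rather than TLS. A `<debug-overrides>` block, if present, applies only to builds with `android:debuggable="true"`, so it cannot weaken a release build but should still be reviewed. To check a shipped APK, decode it (for example with apktool), confirm `android:networkSecurityConfig` (and no `android:usesCleartextTraffic="true"`) in the manifest, and read the referenced XML for a `cleartextTrafficPermitted="false"` base-config whose trust anchors do not include `src="user"`.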
Data minimisation as a security control
Reducing the amount of data we hold reduces the impact of any incident. The relevant practices, drawn from the Privacy Policy, are:
- VPN-session data is discarded on disconnect (§2.6, §8).
- The Standard tier requires no account, no email, no name, no phone number, and no government identifiers (§2, §2.8).
- Premium subscription billing is handled by Google Play. TuxlerVPN Mobile does not store or process your full payment details (§2.2).
- Crash reports do not include your name, email, advertising identifier, or VPN traffic content (§2.4).
Incident response
- Security inquiries should be sent to [email protected].
- For coordinated vulnerability disclosure, see Vulnerability Disclosure.
- We perform regular security reviews of application code and infrastructure (Privacy Policy §7).
- Incidents affecting personal data will be reported in line with applicable breach-notification laws, for example, Articles 33 and 34 of the GDPR for affected EU users, and applicable state and federal laws for affected US users. We will also notify users where applicable. Source: Privacy Policy §7 (“If we become aware of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.”).
What we have not yet done
We commit to honest disclosure of our security maturity. The following are not in place at the time of this writing:
- External audit or certification. TuxlerVPN Mobile has not completed an independent external security audit (such as SOC 2, ISO 27001, or a published third-party penetration test). We plan to commission one when our user base reaches a scale that justifies the engagement.
- Bug-bounty programme. TuxlerVPN Mobile does not currently offer a monetary bug-bounty programme. We acknowledge contributors publicly with their permission via the Hall of Fame on our Vulnerability Disclosure page.
- Open-source app code. The Android app is closed-source today.
These items are roadmap intentions, not current commitments. We will update this page when any of them changes.
Reporting a security issue
Email [email protected]. The full coordinated-disclosure policy, including scope, safe-harbour terms, and target remediation timelines, is on the Vulnerability Disclosure page.
Related documents
- Privacy Policy: what data we collect and how we secure it.
- Logging & Retention Data: what we retain and for how long.
- Vulnerability Disclosure: how to report a security issue.
- Law-Enforcement Request Policy: how we evaluate legal process.
- Transparency Report: our reporting framework and quarterly-cadence commitment, with first counts published after launch.
Updates
This page is reviewed when our security posture changes. Last reviewed: 5 May 2026.