Current Reporting Period: January 1, 2025 - June 30, 2025
This report covers all government data requests, law enforcement inquiries, security incidents, and related transparency metrics for the first half of 2025. Previous reports are available at the bottom of this page.
Government & Law Enforcement Data Requests
Total Requests Received
User Data Provided
Legally Invalid Requests Rejected
No Data Available to Provide
Why Zero User Data? Our zero-knowledge architecture means we genuinely don't have access to your encrypted data, browsing history, or VPN activity. Even with a valid warrant, we can't provide what we don't have.
Request Breakdown by Type:
Subpoenas: 3
2 rejected (overly broad), 1 provided basic account info (email, signup date)
Court Orders: 2
Both had no data available to provide
National Security Letters: 0
None received this period
Emergency Requests: 2
1 rejected (insufficient justification), 1 provided minimal account metadata
What We Can (and Cannot) Provide to Authorities
✓ Information We Can Provide:
- Account email address
- Account creation date
- Last login timestamp
- Subscription status and billing country
- IP address used for account creation (if logged)
This is basic account metadata. It tells authorities an account exists but reveals nothing about how it's used.
✗ Information We Cannot Provide:
- Websites visited or VPN browsing history
- Content of encrypted files or vaults
- Passwords stored in password vault
- VPN connection logs or IP addresses assigned
- DNS queries or traffic metadata
This data doesn't exist in our systems. We designed our architecture specifically to avoid collecting it.
Warrant Canary & Gag Orders
Some government data requests come with gag orders preventing us from disclosing them. To address this, we maintain a "warrant canary" - a statement we can remove if we're ever subject to such orders.
Current Warrant Canary Status: Active
Last Updated: October 30, 2025
As of this date, Activate Security has never received any National Security Letters, FISA orders, or other classified requests for user data that we are prohibited from disclosing. We have never been subject to gag orders preventing us from informing users of government data requests.
What to Watch For: If this warrant canary statement is ever removed or becomes outdated, it may indicate we've received a classified request we're legally prohibited from disclosing. We update this statement monthly.
Security Incidents & Vulnerability Disclosures
Data Breaches
Vulnerabilities Found & Fixed
Critical Issues Patched Within 24hrs
Vulnerability Disclosure Timeline (Last 6 Months):
| Date Found | Severity | Issue Type | Time to Fix | User Impact |
|---|---|---|---|---|
| Jun 2025 | Medium | UI Information Disclosure | 3 days | None |
| May 2025 | Low | Dependency Update | 1 day | None |
| Apr 2025 | Medium | Rate Limiting Bypass | 2 days | None |
| Mar 2025 | High | API Authentication Issue | 8 hours | None - Fixed before exploitation |
Full vulnerability disclosure details available 90 days after patch deployment to ensure all users have updated.
Bug Bounty Program Statistics
Reports Submitted
Valid Vulnerabilities
Bounties Paid
Days Avg Fix Time
Severity Breakdown:
User Account & Service Statistics
Account Security
Service Performance
Third-Party Data Breaches Affecting Our Users
Sometimes companies our users have accounts with get breached. Our dark web monitoring detected these breaches affecting Activate Security users this period:
Email addresses and password hashes exposed
38.4M records
Profile information and email addresses
165M records
Phone numbers, account PINs, and addresses
54M records
Email addresses and partial account information
7M records
How We Help: When we detect our users' data in these breaches, we immediately send alerts with specific steps to secure affected accounts. This early warning system has helped prevent identity theft for thousands of users.
How We Notify Users of Security Issues
Transparency isn't just about publishing reports - it's about keeping you informed when issues affect you directly. Here's exactly how we handle user notifications:
Immediate Notifications (Within 1 Hour)
- Service outages affecting functionality
- Security incidents involving user data
- Critical vulnerabilities requiring user action
- Third-party breaches affecting your accounts
Regular Updates (Within 24 Hours)
- Non-critical security patches
- Feature updates affecting privacy settings
- Changes to terms of service or privacy policy
- Planned maintenance schedules
Multi-Channel Communication
We don't rely on just email. Critical security notifications go out through:
• In-app notifications (immediate)
• Email alerts (within 15 minutes)
• Website banner (for all users)
• Social media updates (for public awareness)
Previous Transparency Reports
We've been publishing transparency reports since our founding. Each report provides complete statistics for its respective period:
H2 2024 Report
July 1 - December 31, 2024
H1 2024 Report
January 1 - June 30, 2024
H2 2023 Report
July 1 - December 31, 2023
H1 2023 Report
January 1 - June 30, 2023
Questions About This Report?
Have questions about our transparency practices, need clarification on statistics, or want to discuss security research?
Contact Our TeamWe respond to all transparency and security inquiries within 24 hours
Security Through Transparency
Join users who value transparency as much as security. Because you shouldn't have to blindly trust your security provider - you should be able to verify everything we promise.
Get Started Now