Valtik Studios
VPN · medium · 2026-03-22 · 13 min

Corporate VPN vs Personal VPN: What Your Employer Can Actually See

When your company has you connect to a VPN for remote work, that VPN isn't for your privacy. It's for your employer's visibility. Every DNS query, every HTTPS connection, every packet that passes through a corporate VPN can be logged and, with SSL inspection, read. A practical walkthrough of what corporate VPNs actually do, what your employer sees, and why personal activity should never go through them.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

Two different things with the same name

You can tell how much experience someone has with this topic by whether they treat "VPN" as one control with one purpose. It isn't.

The word "VPN" means two completely different things depending on context:

Consumer privacy VPN (Mullvad, ProtonVPN, NordVPN, etc.): routes your internet traffic through a server the provider operates, hiding your traffic from your ISP and hiding your IP from the sites you visit. The goal is to increase your privacy.

Corporate VPN (Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient, Zscaler ZTNA, etc.): routes your work traffic through your employer's network infrastructure, giving you access to internal resources (intranet, databases, code repos) and, critically, giving your employer visibility into everything you do while connected.

Same word. Opposite privacy implications.

Millions of remote workers in 2026 run a corporate VPN on their work laptops, sometimes 24/7, sometimes without understanding what it does. Many assume it's for their privacy. It's not. It's for your employer's visibility, their security, and their compliance obligations.

This post walks through what corporate VPNs do, what they can see, the specific technologies your employer may be using to monitor your traffic, and what this means for personal activity on work devices.

What corporate VPNs do

The "VPN" in "corporate VPN" is the same "Virtual Private Network" as in consumer VPNs: an encrypted tunnel between your device and a remote server. But the architecture and purpose are entirely different.

Traffic routing

When you connect to a corporate VPN, your traffic goes through your employer's infrastructure. Your employer can:

  • See the destination of every network connection (the IP address, and usually the hostname too, via the DNS lookup or the TLS Server Name Indication)
  • See the size and timing of every connection (how much data flows)
  • See DNS queries (the domain names you resolve)
  • Inspect traffic content (with SSL inspection; see below)
  • Block traffic based on policies (content filtering, time-of-day rules, application-specific blocks)
  • Apply data loss prevention (detecting attempts to upload sensitive data externally)

This is by design. The corporate VPN's purpose is exactly this visibility. Your employer needs it for security (detecting attacks, preventing data exfiltration), compliance (HIPAA, PCI DSS, and SOX logging requirements), and operational reasons (optimizing network traffic, troubleshooting).

SSL inspection (the big one)

Modern corporate networks use SSL inspection (also called TLS interception, HTTPS inspection, or man-in-the-middle inspection). The mechanism:

  1. Your employer installs their own root certificate in the trust store of your work device (usually pushed by MDM or Group Policy).
  2. When you visit an HTTPS site, the connection goes through a corporate proxy, either a network appliance or an agent running on the device itself.
  3. The proxy terminates your TLS session, opens its own TLS session to the real site, and runs the decrypted content through its inspection engine. Toward your browser it presents a leaf certificate for that hostname, generated on the fly and signed by the employer's root CA.
  4. Your browser sees a certificate that chains to an installed, trusted root, so no security warning appears. The only visible trace is the issuer name in the certificate details.

Effect: your employer can read the content of your HTTPS traffic as cleartext. Every website you visit. Every search query. Every webmail message (unless the client pins its own certificate, which browser-based mail does not). Every Slack message. The content of every Google Doc. Everything that passes through the proxy.

Survey figures vary, but commonly cited estimates put SSL inspection at roughly 60-80% of US enterprises that run corporate VPNs. Some companies do it for security reasons (detecting C2 traffic, malware downloads, data exfiltration). Some do it because their compliance framework requires it. Some do it because their security vendor sells it as a feature and IT turned it on.
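The issuer name mentioned in step 4 is the one thing a user can check. The following is an added example, not code from the original post: it reads the leaf certificate a site presents and compares its issuer (and SHA-256 fingerprint) against what the same site shows from a personal device on a personal network. The two certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the CA names in them are hypothetical.

```python
import hashlib
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a leaf certificate minted on the fly by an intercepting proxy. The CA
# name is hypothetical.
INTERCEPTED_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp IT"),),
        (("commonName", "Example Corp TLS Inspection CA"),),
    ),
    "notBefore": "Mar 21 00:00:00 2026 GMT",
    "notAfter": "Mar 22 00:00:00 2026 GMT",
}

# Constructed sample: the same site's leaf as seen from an uninspected
# network (issuer is a public CA). Names are illustrative only.
PUBLIC_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Public CA Inc"),),
        (("commonName", "Public CA TLS Issuing CA 1"),),
    ),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Apr 10 23:59:59 2026 GMT",
}


def name_attr(name, key):
    """Pull one attribute (e.g. organizationName) out of the nested RDN
    tuples that getpeercert() uses for subject and issuer."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def issuer_summary(cert):
    issuer = cert.get("issuer", ())
    return {
        "organization": name_attr(issuer, "organizationName"),
        "common_name": name_attr(issuer, "commonName"),
    }


def looks_intercepted(cert, reference_issuer_org):
    """True when the issuer organization differs from the one observed
    out-of-band (from a personal device on a personal network). An
    intercepting proxy mints leaves under its own CA, so the issuer
    changes even though the browser shows no warning."""
    seen = (name_attr(cert.get("issuer", ()), "organizationName") or "").strip().lower()
    return seen != reference_issuer_org.strip().lower()


def fingerprint_sha256(der_bytes):
    """SHA-256 of the DER-encoded leaf. This is the value to compare across
    devices: a proxy-minted leaf never matches the real one, whatever the
    issuer is called."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_leaf(host, port=443, timeout=5.0):
    """Live check. Uses the system trust store, which is exactly where the
    employer's root lives, so an inspected connection validates cleanly and
    the returned issuer names the inspecting CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    cert, der = fetch_leaf(host)
    print(host, issuer_summary(cert), fingerprint_sha256(der))
```

Run it once on the work laptop and once on a personal device against the same host. A different issuer organization, or a different fingerprint for a certificate that has not rotated, means a proxy is in the path. The issuer comparison alone is a heuristic (you must know the real issuer); the fingerprint comparison is the reliable signal.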

Split tunneling vs full tunneling

Full tunneling: all your device's internet traffic goes through the corporate VPN, even when you're visiting Facebook or personal websites. Your employer sees all of it.

Split tunneling: only traffic to corporate resources goes through the VPN. Internet traffic to external sites goes directly via your local ISP. Your employer sees only the corporate-bound traffic on the network (an endpoint agent on the laptop is a separate channel).

Which is deployed: varies widely. Security-conscious enterprises often use full tunneling. Performance-conscious enterprises use split tunneling. Many use mixed policies (full tunneling during specific activities, split tunneling otherwise).

You can check by looking at your VPN client settings or by testing. Visit a site like ipinfo.io with and without the VPN connected and compare the reported IP: if it changes to your employer's egress address while connected, you are on a full tunnel. The device's routing table tells the same story and also shows which prefixes a split tunnel sends through the VPN.
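Reading the routing table is the more precise test. The block below is an added example, not from the original post: it parses Linux `ip route show` output, decides whether the VPN interface owns the default route (full tunnel) or only specific prefixes (split tunnel), and checks whether the configured DNS resolvers are reached through the tunnel, which is how a split tunnel still hands every lookup to corporate DNS. The three route tables are constructed; interface names, addresses and the VPN interface-name pattern are assumptions to adapt for your client.

```python
import ipaddress
import re

# Constructed `ip route show` output (Linux). Interface names and
# addresses are hypothetical; tun0 plays the corporate VPN client.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

NO_VPN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Interface-name prefixes commonly used by VPN clients on Linux. This is a
# heuristic (an assumption); extend it for the client you actually run.
VPN_IFACE_RE = re.compile(r"^(tun|tap|utun|ppp|wg|cscotun|gpd|ipsec)")


def parse_routes(text):
    """Turn `ip route show` lines into (network, device, metric) records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = re.search(r"\bdev (\S+)", line)
        if not dev:
            continue
        metric = re.search(r"\bmetric (\d+)", line)
        routes.append({
            "network": ipaddress.ip_network(dst, strict=False),
            "dev": dev.group(1),
            "metric": int(metric.group(1)) if metric else 0,
        })
    return routes


def vpn_routes(routes):
    return [r for r in routes if VPN_IFACE_RE.match(r["dev"])]


def classify_tunnel(text):
    routes = parse_routes(text)
    via_vpn = vpn_routes(routes)
    if not via_vpn:
        return {"mode": "none", "vpn_prefixes": []}
    # Lowest-metric default route wins; if it points at the VPN, everything
    # goes through the employer. OpenVPN-style clients instead add
    # 0.0.0.0/1 + 128.0.0.0/1, which together cover the whole address space.
    defaults = sorted((r for r in routes if r["network"].prefixlen == 0),
                      key=lambda r: r["metric"])
    halves = {str(r["network"]) for r in via_vpn if r["network"].prefixlen == 1}
    full = bool(defaults and VPN_IFACE_RE.match(defaults[0]["dev"])) \
        or halves >= {"0.0.0.0/1", "128.0.0.0/1"}
    return {"mode": "full" if full else "split",
            "vpn_prefixes": [str(r["network"]) for r in via_vpn]}


def resolver_via_vpn(text, nameservers):
    """Which configured DNS servers (e.g. from /etc/resolv.conf) are reached
    through the VPN. A split tunnel still sends every lookup to the employer
    when the resolver sits inside a tunnelled prefix."""
    via_vpn = vpn_routes(parse_routes(text))
    return [ns for ns in nameservers
            if any(ipaddress.ip_address(ns) in r["network"] for r in via_vpn)]


if __name__ == "__main__":
    import subprocess

    live = subprocess.run(["ip", "route", "show"], capture_output=True,
                          text=True, check=True).stdout
    print(classify_tunnel(live))
    with open("/etc/resolv.conf") as f:
        ns = [ln.split()[1] for ln in f if ln.startswith("nameserver")]
    print("resolvers reached via VPN:", resolver_via_vpn(live, ns))
```

On macOS the equivalent input is `netstat -rn`, whose format differs, so the parser would need adjusting. Note that a "split" verdict says nothing about endpoint agents, only about which packets leave the device through the tunnel.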

Always-on / zero-trust architectures

Newer architectures have moved beyond traditional VPN models:

  • Zero Trust Network Access (ZTNA): Zscaler, Cloudflare Access, Netskope, etc. Each request to an application is authenticated and authorized on its own, rather than one network-level VPN session granting broad access.
  • Software-Defined Perimeter (SDP): similar concept, per-application access
  • SASE (Secure Access Service Edge): the cloud-based evolution combining networking + security

In these architectures, there may not be a discrete "VPN" to connect to. Your device is always authenticated, always inspected, always monitored. The monitoring is continuous.

What your employer sees

Practical enumeration of what's typically visible:

Visible to IT in corporate VPN environments

  • Every domain you visit (via DNS logs)
  • Every URL (if HTTPS inspection is enabled)
  • Every search query (if HTTPS inspection)
  • Email content (work email lives on employer systems regardless of VPN; personal webmail content only with HTTPS inspection)
  • Chat messages (Slack, Teams, Discord, etc.; content visible with HTTPS inspection)
  • File uploads and downloads (often logged)
  • Cloud service usage (Office 365, Google Workspace, Dropbox, Box)
  • Video call participation (who you called, duration; content usually not recorded but metadata captured)
  • VPN connection times (start/end, duration)
  • Source location (IP address of where you connected from)

Typically visible with additional tools

  • Clipboard activity (if DLP tool is deployed)
  • Screen content (if productivity monitoring is active; see our workplace monitoring post)
  • Keystroke data (in some monitoring deployments)
  • Installed software (via asset management tools)
  • Personal device location (if you use work apps on personal devices with MDM)

Generally not visible (even through corporate VPN)

  • Certificate-pinned app content. Some apps (Signal, WhatsApp, various banking apps) pin their own certificates and refuse a chain signed by the employer's CA, so SSL inspection fails for them (most proxies are configured to bypass such destinations for exactly this reason). The content can't be read, but the connection itself is still visible, including the destination IPs.
  • End-to-end encrypted messaging content. Signal message content is never readable from the network, inspected or not. An endpoint agent on the same device (screen capture, keylogging) is a different channel and not what this list covers.
  • Devices you don't route through the VPN (personal phone on LTE, your home WiFi when VPN is disconnected).

What this means for personal activity

The core rule: personal activity on work devices or through corporate VPNs is visible to your employer.

Specific scenarios

Scenario 1: Personal email on work laptop

You log into Gmail through Chrome on your work laptop. Corporate VPN is connected. HTTPS inspection is enabled.

Your employer can see:

  • You logged into Gmail
  • Your Gmail account email address
  • Emails you read (sometimes content, sometimes metadata depending on config)
  • Emails you composed (draft content)
  • Emails you sent and their recipients
  • Attachments uploaded or downloaded

Recommendation: never access personal email from work devices. Use a personal device on a personal network.

Scenario 2: Personal medical searches

You have a health concern. You search for symptoms on your work laptop while connected to corporate VPN.

Your employer can see:

  • Your search query
  • The medical information sites you visited
  • Inferred: you have a specific health concern

This has affected employment decisions in documented cases. If your employer is going through layoffs, having a chronic illness indicator in your network logs could affect your position on the list.

Recommendation: health searches, mental health searches, legal questions. All on personal devices.

Scenario 3: Job searching from work

You're unhappy at your job. You start interviewing. You use your work laptop because it's always available.

Your employer can see:

  • LinkedIn Premium job searching
  • Visits to LinkedIn Learning courses on interview skills
  • Time spent on Glassdoor, Indeed
  • Emails to recruiters
  • Potentially: offer letters received

Many employers have explicit triggers that flag job-search patterns. Some act on them (accelerated layoff, reduced role).

Recommendation: all job searching from personal devices on personal networks.

Scenario 4: Political, religious, or controversial content

You browse political content, religious content, content about reproductive health, LGBTQ-related content, or anything else that's personal.

Your employer can see it. Large organizations have been sued repeatedly for using personal browsing history in employment decisions. Most cases settle confidentially.

Recommendation: personal content on personal devices.

Scenario 5: Financial activity

Banking, investment management, looking at your 401(k), managing personal crypto.

Your employer can see the domains and often the content. A domestic abuse survivor planning financial escape via work laptop has had their efforts exposed. A whistleblower documenting evidence has had the process monitored.

Recommendation: financial activity on personal devices.

Scenario 6: Side business / moonlighting

You have a side business or freelance work. You do some of the work from your work laptop because of convenience.

Your employer can see:

  • Emails to your side business clients
  • Files created or modified
  • Time spent on side business websites
  • Invoicing, contracts, income

Many employment contracts prohibit side work. Even where they don't, your employer knowing you have a profitable side business can affect treatment.

Recommendation: side business entirely on personal devices.

Practical compartmentalization

The workable rule for most people: separate devices, separate accounts.

Two-device model

Work device:

  • Company laptop
  • Company-managed phone (if provided)
  • Connected to corporate VPN as required
  • Used only for work
  • Personal accounts never logged in

Personal device:

  • Your own laptop or tablet
  • Your personal phone
  • Personal email, social media, banking, health, political content
  • Personal VPN if you want consumer privacy protection
  • Never connected to corporate VPN

This is the only reliable pattern for separating employer visibility from personal activity.

Bring Your Own Device (BYOD) concerns

If you use a single personal device for both work and personal activity (via BYOD policy):

  • The company's MDM profile sees device-level information
  • Work email and chat content go through corporate systems
  • Personal content on the same device may be accessible to company IT during incident response
  • Corporate VPN (if used) captures whatever traffic routes through it

BYOD nominally gives you control but practically reduces privacy. Avoid BYOD if possible.

If you only have one device

If you genuinely have only one laptop and it's work-issued:

  1. Do personal activity on your personal phone (different device, different network connection)
  2. Never do personal activity on the work laptop
  3. If you must use the work laptop for personal activity, do it off the corporate VPN and off corporate accounts. Accept that it's still visible to IT through the device itself (EDR, DLP, asset agents), VPN or not.

There's no magic that makes personal activity invisible on a corporate VPN. The rule is: personal activity doesn't happen on work infrastructure.

What you can do to reduce visibility

If you need to use your work device for something personal and can't avoid it, the realistic options:

Disconnect the corporate VPN first

If the client lets you disconnect (or split tunneling is in place), traffic to external sites goes directly through your ISP rather than through corporate infrastructure. But:

  • DNS queries may still go through corporate DNS (the client often leaves the resolver configured, or routes a prefix that includes it)
  • Monitoring software on the device (EDR, DLP) sees activity regardless of VPN state
  • Some corporate policies require the VPN to be connected, and always-on clients reconnect automatically

Use personal accounts only

If you must do something personal on a work device:

  • Log into personal accounts (personal Gmail, not work Gmail)
  • Use incognito/private browsing
  • Accept that the domain is visible but the account is separate from your work identity

Use Tor or a consumer VPN (risky)

Some employees route personal activity through Tor or a consumer VPN on their work laptop. The considerations:

  • Running a consumer VPN while connected to corporate VPN is often detected and flagged
  • Running Tor is almost always detected and flagged
  • This may violate your acceptable use policy
  • It's visible as suspicious behavior even if the content is hidden

Generally not recommended. Better to use a personal device.

The honest answer

If your employer has deployed a corporate VPN with SSL inspection, there's no configuration on your work device that makes personal activity invisible. The infrastructure is designed to see that activity. The only reliable privacy is not doing the activity on the work device.

What employers should consider

If you're on the corporate side deciding on VPN / monitoring deployment:

Disclosure matters

Several state statutes (Connecticut, Delaware, New York) require employers to give notice of electronic monitoring. Even in states without requirements, disclosure builds trust.

A policy that says "we monitor everything on corporate networks and devices, please don't do personal activity on work resources" is far more respected than silently deploying monitoring and having employees discover it.

Split tunneling where possible

Full tunneling + SSL inspection is maximum visibility but creates legitimate employee concerns. Split tunneling reduces the privacy conflict without compromising security goals for most use cases, provided endpoint controls (EDR, on-device DNS filtering) cover the traffic that no longer transits the corporate network.

Logging appropriate to risk

Logging every URL every employee visits is possible. It's also a massive dataset that creates:

  • Storage and operational cost
  • Breach risk if the logs are compromised
  • Regulatory exposure (employee information is regulated in many jurisdictions)
  • Employee privacy expectations

Most organizations should log on anomalies (blocked content, high-volume uploads, malware signature hits) rather than exhaustively.
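What "log on anomalies" looks like in practice, as an added example that is not part of the original post: a retention filter run over proxy events that keeps blocked requests, threat-category hits and large uploads, drops routine browsing before it reaches long-term storage, and trims the retained events to what an investigation needs. The log lines, the key=value format, the category names and the upload threshold are all constructed for the example; map them onto whatever your proxy actually emits.

```python
import re

# Constructed proxy log lines in a hypothetical key=value format. Users,
# hosts and sizes are made up; the shape mirrors a per-request proxy log.
SAMPLE_LOG = """\
2026-03-22T09:01:11Z user=alice action=ALLOW method=GET host=docs.example.com path=/report/q1 bytes_out=812 category=business
2026-03-22T09:02:30Z user=alice action=ALLOW method=GET host=symptoms.example path=/migraine bytes_out=640 category=health
2026-03-22T09:05:02Z user=bob action=BLOCK method=GET host=files.bad.example path=/payload.exe bytes_out=300 category=malware
2026-03-22T09:07:45Z user=carol action=ALLOW method=POST host=drop.share.example path=/upload bytes_out=734003200 category=file-sharing
2026-03-22T09:08:10Z user=alice action=ALLOW method=GET host=jobs.example path=/search bytes_out=500 category=career
2026-03-22T09:09:00Z user=dave action=ALLOW method=GET host=beacon.bad.example path=/c2 bytes_out=1200 category=command-and-control
"""

# Assumed category labels and threshold; tune both to your environment.
THREAT_CATEGORIES = {"malware", "command-and-control", "phishing"}
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # bytes sent in one request

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(KV_RE.findall(rest))
    event["bytes_out"] = int(event.get("bytes_out", 0))
    return event


def retention_reason(event):
    """Why an event is worth keeping, or None for routine browsing that
    should never be written to long-term storage."""
    if event.get("action") == "BLOCK":
        return "blocked"
    if event.get("category") in THREAT_CATEGORIES:
        return "threat-category"
    if event.get("method") in ("POST", "PUT") and event["bytes_out"] >= UPLOAD_THRESHOLD:
        return "large-upload"
    return None


def minimize(event, reason):
    """Keep only what an investigation needs. The URL path survives only
    for blocked or threat-category hits; a large upload is recorded by
    host and size, not by what page the user was on."""
    kept = {k: event[k] for k in ("ts", "user", "host", "bytes_out") if k in event}
    kept["reason"] = reason
    if reason in ("blocked", "threat-category"):
        kept["path"] = event.get("path")
    return kept


def filter_log(text):
    """Return the minimized events that should be retained."""
    retained = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reason = retention_reason(event)
        if reason:
            retained.append(minimize(event, reason))
    return retained


if __name__ == "__main__":
    for event in filter_log(SAMPLE_LOG):
        print(event)
```

In the sample, alice's health and job-search visits never reach storage, bob's blocked download and dave's C2 beacon are kept with their paths, and carol's 700 MB upload is kept by host and size only. The full firehose can still be held briefly in a short-retention buffer for incident response without becoming a permanent browsing history.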

Productivity scoring is rarely worth the cultural cost

Monitoring tools that derive productivity scores from keystroke rates, active application time, or screenshot analysis create adversarial dynamics with employees. Research on these tools generally finds they don't improve productivity, and they damage culture.

Avoid if possible. If mandated for specific regulatory reasons, scope narrowly.

Employee access to monitoring data

Giving employees visibility into what's monitored about them (self-service dashboards, quarterly summaries) turns surveillance into transparency. This is unusual but gaining adoption.

The regulatory landscape (employee side)

Beyond what we covered in our workplace monitoring post:

Attorney-client privilege

Communications with your personal attorney are privileged. Routing them through a corporate VPN may compromise privilege. If you're consulting an attorney about employment matters, medical issues, or personal legal questions, use a personal device and personal account.

Union organizing

In US labor law, union organizing activities can't be subject to employer retaliation. Monitoring data can create the basis for retaliation even if unintentional. Employees should:

  • Conduct organizing activities on personal devices
  • Use encrypted messaging for organizing communications
  • Know their rights (NLRB Section 7 protections)

Journalism and source protection

If you're a journalist, source communications must never go through employer-visible infrastructure. Use Signal on a personal device, burner devices, secure drop tools.

Whistleblower protections

SOX, Dodd-Frank, and various federal/state whistleblower laws protect employees who report wrongdoing. But legal protection after retaliation is different from preventing retaliation. Document evidence on personal devices. Consult counsel before using work systems to communicate with investigators.

Specific technical patterns

The HTTP/3 / QUIC escape

Some services use HTTP/3 over QUIC. QUIC is UDP-based and many corporate SSL inspection systems don't decrypt it, so traffic that stays on QUIC may pass uninspected. The standard countermeasure is to block UDP/443 at the proxy or firewall so the browser falls back to HTTP/2 over TCP, which is then inspected. Either way, this is not a reliable way to protect personal activity.

WebSocket persistence

Some tools use persistent WebSocket connections. The connection is visible, and once the TLS session is intercepted the frames are cleartext to the proxy, though not every product parses or logs WebSocket frames. Not a reliable privacy measure.

DNS over HTTPS / DoH

Some browsers default to DNS over HTTPS, which can bypass corporate DNS logging. Corporate networks increasingly block or proxy DoH, and Firefox turns off its DoH default when the network's resolver signals it via the use-application-dns.net canary domain. Chrome and Firefox both have DoH configuration options; your employer may have enforced policies disabling them.

ECH (Encrypted Client Hello)

A newer TLS feature that encrypts the "Server Name Indication" (SNI) in the ClientHello, so a passive observer sees only the provider's public name rather than the specific site. Increasingly deployed by major services but not universal, and it depends on an HTTPS DNS record that corporate DNS can withhold. Against an intercepting proxy it changes nothing: the proxy terminates TLS and learns the hostname anyway.
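To make the SNI point concrete (and the earlier claim that the hostname is visible even without SSL inspection), here is an added example that is not part of the original post: a builder and parser for the first TLS record of a connection. `extract_sni` reports what a passive observer on the VPN path reads from a ClientHello: the server name and whether an ECH extension is present. `build_client_hello` constructs the input; its ECH extension is an opaque placeholder blob, not a real encrypted inner hello, and the hostnames are made up.

```python
import os

SNI_EXTENSION = 0x0000
ECH_EXTENSION = 0xFE0D  # encrypted_client_hello (draft codepoint)


def build_client_hello(server_name, ech_payload=None):
    """Build a minimal ClientHello record with an SNI extension and,
    optionally, an ECH extension. Constructed input for the parser below;
    the ECH body is a placeholder, not a real encrypted ClientHello."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type host_name
    sni_body = len(entry).to_bytes(2, "big") + entry
    exts = SNI_EXTENSION.to_bytes(2, "big") + len(sni_body).to_bytes(2, "big") + sni_body
    if ech_payload is not None:
        exts += ECH_EXTENSION.to_bytes(2, "big") + len(ech_payload).to_bytes(2, "big") + ech_payload
    body = (
        b"\x03\x03" + os.urandom(32)            # legacy_version, random
        + b"\x00"                               # empty legacy_session_id
        + b"\x00\x02\x13\x01"                   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # one compression method: null
        + len(exts).to_bytes(2, "big") + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def _u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")


def extract_sni(record):
    """What a passive observer reads from the first packet of a TLS
    connection: the SNI and whether ECH is in use. With ECH the visible
    SNI is the provider's public name, not the site actually requested."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                 # skip version + random
    pos += 1 + body[pos]                         # session id
    pos += 2 + _u16(body, pos)                   # cipher suites
    pos += 1 + body[pos]                         # compression methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                            # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXTENSION:
            p, list_end = 2, 2 + _u16(data, 0)
            while p + 3 <= list_end:
                ntype, nlen = data[p], _u16(data, p + 1)
                if ntype == 0:                   # host_name
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == ECH_EXTENSION:
            result["ech"] = True
    return result


if __name__ == "__main__":
    print(extract_sni(build_client_hello("mail.example.com")))
    print(extract_sni(build_client_hello("public.cdn.example", ech_payload=bytes(40))))
```

Without ECH the observer gets the exact hostname from the first packet, no decryption required, which is why DNS-level and SNI-level logging alone already reveal every site visited. With ECH the parser still sees a server name, but it is the provider's public name; only the inspecting proxy, which terminates TLS, gets the real one.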

These are cat-and-mouse patterns, and none of them reliably provides personal privacy on work infrastructure.

For Valtik clients

Valtik's workplace privacy consultations serve both sides:

For employees: confidential consultations to understand what your employer can see, what the risk is, and what defensive practices make sense. Particularly relevant for:

  • Employees in high-risk industries (journalists, attorneys, healthcare workers handling sensitive personal cases)
  • Employees in organizations with known aggressive monitoring
  • Employees in situations requiring strict work/personal separation (domestic abuse survivors, employees planning transitions)

For employers: monitoring program design that achieves security and compliance goals without unnecessarily invasive employee surveillance. Typical deliverables:

  • Monitoring policy review
  • Technical configuration review (SSL inspection, DLP, logging)
  • Employee communication and disclosure framework
  • Alternative architectures (split tunneling, ZTNA with narrower logging)

Reach out via https://valtikstudios.com.

The honest summary

Corporate VPN and personal VPN are opposite tools with the same name. Corporate VPN is for your employer's visibility. Personal VPN is for your privacy. Running personal activity through a corporate VPN is the same as writing your personal diary on company letterhead and leaving it on your manager's desk. Your employer can, and sometimes does, read it.

The effective defense is compartmentalization. Work activity on work devices. Personal activity on personal devices. Never cross the streams.

If your household has one device and you work remotely, get a second device. A $400 tablet or refurbished laptop is less than the cost of one month of cyber insurance. It's a foundational investment in your privacy.

Sources

  1. Cisco AnyConnect Documentation
  2. Palo Alto GlobalProtect
  3. Fortinet FortiClient
  4. Zscaler Zero Trust Exchange
  5. Cloudflare Access ZTNA
  6. HTTPS Inspection Technical Overview, SANS
  7. EFF Workplace Privacy
  8. Electronic Communications Privacy Act Analysis
  9. NLRB Section 7 Rights
  10. ACLU Workplace Privacy Guidance
Tags: vpn, corporate vpn, employer monitoring, remote work, data privacy, opsec, workplace privacy, consumer cybersecurity, research
