# Guideline 5.4 - Legal: VPN App from Individual Developer

**Guideline:** 5.4 · **Store:** Apple App Store · **Risk:** high · **Difficulty:** hard · **Typical turnaround:** 1-3 days

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-54-legal-vpn-app-from-individual-developer

## Description

Apple is rejecting your app because it is a VPN app submitted under an individual developer account. Under guideline 5.4, VPN apps must be submitted by an organization developer account (enrolled as a company or organization, not an individual). This requirement exists because VPN apps handle sensitive user traffic, and Apple wants an identifiable legal entity to be accountable. This rejection is similar to the regulated-field rejection under 5.1.1(ix) — it's an account-level requirement, not an app-level code issue. No amount of changes to the app will resolve it while it remains under an individual account. Additionally, VPN apps must use the NEVPNManager API (Network Extension framework) for their VPN functionality. Apps that implement VPN-like behavior through other means (e.g., proxy configuration, DNS manipulation, or custom tunnel implementations that don't use the Network Extension framework) will be rejected separately under this guideline.

## Common variations

- VPN app submitted under individual developer account
- VPN app must be submitted by an organization
- App does not use NEVPNManager API for VPN functionality
- VPN app missing data usage declaration
- VPN-like functionality implemented without Network Extension framework

## Example rejection email

```
Guideline 5.4 - Legal - VPN Apps

Your app provides VPN services but does not meet the requirements for VPN apps on the App Store.

Specifically:
- Your app is submitted under an individual developer account. VPN apps must be submitted by an organization enrolled in the Apple Developer Program.
- Your app must use the NEVPNManager API for all VPN functionality.

Next Steps:
Please:
1. Enroll in the Apple Developer Program as an organization and resubmit under the organization account.
2. Ensure your app uses the NEVPNManager API (Network Extension framework) for VPN functionality.
3. Clearly declare what user data is collected, how it is used, and how long it is retained in your privacy policy.
```

## Resolution steps

## Quick Assessment
- **Risk level:** High
- **Resolution path:** Account change + technical fix required
- **Typical turnaround:** 2-4 weeks (account change) + 1-3 days (technical fixes)

## The Fix

01. **Enroll as an organization** — Register a legal entity if you don't have one, obtain a D-U-N-S number, and enroll in the Apple Developer Program as an organization. This typically takes 2-4 weeks.

02. **Use NEVPNManager** — Implement VPN functionality using Apple's Network Extension framework and the NEVPNManager API. This is the only approved method. Remove any custom proxy, DNS tunnel, or non-NE VPN implementations.

03. **Add a Network Extension target** — Create a Network Extension target in Xcode for your packet tunnel provider. This requires the Network Extension entitlement from Apple.

04. **Declare data usage** — In your privacy policy and review notes, clearly state: what user data the VPN collects, whether browsing activity is logged, how long data is retained, whether data is shared with third parties, and your data deletion policy.

05. **Request Network Extension entitlement** — If you haven't already, submit an entitlement request to Apple for the Network Extension capability. This is a separate approval process.

## Prevention
- Start with an organization developer account for VPN development
- Use the Network Extension framework from the beginning
- Apply for the Network Extension entitlement early — it can take time
- Prepare a comprehensive data usage declaration before submission

## Before / after examples

**Before:** VPN app submitted under 'Jane Doe' individual account; VPN tunnel implemented using custom socket connections and DNS configuration profiles
**After:** App resubmitted under 'SecureNet Technologies Inc.' organization account; VPN implemented using NEPacketTunnelProvider and NEVPNManager API; Network Extension entitlement granted; comprehensive data usage declaration in privacy policy
**Why it works:** VPN apps require an organization account and the NEVPNManager API. Custom tunnel implementations and individual accounts are both rejected.

## Common questions

**How long does this typically take to fix?**

Typical turnaround is 1-3 days (difficulty: hard). After resubmission, most re-reviews complete within 24-48 hours.

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-54-legal-vpn-app-from-individual-developer*