“No logs” is one of the most overused phrases in VPN marketing. Every provider claims it. What separates the credible ones from the rest is independent verification. NordVPN has submitted to six consecutive no-logs audits since 2018. We read the reports and explain what they actually confirm.
What NordVPN claims
NordVPN’s privacy policy states it does not log:
- User IP addresses
- Browsing or DNS query history
- Traffic or content of sessions
- Connection timestamps
- Bandwidth usage per session
- Session duration
What it does collect: aggregate analytics about connection load across server clusters (not tied to individual users), and account-level information like email address and payment data necessary to manage the subscription.
The distinction matters. Many VPNs that claim “no logs” still collect metadata like connection timestamps or total bandwidth. NordVPN’s policy explicitly excludes these.
Six independent audits: what each one covered
NordVPN has commissioned independent no-logs audits at regular intervals since 2018. The auditing firms have varied: PwC Luxembourg conducted the first four assessments; Deloitte Lithuania conducted the fifth and sixth.
The sixth audit, completed December 12, 2025, is the most recent. Deloitte’s team reviewed NordVPN’s server infrastructure, configuration files, deployment processes, and privacy-relevant settings across standard VPN servers, Double VPN servers, Onion Over VPN servers, and obfuscated servers. Interviews with NordVPN staff were also part of the methodology.
Deloitte’s conclusion: NordVPN’s IT systems and supporting operations are designed and implemented in line with its no-logs statement.
This is not a blanket endorsement of NordVPN as a company. Audits assess a specific set of systems during a specific time window. What they do confirm is that, at the time of assessment, the technical infrastructure did not store the data NordVPN claims it doesn’t store.
The 2018 server breach: what actually happened
In 2018, an unauthorized party accessed one NordVPN server in Finland. The breach became public in 2019, and NordVPN was criticized for not disclosing it immediately.
The breach involved a single server that had been rented from a third-party datacenter. The attacker exploited an insecure remote management system left active by the datacenter provider, not a flaw in NordVPN’s software.
What was exposed: the server’s configuration files and private keys for expired TLS certificates. No user data, no traffic logs, no connection records. Because NordVPN doesn’t log these, there was nothing to take.
The incident is worth knowing about because it raised real questions about NordVPN’s oversight of third-party infrastructure. In response, NordVPN moved to colocated servers it owns and controls. Its current infrastructure uses RAM-only servers, which wipe all data on reboot and prevent physical storage of logs even if a server is seized.
RAM-only servers: what they mean in practice
NordVPN has completed a full migration to RAM-only servers across its network. Traditional VPN servers write data to hard drives, which means that even if a provider claims not to log, a server seizure could potentially recover residual data.
RAM-only servers store nothing on disk. All operating data lives in memory and is erased entirely when the server restarts. If a server is physically seized by authorities, there is nothing to recover. This is the technical implementation of a no-logs policy, not just a policy statement.
Mullvad pioneered this approach. NordVPN, ExpressVPN, and ProtonVPN have all since adopted it. It represents a meaningful shift in how the “no logs” claim is enforced.
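What "stores nothing on disk" looks like as a checkable property, in an added example that is not NordVPN's or any auditor's tooling: it reads a Linux mount table in `/proc/mounts` format and reports every mountpoint where written data would survive a reboot, including overlay mounts whose writable layer sits on a disk. The function names and the sample mount table are constructed for illustration.

```python
# Added example: flag mounts that could persist data across a reboot.
RAM_FS = {"tmpfs", "ramfs", "devtmpfs"}
PSEUDO_FS = {"proc", "sysfs", "cgroup2", "devpts", "securityfs", "debugfs", "mqueue"}

# Constructed sample in /proc/mounts format (not taken from any real server).
SAMPLE_MOUNTS = """\
rootfs-image / squashfs ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1048576k 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
overlay /etc overlay rw,lowerdir=/ro/etc,upperdir=/run/ovl/etc,workdir=/run/ovl/work 0 0
/dev/sda2 /var/log ext4 rw,relatime 0 0
overlay /opt overlay rw,lowerdir=/ro/opt,upperdir=/var/log/ovl/opt,workdir=/var/log/ovl/w 0 0
"""

def parse_mounts(text):
    """Parse 'device mountpoint fstype options ...' lines into dicts."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            dev, mnt, fstype, opts = fields[:4]
            mounts.append({"dev": dev, "mnt": mnt, "fs": fstype, "opts": opts.split(",")})
    return mounts

def backing_mount(path, mounts):
    """Return the mount with the longest mountpoint that contains `path`."""
    best = None
    for m in mounts:
        prefix = m["mnt"].rstrip("/") + "/"
        if (path + "/").startswith(prefix) and (best is None or len(m["mnt"]) > len(best["mnt"])):
            best = m
    return best

def persistent_writable(text):
    """Mountpoints where written data would survive a reboot."""
    mounts = parse_mounts(text)
    findings = []
    for m in mounts:
        # Read-only, RAM-backed and kernel pseudo filesystems cannot hold new logs.
        if "ro" in m["opts"] or m["fs"] in RAM_FS | PSEUDO_FS:
            continue
        if m["fs"] == "overlay":
            # An overlay is RAM-only only if its writable upper layer lives on tmpfs/ramfs.
            upper = next((o.split("=", 1)[1] for o in m["opts"] if o.startswith("upperdir=")), None)
            host = backing_mount(upper, mounts) if upper else None
            if host and host["fs"] in RAM_FS:
                continue
        findings.append(m["mnt"])
    return findings
```

An empty result shows only that no mounted filesystem persists writes; it says nothing about attached but unmounted disks or data sent off-host, which is why an audit also covers configuration and deployment processes.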
Panama jurisdiction: what it means legally
NordVPN is incorporated in Panama. Panama has no mandatory data retention laws and is not part of any intelligence-sharing alliance (not Five Eyes, not Nine Eyes, not 14 Eyes).
This means that even if a government agency wanted to compel NordVPN to start logging user data, they would need to go through Panamanian courts. Panama has no data retention requirements to enforce, and no international agreement obligating it to cooperate with foreign surveillance requests.
In practice, jurisdiction matters most in two scenarios: a government trying to get historical logs (nothing to get, given the no-logs policy and RAM servers), or a government trying to force future logging. Panama’s legal environment makes the second scenario significantly harder than it would be for a US or EU-based provider.
What the audits don’t cover
Audits have limits. A Deloitte assessment conducted over a five-week window tells you about NordVPN’s systems during that period. It does not tell you:
- What happens between audits
- Whether NordVPN’s ownership (Nord Security, based in Lithuania) could be compelled to change its practices under EU jurisdiction
- Whether the audit scope covers every server in every country
These are not hypothetical concerns. NordVPN’s parent company, Nord Security, is a Lithuanian company. Lithuania is an EU member state. If EU authorities pressured Nord Security directly rather than NordVPN’s Panama entity, the legal picture becomes less clear.
This is not a reason to distrust NordVPN. It is a reason to understand what the audits actually prove versus what they don’t.
How NordVPN compares to other audited providers
| VPN | Auditor | Audits completed | Jurisdiction |
|---|---|---|---|
| NordVPN | PwC, Deloitte | 6 | Panama |
| ProtonVPN | SEC Consult | 2 | Switzerland |
| Surfshark | Cure53 | 2 | Netherlands |
| Mullvad | Cure53 | 2 | Sweden |
| ExpressVPN | KPMG | 1 | British Virgin Islands |
NordVPN’s audit frequency is the highest in the industry. More audits mean more opportunities for an external firm to catch a discrepancy between policy and practice. Six consecutive clean assessments across two different audit firms is a meaningful track record.
Our assessment
NordVPN’s no-logs claim is among the most thoroughly verified in the VPN industry. Six audits, two audit firms, RAM-only infrastructure, and a Panama jurisdiction with no mandatory retention requirements. The 2018 breach revealed a third-party infrastructure problem, not a logging problem, and the server migration since then has addressed the root cause.
The honest caveat: no audit is perfect, and NordVPN’s Lithuanian parent company, Nord Security, creates a theoretical EU jurisdiction risk that Panama incorporation doesn’t fully eliminate. For the overwhelming majority of users, NordVPN’s privacy infrastructure is more than adequate.
For users in genuinely high-risk situations who need the absolute maximum in privacy guarantees, Mullvad remains the stronger choice: no account email, cash payment, court-tested no-logs policy.
NordVPN does not keep logs in any meaningful sense. Six independent audits, RAM-only servers, and Panama jurisdiction back this up. The 2018 breach is worth knowing about but did not involve user data. For most users, NordVPN's privacy posture is solid. If you need the maximum possible anonymity, Mullvad is a notch above.
The skimmer’s verdict for the search query: NordVPN’s no-logs claim carries multiple PwC and Deloitte audits, a RAM-only fleet, Panama jurisdiction and a 2018 incident that produced architecture rather than victims. On the evidence hierarchy this site uses, that file sits in the top tier, and nothing in it has required revision in years of retesting.
(Evidence file current at this update; audit reports are linked from NordVPN’s own trust center for readers who want the primary documents behind the summary above.)