“We have a strict no-logs policy” appears in the marketing of virtually every VPN. It’s the single most common and least meaningful claim in the industry. Writing a no-logs statement costs nothing. Verifying it is a different matter.
Here’s how to assess whether a VPN’s no-logs claim is worth anything.
Step 1: Read the privacy policy carefully
The specific language in a privacy policy reveals a lot about what a VPN actually logs.
Watch for qualifying phrases. “We do not log browsing activity” excludes only activity: connection metadata (source IP, timestamps, bandwidth) is not covered. “We may collect anonymized diagnostic data” leaves open what “anonymized” means; aggregated records are often re-identifiable when joined with other data. “We do not store personally identifiable information” only excludes PII: metadata can still be stored, just not linked to an identity at rest.
A credible no-logs policy explicitly enumerates every data category and confirms none are stored: no IP addresses, no connection timestamps, no DNS queries, no bandwidth data per session, no session duration.
Vague language (“we respect your privacy,” “we are committed to protecting your data”) is not a no-logs policy. It’s marketing.
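A first pass over a privacy policy can be mechanised: check each of the data categories listed above for an explicit denial, and flag the qualifying phrases. The script below is an added example written for this page, not a tool from any provider or auditor; the category regexes and the negation/collection verb lists are assumptions about how policies are worded, and both sample policies are constructed for illustration. It is a heuristic to direct your reading, not a verdict.

```python
import re
from typing import Dict, List

# The data categories a credible no-logs policy must explicitly exclude (the list in
# Step 1). The regexes are an assumption about how policies phrase these; a miss
# shows up as "unaddressed", never as a false "denied".
CATEGORIES: Dict[str, re.Pattern] = {
    "ip_address": re.compile(r"\bip address(?:es)?\b", re.I),
    "timestamps": re.compile(r"\b(?:connection )?timestamps?\b", re.I),
    "dns_queries": re.compile(r"\bdns\b", re.I),
    "bandwidth": re.compile(r"\bbandwidth\b", re.I),
    "session_duration": re.compile(r"\bsession (?:duration|length)\b", re.I),
}

# Qualifying phrases from Step 1 and what each one quietly leaves open.
QUALIFIERS: Dict[str, str] = {
    "browsing activity": "denies activity logging only; connection metadata is not excluded",
    "anonymized": "anonymized data may be re-identifiable when joined with other records",
    "personally identifiable": "excludes PII only; metadata can still be stored, unlinked to identity",
    "respect your privacy": "marketing language, not a statement about data categories",
    "committed to protecting": "marketing language, not a statement about data categories",
}

NEGATION = re.compile(r"\b(?:do not|does not|don't|never|no|none|neither|nor|without)\b", re.I)
COLLECTION = re.compile(r"\b(?:collect|store|retain|keep|log|record)(?:s|ed|ing)?\b", re.I)
# Contrastive conjunctions flip polarity mid-sentence: "we do not log X, though Y is retained".
CONTRAST = re.compile(r"\b(?:but|though|although|however|except|unless)\b", re.I)
# Pessimistic ranking: a clause admitting collection outranks a denial elsewhere, and a
# bare mention with no collection verb outranks a denial too, so the reader goes and looks.
STATUS_RANK = {"unaddressed": 0, "denied": 1, "mentioned": 2, "collected": 3}


def split_clauses(text: str) -> List[str]:
    """Sentences first, then split each at a contrastive conjunction."""
    clauses = []
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        for clause in CONTRAST.split(sentence):
            clause = clause.strip(" ,;")
            if clause:
                clauses.append(clause)
    return clauses


def classify_clause(clause: str) -> str:
    """'denied' = negation plus a collection verb, 'collected' = collection verb alone,
    'mentioned' = no collection verb at all (read that clause by hand)."""
    if COLLECTION.search(clause):
        return "denied" if NEGATION.search(clause) else "collected"
    return "mentioned"


def assess_policy(text: str) -> dict:
    findings = {name: {"status": "unaddressed", "evidence": []} for name in CATEGORIES}
    for clause in split_clauses(text):
        verdict = classify_clause(clause)
        for name, pattern in CATEGORIES.items():
            if pattern.search(clause):
                entry = findings[name]
                entry["evidence"].append((verdict, clause))
                if STATUS_RANK[verdict] > STATUS_RANK[entry["status"]]:
                    entry["status"] = verdict
    lowered = text.lower()
    qualifiers = {phrase: why for phrase, why in QUALIFIERS.items() if phrase in lowered}
    # Credible only if every category is explicitly denied and no qualifier appears.
    credible = all(f["status"] == "denied" for f in findings.values()) and not qualifiers
    return {"categories": findings, "qualifiers": qualifiers, "credible": credible}


# Constructed sample policies for illustration (not quoted from any real provider).
VAGUE_POLICY = (
    "We respect your privacy and do not log your browsing activity. "
    "We may collect anonymized diagnostic data, including connection timestamps, "
    "to improve service quality. We store none of the following: IP addresses, "
    "DNS queries. Bandwidth is metered per account for fair-use enforcement."
)
ENUMERATED_POLICY = (
    "We do not store IP addresses, connection timestamps, DNS queries, "
    "bandwidth per session, or session duration."
)

if __name__ == "__main__":
    for label, policy in (("vague", VAGUE_POLICY), ("enumerated", ENUMERATED_POLICY)):
        report = assess_policy(policy)
        print(f"{label}: credible={report['credible']}")
        for name, entry in report["categories"].items():
            print(f"  {name:17} {entry['status']}")
        for phrase, why in report["qualifiers"].items():
            print(f"  qualifier {phrase!r}: {why}")
```

On the constructed vague policy the script reports IP addresses and DNS as denied, timestamps as collected (the “anonymized diagnostic data” sentence admits it), bandwidth as merely mentioned, session duration as unaddressed, and three qualifying phrases; the enumerated policy passes every category. The design choice worth noting is the pessimistic ranking: a single clause that admits collection overrides a denial anywhere else, which is exactly the “quiet contradiction” you are reading for.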
Step 2: Check for an independent audit
In an independent audit, a third-party security firm examines the VPN provider’s actual server infrastructure and configurations to verify that the no-logs claims are technically implemented. The strongest form gives the auditors live access to production servers rather than a staged copy, and the published report states that scope explicitly.
What makes an audit credible:
- Conducted by a recognized security firm (Deloitte, PwC, KPMG, Cure53, Securitum, SEC Consult)
- The audit report is publicly available, at least in summary form
- The audit covered server infrastructure, not just the privacy policy text
- The audit was recent (within the last two years; an older audit describes infrastructure that may no longer exist)
What doesn’t count:
- A “security audit” that only reviewed the apps, not the servers
- An audit by an unknown firm with no published methodology
- An audit that’s years old with no follow-up
Current audit status of major providers: NordVPN has been audited repeatedly (PwC, then an annual Deloitte series); ProtonVPN by Securitum, on an annual cadence; Surfshark by Cure53 (infrastructure) and Deloitte (no-logs); Mullvad by Cure53 (infrastructure); ExpressVPN by PwC and later KPMG. Private Internet Access had a Deloitte no-logs audit in 2022 and, separately, a court-tested track record. Check the scope of each one: an app or infrastructure security audit is not the same thing as a no-logs verification.
Step 3: Check for real-world legal tests
An audit is a controlled assessment. A legal challenge is the real test. Has the provider been served with a court order or law enforcement request? Did they have data to produce? Seizures and server breaches count here too: they are involuntary, which is the point.
Known real-world tests:
- Mullvad (2023): Swedish police raided the office with a warrant and left without taking anything. No customer data existed to seize.
- Private Internet Access (2016 and 2018): subpoenaed in two US criminal cases. Nothing to produce either time.
- ExpressVPN (2017): Turkish authorities seized a server during a criminal investigation and found no logs on it.
- NordVPN (2018, disclosed 2019): an attacker gained access to a single server at a third-party data center in Finland. There was no user activity data on it to take. Not a legal test, but an involuntary one with the same result, consistent with what the PwC audit found later that year.
- ExpressVPN (2021): an executive was revealed to have previously worked on a UAE hacking operation. This was not a data request and tested nothing about logging; it raised an insider-risk question, which is a different axis from the no-logs policy.
A clean legal track record is more convincing than any audit. A provider that has survived a real request with nothing to hand over has proven the policy worked on that infrastructure at that time. It does not bind the provider’s future infrastructure, which is why recurring audits still matter alongside it.
Step 4: Understand the technical infrastructure
RAM-only (diskless) servers are the strongest technical implementation of a no-logs policy. Nothing is written to persistent storage: the operating system and all runtime state live in memory and are gone when power is cut. If a server is seized, there is no drive to image. Two caveats a practitioner should hold onto. First, RAM-only protects against seizure of powered-off hardware, not against a live compromise: a running server can still be made to log in memory or ship data off-box to a collector, so the audit question is what the running system sends and where, not just whether there is a disk. Second, the guarantee only holds if swap and hibernation are off; either one pages memory to disk.
Providers that have completed full RAM-only migrations: NordVPN, ExpressVPN, Surfshark, ProtonVPN (Secure Core). Mullvad uses a mix depending on server type.
The absence of RAM-only servers doesn’t automatically mean a provider is logging, but it means that even a genuine no-logs policy doesn’t have the technical backstop that prevents data recovery from a seized drive.
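What an auditor with shell access to a server would actually check is whether the root filesystem is in memory, whether any writable block device is mounted anywhere, and whether swap is active. The script below is an added example written for this page, not code from any provider or audit firm; it assumes a Linux host where a RAM-only deployment shows up as a tmpfs or ramfs root in /proc/mounts (the layout is an assumption, not a description of any named provider’s servers), and the two sample mount tables are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Filesystem types that live entirely in memory. Assumption: a RAM-only deployment
# mounts its root on one of these rather than on a block device.
RAM_FS = {"tmpfs", "ramfs"}


def parse_mounts(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse /proc/mounts lines into (source, target, fstype, options).
    Spaces in paths are \\040-escaped in /proc/mounts; the samples here have none."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((fields[0], fields[1], fields[2], fields[3].split(",")))
    return mounts


def parse_swaps(text: str) -> List[str]:
    """Active swap devices from /proc/swaps (the first line is the header)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def assess_host(mounts_text: str, swaps_text: str) -> Dict[str, object]:
    mounts = parse_mounts(mounts_text)
    # The last entry for "/" wins: an initramfs rootfs line is shadowed by a later mount.
    root = [m for m in mounts if m[1] == "/"]
    root_in_ram = bool(root) and root[-1][2] in RAM_FS
    writable, readonly = [], []
    for source, target, fstype, opts in mounts:
        if source.startswith("/dev/"):  # a block device is mounted somewhere
            (readonly if "ro" in opts else writable).append((source, target, fstype))
    swap = parse_swaps(swaps_text)
    return {
        "root_in_ram": root_in_ram,
        "writable_block_mounts": writable,
        "readonly_block_mounts": readonly,
        "active_swap": swap,
        # Diskless: RAM root, no writable block device anywhere, and no swap
        # (swap would page memory, and whatever lives in it, to disk).
        "diskless": root_in_ram and not writable and not swap,
    }


# Constructed samples of /proc/mounts and /proc/swaps, not captured from any real server.
MOUNTS_DISKLESS = """\
rootfs / rootfs rw 0 0
tmpfs / tmpfs rw,relatime,size=8388608k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1638400k 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
"""
SWAPS_NONE = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"

MOUNTS_DISK = """\
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
"""
SWAPS_ACTIVE = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/sda3                               partition\t2097148\t0\t-2\n"
)

if __name__ == "__main__":
    try:
        with open("/proc/mounts") as m, open("/proc/swaps") as s:
            print("this host:", assess_host(m.read(), s.read()))
    except OSError:
        print("no /proc on this host; showing the constructed samples only")
    print("diskless sample:", assess_host(MOUNTS_DISKLESS, SWAPS_NONE))
    print("disk-backed sample:", assess_host(MOUNTS_DISK, SWAPS_ACTIVE))
```

The disk-backed sample fails on three counts at once: an ext4 root on /dev/sda2, an active swap partition, and a read-only /boot device (harmless for runtime data but still a drive that can be imaged). The check only tells you about the host it runs on, at the moment it runs; it says nothing about what the running system forwards off-box, which is the question the first caveat above leaves open and which only a scope-stated audit of the live fleet can answer.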
Step 5: Research the ownership
Who owns the VPN matters for no-logs verification. A small independent company has less complex organizational exposure than a large holding company with multiple subsidiaries and board obligations.
Two major consolidations to know about:
- Kape Technologies owns ExpressVPN, CyberGhost, PIA, and ZenMate. Kape was previously in the adware business.
- Nord Security owns NordVPN, Surfshark, and Atlas VPN (the last was shut down in 2024). The parent company is Lithuanian, inside the EU, even though NordVPN itself is Panama-incorporated.
This doesn’t mean their products are insecure, but ownership structure affects the full picture of who might be able to access or be compelled to produce data.
The red flags checklist
Avoid any VPN that matches several of these:
- No independent audit (or an audit that’s more than two years old)
- Privacy policy uses vague language without enumerating specific data categories
- Based in a country with mandatory data retention laws (Australia and the UK have them; in the EU the bloc-wide directive was struck down in 2014 and national rules vary). Note that most of these laws bind telecom operators and ISPs; whether they reach a VPN provider depends on the country, so check the provider’s own legal analysis rather than assuming either way.
- Unknown or opaque ownership
- No public response to legal requests or transparency reports
The green flags checklist
Strong confidence indicators:
- Multiple independent audits by named, credible firms
- Policy explicitly lists every excluded data type
- RAM-only server infrastructure
- Published transparency report
- Court-tested track record
- Independent ownership (not part of a large holding company)
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
A no-logs policy is only as good as the evidence behind it. Read the policy language, check for audits by credible firms, research the ownership structure, and look for real-world legal tests. Mullvad and ProtonVPN have the cleanest combination of all four factors. NordVPN has the strongest audit track record. Any VPN that can't point to at least an independent audit is asking you to take their word for it.
The evidence hierarchy, made explicit
Rank what providers offer and the verification work mostly does itself. At the top: adversarial, involuntary tests, meaning court subpoenas answered with nothing (PIA, twice) and seized servers yielding nothing (ExpressVPN’s Turkey incident). Just below: recurring independent audits with live-server access (Proton’s annual Securitum rhythm, NordVPN’s PwC and Deloitte series), where cadence matters because habits beat snapshots. Then: single audits aging quietly, transparency reports, open-source clients and warrant canaries, each a real but lighter signal. At the bottom: policy prose and marketing pages, which verify nothing but at least state the claim you’ll be checking.
A provider’s trust score is roughly the highest rung it occupies, weighted by recency, which is exactly how the no-logs column in our comparison is assembled. The method’s power is what it filters out: most “military-grade no-logs” marketing evaporates at the first request for evidence above the bottom rung.
Worked example: running the check in fifteen minutes
Take any candidate provider and walk it. Search the name plus “audit”: note the firm, the scope (no-logs specifically, not just app security) and the date; an audit more than two years old is a memory, not a credential. Search the name plus “subpoena,” “court” and “seized”: incident history is where claims meet weather. Check the privacy policy’s data-collected list against the marketing claim, watching for connection timestamps and bandwidth-per-user, the quiet contradictions. Confirm jurisdiction in the legal pages and weigh it per our jurisdiction guide. Fifteen minutes, four searches, and you know more than most review sites publish.
Providers passing the full walk are rare by design; that scarcity is the answer to why this site’s table keeps recommending the same short list.
(The hierarchy above is also the reading key for every trust claim in our reviews: when a score cites an audit or a court case, it’s citing a rung, and now you know how high it sits.)
Keep reading: Does NordVPN Keep Logs? What the Audits Actually Say and RAM-Only VPN Servers Explained: Why It Matters for Privacy.