When a VPN claims a no-logs policy, the question worth asking is: what happens if someone seizes the physical server?

Traditional servers store data on hard drives. Even if a VPN doesn’t log user activity by design, residual data, temporary files, and operating system artifacts can remain on disk and be recovered with forensic tools. A no-logs policy is a software-level claim. A seized hard drive is a hardware-level reality.

RAM-only servers address this at the infrastructure level.

How RAM-only servers work

All server operating data lives in RAM (memory) rather than on a hard disk. RAM requires continuous power to retain data. The moment a RAM-only server loses power or is rebooted, all data is gone permanently. There is nothing to image, nothing to forensically recover, and nothing to hand to authorities.

This means:

  • If a server is physically seized and powered down, it wipes itself in the process
  • Configuration, keys, and any temporary data are lost on every reboot
  • Each server restart loads the operating system from a read-only image, in a known clean state

The trade-off is that RAM-only servers require remote management infrastructure: the server needs to boot from a trusted image source, which requires careful architecture to avoid creating new attack surfaces.

Which VPNs use RAM-only servers

NordVPN: Completed full network migration to RAM-only (diskless) servers. All standard, Double VPN, obfuscated, and Onion over VPN servers run diskless.

ExpressVPN: Uses what it calls “TrustedServer” technology, RAM-only across the network. Independently audited.

Surfshark: Completed migration to RAM-only servers.

ProtonVPN: Secure Core servers run on RAM-only infrastructure. Standard servers vary.

Mullvad: Uses a mix, with RAM-only on a growing portion of the network.

CyberGhost, PIA, others: Have made commitments but have not completed full migrations as of 2026.

Does it make a difference in practice?

For most users, probably not. Law enforcement serving a VPN provider with a server seizure order is a rare scenario, and a provider with a genuine no-logs policy has nothing to hand over regardless of whether the server uses RAM or disk.

Where RAM-only matters is in the adversarial case where a sophisticated attacker (nation-state level) physically compromises a server. A disk-based server might yield OS artifacts, cached data, or keys that a RAM-only server would not.

It also matters as a signal of investment in privacy infrastructure. A VPN that has migrated its entire network to diskless servers has spent real money on an operational change that benefits users rather than the company. It’s one indicator among several for evaluating privacy commitment.

The bigger picture

RAM-only servers don’t replace the need for an audited no-logs policy, strong jurisdiction, and transparent ownership. They’re one layer of a defense-in-depth approach to privacy. A VPN with RAM-only servers but weak logging practices elsewhere hasn’t actually improved user privacy in any meaningful way.

The providers that combine all four elements: RAM-only infrastructure, independent no-logs audits, favorable jurisdiction, and transparent ownership, are the ones worth trusting with sensitive traffic.

Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.

Bottom line

RAM-only servers are a genuine technical improvement over disk-based infrastructure for privacy. NordVPN, ExpressVPN, and Surfshark have completed full network migrations. For everyday users the difference is marginal. For users with higher threat models, it removes a physical attack vector that disk-based servers cannot address through policy alone.

The seizure scenario, played out

Abstract architecture becomes concrete the day servers get seized, and the industry has run this experiment. When authorities took hardware from providers running traditional disk-based servers in past incidents, the question was always what the disks held. With RAM-only fleets, the answer changes physically: power interrupted, contents gone, and what investigators carry away is hardware containing the operating system the provider reloads onto every server anyway.

This is why RAM-only pairs so naturally with no-logs policies: the architecture enforces the promise at the hardware layer. A no-logs policy on disk-based servers asks you to trust configuration; RAM-only asks you to trust physics plus configuration. Auditors increasingly treat the combination as the baseline for top-tier ratings, and our comparison table tracks it as its own column for exactly that reason.

The limits of the guarantee

Honesty about what RAM-only doesn’t cover keeps the feature in proportion. It protects data at rest on the server; it does nothing about data in motion, which is the encryption layer’s job, and nothing about a provider that actively logs to an external system, which is the audit’s job to rule out. A malicious provider could run RAM-only servers and still ship logs elsewhere in real time; the architecture removes accidental and forensic retention, not deliberate betrayal.

It also resets on reboot but not between reboots: a server up for weeks holds whatever ephemeral state it holds until power-cycled or rotated. Providers handle this with frequent automated redeployment, NordVPN and Surfshark among the publicized examples. The takeaway shape: RAM-only is one verified layer in a trust stack alongside audits, jurisdiction and leak-proof clients, the same stack our comparison scores assemble, not a magic word that ends the conversation.

How to verify a provider’s RAM-only claim

The claim is checkable at three levels. Lowest effort: the provider’s own infrastructure page; RAM-only fleets are marketing assets, so providers that have them document them. Middle: audit reports, since infrastructure audits (NordVPN’s by VerSprite and others, Surfshark’s by Cure53) describe server architecture explicitly; an audit that examined live servers and reports diskless operation is strong corroboration. Highest: incident history, the involuntary kind of proof; providers whose seized or compromised servers yielded nothing have demonstrated the property under the worst conditions.

Our comparison’s RAM servers column condenses this: fully transitioned fleets score top marks, partial transitions middle, disk-based zero. Cross-reference it with the no-logs column when trust is the question; the providers strong in both (NordVPN, Surfshark, ExpressVPN, Proton) are the ones whose privacy story has hardware behind it.

The questions readers actually ask

Does RAM-only make the VPN faster? Marginally if at all; RAM is fast, but disks were never the bottleneck in tunnel performance. The benefit is forensic, not athletic. Does a reboot disconnect me? Server rotations are scheduled and load-balanced; users get migrated, not dropped, and you’ve almost certainly ridden through dozens without noticing. Can a RAM-only server still be wiretapped live? In principle a compromised live server sees traffic passing through it, which is why multi-hop and Tor exist for adversaries of that caliber; RAM-only narrows what an attacker gains to the live window, eliminating the archive. And should disk-based providers be disqualified? For high-stakes privacy, increasingly yes; for casual streaming, it’s one factor among the eighteen our table scores.

The feature has also become a useful tiebreaker: when two providers match on price and speed, the one running a fully RAM-only fleet has made a capital investment in not keeping your data, which says more than another marketing page ever could. Architecture choices are the rare VPN claims that can’t be A/B tested into existence by a copywriter.

If this article convinced you the feature matters, the implementation list in our table is current as of this writing; fleet transitions complete and get audited on a rolling basis, so the column is worth rechecking when you next change providers.

Keep reading: How to Verify a VPN’s No-Log Policy: What Actually Counts as Proof and Who Really Owns Your VPN? The Consolidation Map in 2026.