Who Really Owns Your VPN? The Consolidation Map in 2026

The VPN industry looks competitive. Dozens of brands, each with distinct marketing, different price points, and various privacy claims. The reality is different: a handful of holding companies own most of the brands you’ve heard of, and several of those companies have histories worth knowing about.

This matters for a VPN specifically because you’re trusting the provider with your internet traffic. Who ultimately controls that company determines what happens when a government, regulator, or acquirer comes knocking.

Kape Technologies: four major VPN brands, one company

Kape Technologies is a British-Israeli company whose majority shareholder is businessman Teddy Sagi. Kape owns:

• ExpressVPN (acquired 2021 for $936 million)
• CyberGhost (acquired 2017)
• Private Internet Access (acquired 2019 via LTMI Holdings)
• ZenMate (acquired 2018)

These four brands compete against each other in VPN reviews while being run by the same corporate parent. Kape was taken private in 2023 at approximately $1.51 billion.

The history that privacy researchers cite: Kape was previously named Crossrider. From 2012 to 2018, Crossrider operated a platform used to distribute adware and browser hijackers. The company rebranded as Kape Technologies in 2018, pivoted to cybersecurity and VPN products, and has since invested in improving those products.

This doesn’t automatically make Kape’s VPNs untrustworthy. ExpressVPN, CyberGhost, and PIA all have independent privacy audits and generally positive reviews from technical security researchers. But the history is relevant context when evaluating a company that now sells privacy products.

Nord Security: three VPN brands, one Lithuanian parent

Nord Security owns:

• NordVPN (incorporated in Panama)
• Surfshark (merged with Nord Security in 2022)
• Atlas VPN (acquired 2023)

Nord Security is incorporated in Lithuania, an EU member state, even though NordVPN itself operates under Panamanian law. This creates a layered structure: the VPN product is subject to Panama jurisdiction, but the parent company is subject to EU law.

Nord Security was historically connected to Tesonet, a Lithuanian data analytics company. The exact relationship was never fully disclosed and generated community discussion for several years. Nord Security has since clarified that the connection was through shared founders and early investment, not ongoing operational control.

NordVPN’s six consecutive no-logs audits (most recently Deloitte in December 2025) and RAM-only infrastructure are the strongest technical evidence that the product’s privacy claims hold up regardless of the corporate structure above it.

Ziff Davis: media company meets VPN empire

Ziff Davis (formerly j2 Global) owns:

• IPVanish
• StrongVPN
• Encrypt.me
• SaferVPN

Ziff Davis also owns PCMag, Mashable, and other technology media properties that publish VPN reviews. The conflict of interest here is straightforward: the same company publishes VPN rankings and owns several of the VPNs being ranked.

IPVanish and StrongVPN are US-based, which is a significant jurisdiction concern for privacy-focused users. IPVanish was involved in a 2016 incident where it provided user logs to the Department of Homeland Security despite claiming a no-logs policy at the time. The company has since changed ownership (from StackPath to Ziff Davis) and revamped its logging practices, but the incident is documented.

Independent VPNs: a shorter list

A smaller number of VPNs remain genuinely independent:

Mullvad: privately owned, Gothenburg-based team, no external investors, no corporate parent.

ProtonVPN: owned by Proton AG, the Swiss company also behind ProtonMail. Proton has received significant investment but remains independent, mission-driven, and transparent about its ownership.

IVPN: small independent provider, transparent ownership, no corporate parent.

Windscribe: Canadian company, privately owned, independent.

Independence doesn’t guarantee better privacy, but it does mean there’s no parent company whose interests might diverge from user privacy over time.

Why this matters in practice

Corporate ownership affects VPN privacy in two ways.

First, a holding company with operations in multiple jurisdictions may be subject to legal requests from multiple governments, even if the VPN product itself is incorporated in a privacy-friendly country. A government that can’t get data from NordVPN Panama might try to compel Nord Security Lithuania.

Second, ownership can change without notice. When Kape acquired ExpressVPN in 2021, users who had chosen ExpressVPN specifically because of its BVI jurisdiction and independent ownership suddenly found themselves under a company with a different history. The product didn’t change overnight, but the risk profile did.

The review site problem

Many VPN review sites are owned or funded by the same companies that own VPN products. When you read a “top 10 VPN” article on PCMag, you’re reading content from a company that owns IPVanish and StrongVPN. The reviews may be genuinely independent, but the structure creates incentives worth knowing about.

This site has no ownership relationship with any VPN provider. Our scores come from our testing database and are not influenced by affiliate commission rates.

Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.

How to run the ownership check yourself, in ten minutes

The method this article applies generalizes to any provider you’re considering. Start at the legal pages: the company name and registration country at the bottom of the privacy policy, not the marketing homepage. Search that entity name plus “parent company” and “acquisition”; corporate press releases and registries surface the chain quickly. Check the chain against the known conglomerates (Kape’s stable, Ziff Davis’s holdings, the app-farm operators running dozens of white-label brands), and weigh what you find against behavior: audits commissioned, transparency reports published, incidents disclosed honestly.

The red flags that end the inquiry early: ownership you cannot determine at all, a brand operating dozens of near-identical VPN apps, and free products whose corporate parent monetizes data elsewhere. The green flags that soften a concerning name: post-acquisition audit cadence maintained, infrastructure investments (RAM-only conversions), and years of incident-free operation under the new owner.

Why this layer outranks most spec sheets

Ownership is the layer that can silently rewrite every other promise: policies are amendable, settings are server-side, and the entity holding root access is the entity you’re actually trusting, whatever the app store listing says. That’s why our comparison table carries transparency and ownership as scored columns alongside speed and price, and why the providers at the top of this site’s rankings (Nord Security, Proton AG, Mullvad’s founder-owned structure) share legible ownership as a common trait. Specs tell you what a product does today; ownership tells you who decides what it does tomorrow.

Ownership changes, so date your trust: an acquisition announcement is the trigger to re-run the ten-minute check, watch the next audit cycle, and confirm the policies survived the handover. The providers that pass that test repeatedly are the ones whose names keep appearing at the top of this site’s table.

(The conglomerate map above reflects this update’s state of play; consolidation continues, and the check method matters more than any snapshot of who currently owns whom.)

The habit this article hopes to leave: read the ownership line the way you read a nutrition label, automatically and before consuming. Ten minutes per provider, once a year, and the layer most buyers never check becomes the one you check first.

Keep reading: Best VPN Jurisdiction in 2026: Panama vs Switzerland vs Iceland and How to Verify a VPN’s No-Log Policy: What Actually Counts as Proof.