Top Picks at a Glance
| Provider | Audit | Court-Tested | RAM Servers | Jurisdiction | Price/Mo |
|---|---|---|---|---|---|
| 1. Mullvad | Yes (Cure53) | Partial | Yes | Sweden (EU) | $5.00 |
| 2. ProtonVPN | Yes (SEC Consult) | Yes (Swiss courts) | No | Switzerland | $4.99 |
| 3. ExpressVPN | Yes (KPMG, Cure53) | Yes (2017 server seizure) | Yes (TrustedServer) | British Virgin Islands | $8.32 |
| 4. NordVPN | Yes (Deloitte, PwC) | Yes (2018 server seizure) | Yes (RAM-only) | Panama | $3.99 |
| 5. PIA | No formal audit | Yes (multiple US court cases) | No | United States | $2.03 |
Our Picks in Detail
1. Mullvad
Pros:
- Account system requires no email address — only an anonymous account number
- Accepts cash and Monero — payment cannot be traced to identity
- RAM-only servers in development (some locations already deployed)
- Cure53 independent audit of client apps and server infrastructure
- Open-source apps on all platforms — no hidden logging code
- Sweden GDPR jurisdiction: strong legal protection for user data
Cons:
- No dramatic court-case proof (no major case has targeted Mullvad yet)
- Flat $5/month — no annual discount
- Smaller server network than NordVPN/ExpressVPN
2. ProtonVPN
Pros:
- Swiss jurisdiction: Swiss courts have rejected multiple foreign government requests for Proton user data
- SEC Consult independent audit of server infrastructure and logging claims
- Open-source apps: no hidden code that could secretly log data
- Secure Core architecture routes traffic through hardened servers before exit
- No logs policy covers connection metadata, not just content
Cons:
- ProtonMail (same company) was ordered by Swiss courts to collect IP data of a specific user — VPN has stricter protection than email
- Secure Core adds latency — not ideal for all use cases
3. ExpressVPN
Pros:
- TrustedServer technology: all servers run on RAM only — no data persists after reboot
- 2017 Turkish government server seizure: authorities found no user data — real-world proof
- KPMG and Cure53 independent audits of no-logs claims and infrastructure
- BVI jurisdiction outside most major legal frameworks
- Lightway protocol open-sourced — transparent speed implementation
Cons:
- Highest price at $8.32/mo
- ExpressVPN acquired by Kape Technologies in 2021 — some privacy researchers note this ownership change, though audits have continued
4. NordVPN
Pros:
- Multiple independent audits: Deloitte (2022, 2023), PwC (earlier) — most frequently audited major VPN
- 2018 Finnish data center server seizure: authorities accessed the server, found zero user connection data
- RAM-only server infrastructure rolled out across the fleet
- Panama jurisdiction — no mandatory data retention laws
- Meshnet and split tunneling designed to not generate user-identifiable logs
Cons:
- 2018 incident showed one server was accessible — though no user data was found, it highlighted server security importance
- Organizational structure (Nord Security parent company) is complex
5. PIA
Pros:
- Has received and responded to numerous US court subpoenas across multiple years — consistently reported no user data to produce
- Open-source apps: code is publicly auditable for any logging functions
- MACE ad blocker provides additional protection layer
- 10 simultaneous connections
- US court cases are a high evidentiary bar — real-world proof under adversarial conditions
Cons:
- No formal third-party infrastructure audit (unlike NordVPN's Deloitte audits)
- US jurisdiction (5 Eyes member) — the legal framework is less protective than Switzerland or Panama
- Kape Technologies ownership (same as ExpressVPN) — see note above
How to Evaluate a VPN's No-Logs Claim
When assessing whether a VPN's no-logs policy is genuine, apply this framework:
| Evidence Type | Strength | Examples |
|---|---|---|
| Independent infrastructure audit | High — third party verifies server config | NordVPN (Deloitte), ExpressVPN (KPMG) |
| Court-tested: subpoena with no data produced | High — adversarial real-world test | PIA (multiple US cases), NordVPN (2018), ExpressVPN (2017) |
| Open-source client code | Medium — shows no logging in app code; doesn't verify server | Mullvad, ProtonVPN, PIA |
| RAM-only servers | High — physical impossibility of log persistence | ExpressVPN TrustedServer, NordVPN |
| Anonymous account system | High — no identity tied to usage | Mullvad (account number only) |
| Self-attested privacy policy only | Low — unverifiable marketing claim | Most budget and free VPNs |
| Bug bounty program | Low-Medium — encourages security testing but is not a logging audit | Various providers |
What 'No Logs' Actually Means — and What It Doesn't
A true no-logs policy covers:
- No connection logs: The VPN does not record which VPN servers you connected to, when, or for how long.
- No traffic logs: The VPN does not inspect or record the content of your traffic — websites visited, apps used, data transferred.
- No IP logs: The VPN does not record your real IP address or your assigned VPN IP address per session.
- No DNS logs: The VPN's own DNS resolvers do not log domain name queries.
What even no-logs VPNs typically do collect (and must, to operate):
- Aggregate server load data (to show server capacity in apps — not tied to individual users)
- Email address (for account management — except Mullvad)
- Payment data (billing records — except cash/crypto options)
- App version and platform (for update targeting — anonymized)
The key test: if served with a court order demanding "all user activity data for account X or IP Y on date Z," a genuine no-logs provider has nothing to produce.
Jurisdiction: Why Country of Incorporation Matters
A VPN's jurisdiction determines which legal frameworks can compel data disclosure:
- Switzerland (ProtonVPN): Not a member of the EU or the 5/9/14 Eyes. Swiss courts have rejected foreign government requests. Strongest legal protection.
- Panama (NordVPN): No mandatory data retention laws. Outside 5/9/14 Eyes. Foreign court orders not automatically enforceable.
- British Virgin Islands (ExpressVPN): UK overseas territory with independent courts. Outside EU data retention directives. Strong but UK-adjacent.
- Sweden (Mullvad): EU member subject to GDPR, but the EU's strong privacy framework protects against arbitrary disclosure. Swedish courts are protective of privacy.
- United States (PIA): 5 Eyes member. No mandatory VPN data retention law — but US courts can issue subpoenas. PIA has successfully responded to multiple subpoenas with no data produced, but the legal framework is less protective than Swiss or Panamanian law.
Frequently Asked Questions
Can a VPN truly have no logs?
Yes — technically. RAM-only server infrastructure (ExpressVPN TrustedServer, NordVPN's fleet) stores all data in volatile RAM, which is wiped on every server reboot. Without persistent storage, logs cannot exist after a reboot. Combined with a strict policy against writing user data to disk, a VPN can be architecturally incapable of producing user activity logs. The key is independent verification — independent audits and court cases provide evidence beyond marketing claims.
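What checking a RAM-only claim on a single Linux server could look like, as an added example (not from the original page or any provider's tooling): every writable mount should be memory-backed. The mount table, hostname and function names below are constructed for illustration, and the filesystem lists are an assumption about what counts as volatile.

```python
# Added example: flag writable mounts that would survive a reboot.
# Pseudo and memory-backed filesystem types (assumed list, extend as needed).
VOLATILE_FS = {"tmpfs", "ramfs", "devtmpfs", "proc", "sysfs", "devpts",
               "cgroup2", "securityfs", "debugfs", "mqueue"}
NETWORK_FS = {"nfs", "nfs4", "cifs", "ceph", "glusterfs"}

# Constructed sample in /proc/mounts format: device, mountpoint, type, options.
SAMPLE_MOUNTS = """\
rootfs / tmpfs rw,size=4194304k 0 0
/dev/loop0 /usr squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,size=65536k 0 0
/dev/sda1 /var/lib/vpn ext4 rw,relatime 0 0
logs.example.internal:/export /mnt/archive nfs4 rw,vers=4.2 0 0
"""


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, options) per mount-table line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, opts = fields[:4]
        yield device, mountpoint, fstype, set(opts.split(","))


def persistent_writable_mounts(text):
    """Return (mountpoint, fstype, reason) for each mount where data could persist."""
    findings = []
    for _device, mountpoint, fstype, opts in parse_mounts(text):
        if fstype in VOLATILE_FS:
            continue  # contents vanish on power loss or reboot
        if "ro" in opts:
            continue  # read-only image: nothing can be written here right now
        if fstype in NETWORK_FS:
            reason = "writable network filesystem"
        else:
            reason = "writable disk-backed filesystem"
        findings.append((mountpoint, fstype, reason))
    return findings


if __name__ == "__main__":
    for mountpoint, fstype, reason in persistent_writable_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint} ({fstype}): {reason}")
```

An empty result only shows that nothing can be written to persistent storage on that host at that moment. Logs shipped over the network to another machine, and mounts changed after the check, need separate verification.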
How do I know if a VPN's no-logs policy is real?
Look for three types of evidence: (1) Independent infrastructure audits by firms like Deloitte, PwC, KPMG, or Cure53 — these inspect actual server configurations, not just the privacy policy document; (2) Court-tested cases where the provider was legally compelled to produce data and could not; (3) Technical architecture like RAM-only servers that makes log persistence structurally impossible. Providers who offer only a self-written privacy policy with no external verification should be treated skeptically.
Does a no-logs VPN protect against government surveillance?
A no-logs VPN significantly reduces government surveillance capability — if a VPN has no records, a court order produces nothing. However, a VPN is not a complete anonymity solution: traffic analysis at the network level (comparing timing patterns of VPN connections), payment records, device fingerprinting, and account metadata can still be used to investigate users in high-resource surveillance scenarios. For most users, a verified no-logs VPN provides meaningful protection against routine ISP surveillance and data retention. For high-risk individuals (journalists, dissidents), additional measures (Tor, air-gapped devices) may be appropriate.