VPN No-Logs Policy: What It Really Means
Every VPN claims "no logs." But what does that actually mean? Which providers have proven it? And what data do they still collect?
What "No Logs" Should Mean
Not Logged (Activity Data)
- Browsing history / websites visited
- Connection timestamps
- Your real IP address
- Session duration
- Bandwidth used
- DNS queries
- Downloaded files
Usually Collected (Account Data)
- Email address (for account)
- Payment information (for billing)
- Aggregate server load stats (anonymized)
- Crash reports (optional, anonymized)
- Subscription status
Exception: Mullvad collects none of these — no email, anonymous payment accepted.
Independent Audit History
| Provider | Auditor | Year | Scope | Result |
|---|---|---|---|---|
| NordVPN | Deloitte | 2024 | No-logs infrastructure | Passed |
| NordVPN | Cure53 | 2023 | App security | Passed |
| Surfshark | Deloitte | 2023 | No-logs policy | Passed |
| ExpressVPN | KPMG | 2024 | No-logs policy | Passed |
| ExpressVPN | PwC | 2023 | TrustedServer | Passed |
| Proton VPN | Securitum | 2024 | Apps + no-logs | Passed |
| Mullvad | Assured AB | 2024 | Infrastructure | Passed |
| Mullvad | Swedish Police | 2023 | Server seizure | No data found |
How to Verify a No-Logs Claim
1. Check for independent audits — Has the provider been audited by a Big Four firm or Cure53? When was the last audit?
2. Check the jurisdiction — Is the provider in a country with mandatory data retention laws?
3. Look for RAM-only servers — Servers running in RAM can't store data persistently.
4. Review the privacy policy — Read the actual policy, not just the marketing. What data do they explicitly say they collect?
5. Check for real-world incidents — Has the provider been subpoenaed or had servers seized? What happened?
6. Open-source code — Can you verify the claims by reviewing the code? (Proton VPN, Mullvad: yes)