A no-log policy is the single most important privacy promise a VPN can make. It means the provider does not record any information about what you do while connected — no browsing history, no connection timestamps, no IP addresses, no DNS queries. Without logs, there is nothing to hand over to law enforcement, nothing to sell to advertisers, and nothing to leak in a data breach. But a policy on paper is just a policy on paper. The real question is how to verify that a VPN is actually keeping its promise. In this guide, we explain what a real no-logs policy covers, how independent audits work, what real-world tests have proven, and which VPNs have earned genuine trust.
What a True No-Logs Policy Covers
A meaningful no-logs policy should explicitly state that the provider does not collect any of the following:
- Browsing history: URLs visited, search queries, page content.
- Connection timestamps: When you connected, disconnected, or for how long.
- Source IP address: Your real IP assigned by your ISP.
- Destination IP address: The IPs of sites or services you access.
- DNS queries: Domain name lookups, which reveal every site you visit.
- Bandwidth usage: How much data you transferred.
- Session duration: How long you stayed connected.
- VPN server used: Some providers log which server you connected to.
Be skeptical of vague language like "we don't log your activities" without specifics. A provider might not log your browsing history but still log connection timestamps and IP addresses — enough to identify you. Read the actual privacy policy, not the marketing page.
What VPNs Do Need to Keep
Even a strict no-logs VPN needs to keep some account-related data to operate a business:
- Account email: For login and communication.
- Payment records: For billing and refunds. This links your account to a payment method.
- Aggregate bandwidth stats: Some providers keep total bandwidth per server for capacity planning, but not per user.
- Customer support tickets: If you contact support, that conversation is logged.
This is acceptable. The key is that none of this data can be linked to your browsing activity. Your account email is tied to your subscription, not to the sites you visited while connected.
How to Verify a No-Logs Claim
There are three meaningful ways to verify a no-logs claim, in increasing order of trust:
1. Independent Audit
The gold standard is a third-party audit by a reputable cybersecurity firm. The auditor examines the VPN's server infrastructure, source code, and logging configuration and issues a public report. Look for audits by firms like Cure53, PwC (PricewaterhouseCoopers), Deloitte, or Verizon Enterprise Solutions. Audits should be repeated periodically — a single audit from 2019 is much less meaningful than one from 2025 or 2026.
VPNs with current audited no-logs policies include:
- ExpressVPN: Audited by PwC (2019, 2020, 2022, 2023). TrustedServer architecture.
- NordVPN: Audited by Deloitte (2020, 2022, 2023, 2024). Verified no-logs.
- Surfshark: Audited by Deloitte (2021, 2022, 2023).
- PIA: Audited by Deloitte (2022, 2024). Open-source apps.
- ProtonVPN: Audited by SEC Consult (2021, 2023). Open-source apps.
- Mullvad: Audited by Assured AB (2020, 2022, 2023, 2024). Most transparent.
2. Real-World Legal Test
The strongest possible evidence is a case where a VPN was served a valid legal request for user data and could not produce any. Several providers have passed this test:
- ExpressVPN (2017): Turkish authorities seized an ExpressVPN server in connection with the assassination of a Russian ambassador. The server held no user data — no logs, no connection metadata. This was the result of the TrustedServer RAM-only design.
- PIA (2020): In a US court case, FBI requested logs. PIA produced nothing, confirming their no-logs claim under legal pressure.
- Mullvad (2023): Swedish police raided Mullvad's offices with a search warrant. Mullvad had no user data to hand over. The police left empty-handed.
- ProtonVPN (2021): Swiss courts ordered Proton to log a specific user's IP. Proton complied with the court order but had no historical data — only future data could be collected, and only for the specified account. Proton transparently disclosed this in their transparency report.
These cases are powerful because they are adversarial — the VPN had every incentive to cooperate and could not, because the data did not exist.
3. RAM-Only Server Architecture
A modern safeguard is the RAM-only server. Traditional VPN servers run from a hard drive or SSD; if logs are written, they persist across reboots. RAM-only servers run entirely in memory — every reboot wipes everything. ExpressVPN's TrustedServer was the first large-scale deployment; NordVPN, Surfshark, and PIA have since followed. This makes it technically impossible for logs to accumulate on the server, even if a bug accidentally writes them.
Red Flags: VPNs That Do Log
Avoid VPNs that exhibit any of these behaviors:
- Free VPNs with no paid tier: If you're not paying, the VPN is monetizing you. Hola VPN was caught selling user bandwidth; Betternet was caught logging and selling data; many free App Store VPNs are operated by shadowy data brokers.
- Vague privacy policies: If the policy says "we may collect" without specifying what, assume they collect everything.
- Headquartered in a Five Eyes country with data retention laws: The UK, US, Australia, Canada, and New Zealand all have legal frameworks that can compel logging. This does not automatically disqualify a VPN (PIA is US-based and has proven its no-logs claim in court), but it raises the bar.
- No audit, ever: A provider that has never been audited is asking you to take their word for it. In 2026, this is not acceptable.
- Logs "for marketing purposes": Some VPNs explicitly state they log aggregate data for advertising. Run.
Why Jurisdiction Matters (and Why It Doesn't)
Traditional advice says you should pick a VPN outside the Five Eyes / Fourteen Eyes intelligence-sharing alliances. Jurisdictions like the British Virgin Islands (ExpressVPN), Panama (NordVPN), and Switzerland (ProtonVPN) are popular because they have no mandatory data retention laws for VPNs.
This is good practice, but it is less important than the audit and the technical architecture. A US-based VPN like PIA has proven in court that it cannot produce logs. A BVI-based VPN with no audit and hard-drive servers is less trustworthy than a US-based VPN with an audited RAM-only infrastructure. Jurisdiction is one factor among several — do not over-index on it.
The Bottom Line
A no-logs policy is the foundation of VPN privacy, but only a verified no-logs policy counts. Stick to providers that have been independently audited, ideally multiple times. Give extra weight to providers that have survived real-world legal tests — ExpressVPN, PIA, Mullvad, and ProtonVPN have all demonstrated that their no-logs claims hold up when it matters. And pair the policy with RAM-only servers, which make accidental logging impossible. If your VPN cannot point to an audit report and a RAM-only architecture, it is time to switch.
Use a VPN with a Proven No-Logs Policy
Top-rated no-logs VPNs from $2.19/month, all independently audited.
Get the Deal →

