What Is a No-Logs VPN Policy? (And Why It Matters)
A no-logs VPN doesn't record what you browse, which sites you visit, when you connected, or your real IP address. If a court orders the VPN to hand over user data, there's nothing to hand over. But 'no-logs' is a marketing claim that any VPN can make — what matters is whether it's been independently audited or tested under real legal pressure.
What logs a VPN might keep
VPNs vary widely in what data they collect. The spectrum:
- Full logs (worst): Connection timestamps, IP addresses, sites visited, bandwidth. Rare among reputable VPNs.
- Connection logs (partial): When you connected, which server, how long, and how much bandwidth — but not what you did.
- Aggregate/diagnostic logs: Anonymized usage stats for performance monitoring — no personal data.
- True no-logs: No activity logs, no connection timestamps, no IP addresses. The VPN cannot reconstruct your session.
How to verify a no-logs claim
Three levels of verification, from weakest to strongest:
- 1. Self-declaration (weakest): The VPN says it has a no-logs policy in its terms of service. Means nothing without verification.
- 2. Independent audit: A security firm (Deloitte, PwC, Cure53) reviews the VPN's systems and verifies logs aren't being kept. Better — but audits are point-in-time snapshots.
- 3. Court/legal test (strongest): Law enforcement requests data, the VPN cannot comply because no logs exist. NordVPN (2018 server seizure), ExpressVPN (2017 Turkey assassination case), PIA (multiple FBI subpoenas), and ProtonVPN (2021 Swiss case) all passed this test.
Court cases are the gold standard for no-logs verification. When a VPN has had its servers seized and no user data was recovered, that's real-world proof.
VPNs with audited no-logs policies
These VPNs have had their no-logs claims independently verified, either by security-firm audits or, in the case of Private Internet Access, by subpoenas:
- NordVPN: Most recently audited by Deloitte (2024), with previous audits by PwC
- ExpressVPN: Audited by PwC (multiple times)
- ProtonVPN: Audited by SEC Consult (2022), confirmed in legal proceedings (2021)
- Surfshark: Audited by Deloitte (2023)
- Mullvad: Audited by Cure53 (2023)
- Private Internet Access: Three separate FBI subpoenas resulted in no useful data
- IVPN: Audited by Cure53 (2022)
Does the VPN's jurisdiction matter?
Yes. VPNs based in Five Eyes countries (US, UK, Canada, Australia, New Zealand) can be compelled to log data or share it with intelligence agencies under national security orders, often with gag orders preventing disclosure. VPNs in Switzerland (ProtonVPN), Panama (NordVPN), and the British Virgin Islands (ExpressVPN) are outside these alliances. However, if a VPN genuinely keeps no logs, jurisdiction matters less, because there's nothing to share.
A genuine no-logs policy matters more than jurisdiction. A US-based VPN with truly no logs is safer than a Swiss VPN that secretly keeps connection logs.
Frequently asked questions
Can a VPN be forced to log my data?
In most jurisdictions, authorities can compel a VPN to start logging future connections with a court order. They cannot retroactively create logs that didn't exist. This is why real-time no-logs architecture (RAM-only servers) matters — there's nothing to compel.
What are RAM-only servers?
RAM-only (diskless) servers wipe all data when powered off. There are no hard drives to seize. NordVPN, ExpressVPN, Surfshark, and Mullvad use RAM-only servers. Even if physical servers are confiscated, no data survives a power cycle.
Does NordVPN really keep no logs?
NordVPN's no-logs policy was independently audited by Deloitte in 2024, following earlier PwC audits. In 2018, a Finnish data center that hosted one NordVPN server was breached — no user data was recovered because none existed. This is strong real-world evidence.