Every VPN claims to have a no-logs policy. The claim is common. The proof is rare. This guide explains exactly what a no-logs policy means, what types of data might still be recorded, how to tell if a policy is genuine, and which VPNs have had their policies verified in the real world.
When a VPN says it has a no-logs policy, it is claiming that it does not record information about what you do while connected. In theory, if authorities requested your browsing history, connection times, or the IP addresses you visited, there would be nothing to hand over.
But "no logs" is not a single, defined standard. It is a marketing phrase that different providers use to mean different things. Some providers log nothing at all. Others log some data — connection timestamps, bandwidth used, the fact that you connected — while claiming a no-logs policy because they do not log your browsing activity specifically.
The most important question is not "does this VPN have a no-logs policy?" — every VPN claims that. The question is: what evidence exists that the policy is actually implemented?
Activity logs record the content of your internet usage: which websites you visited, what you searched for, which files you downloaded, and when. A VPN that logs this data is, practically speaking, no more private than your ISP. This is what a genuine no-logs policy prohibits.
Connection logs record metadata about your session without recording what you did: your real IP address, the VPN server IP you connected to, the time and duration of your connection, and the amount of data transferred. Some VPNs log this data for network management purposes while claiming they do not log "user activity." Whether this constitutes a "no-logs" policy depends on how strictly you interpret the claim.
For most users, connection logs are a meaningful privacy concern. Your connection times and IP address can reveal a great deal about your behaviour even without recording the specific sites you visited. A genuine no-logs policy should cover both activity and connection logs.
A no-logs policy only protects you if the company is not legally compelled to start logging — or to hand over logs that do exist. This is where jurisdiction becomes critical.
In countries with mandatory data retention laws, VPN providers can be required by law to log and preserve user data regardless of their stated policy. The UK's Investigatory Powers Act, for example, gives authorities broad powers to compel data retention. A VPN based in the UK could legally be required to log everything.
The safest jurisdictions for VPN privacy are those with no mandatory data retention laws and no participation in intelligence-sharing alliances:
An independent audit means a third-party security firm is given access to the VPN provider's actual infrastructure — servers, code, databases, logs — and checks whether the stated policy matches what the systems actually do. The auditor publishes a report confirming whether logs that should not exist actually do not exist.
This is meaningfully different from a VPN simply publishing a privacy policy and asking you to trust it. An audit means a professional with expertise and access has checked the claim against the reality.
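A simplified sketch of the kind of check described above, sorting what a server actually retains into this guide's two log categories. It is an added example, not any provider's or auditor's tooling; the field names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Hypothetical field names; a real audit would use the provider's own schema.
ACTIVITY = {"url", "dns_query", "dest_ip", "search_term", "download"}
CONNECTION = {"client_ip", "server_ip", "connected_at", "duration_s", "bytes"}
HOSTNAME = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def classify(key, value):
    """Return 'activity', 'connection' or None for one logged field."""
    if key in ACTIVITY:
        return "activity"
    if key in CONNECTION:
        return "connection"
    # Unknown key: inspect the value so renamed fields are still caught.
    try:
        ipaddress.ip_address(value)
        return "connection"
    except ValueError:
        pass
    return "activity" if HOSTNAME.match(value) else None

def audit(lines):
    """Collect the field names found in each log category."""
    found = {"activity": set(), "connection": set()}
    for line in lines:
        for token in line.split():
            key, sep, value = token.partition("=")
            category = classify(key, value) if sep else None
            if category:
                found[category].add(key)
    return found

def verdict(found):
    """Compare what is retained against the loose and strict no-logs claims."""
    if found["activity"]:
        return "activity logs kept"
    if found["connection"]:
        return "no activity logs, but connection logs kept"
    return "no activity or connection logs found"

# Constructed sample lines, not taken from any real provider.
SAMPLE = [
    "level=info event=session_end client_ip=203.0.113.7 duration_s=1820 bytes=48211",
    "level=info event=tunnel_up peer=198.51.100.23",
    "level=warn event=cpu_high load=0.93",
]
print(verdict(audit(SAMPLE)))
```

The `peer` field is caught by its value rather than its name, which is why an audit inspects stored data and not only the configuration.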
| VPN | Auditor / verification source | Frequency | Real-world test |
|---|---|---|---|
| Proton VPN | Securitum | Periodic | ✓ Yes |
| NordVPN | Deloitte | Multiple times | ✓ 2018 server seizure |
| ExpressVPN | PwC + KPMG | Multiple times | ✓ 2017 server seizure |
| Surfshark | Deloitte | Periodic | No known test |
| CyberGhost | Quarterly reports | Quarterly | No known test |
| PIA | Court proceedings | Ongoing | ✓ Court tested x2 |
Finnish authorities seized a NordVPN server as part of a criminal investigation. Despite having physical access to the hardware, they found no useful data — because none existed. NordVPN has since moved to RAM-only servers, which physically cannot retain data when powered off.
Turkish authorities investigating the assassination of the Russian ambassador seized an ExpressVPN server hoping to find information about a related account. They found nothing — confirming that ExpressVPN's policy held under real pressure.
US federal courts subpoenaed Private Internet Access for user data on two separate occasions. Both times, PIA submitted documentation stating it had no relevant data to provide. The court accepted this. This is arguably the strongest proof available — a legal proceeding where the claimed absence of data was formally accepted.
Best proof: Court-tested policy (PIA — twice) or server seizure with no data found (NordVPN, ExpressVPN).
Strong proof: Independent audit by a reputable firm (Deloitte, KPMG, PwC, Securitum).
Weak proof: Published privacy policy with no independent verification — do not rely on this alone.
Our best VPN for privacy guide ranks Proton VPN, NordVPN, PIA, and ExpressVPN specifically on the strength of their no-logs credentials — jurisdiction, audit quality, and real-world track record.