What is a No-Logs VPN? Audited Providers, Independent Reports, and How to Tell a Real Claim from Marketing
A no-logs VPN is one that does not record traffic, DNS, or connection metadata that could identify a user. The claim only matters when an independent auditor has inspected the actual infrastructure. Here is how to tell.
What "no-logs" actually means
A no-logs VPN is a provider that pledges not to record traffic, DNS queries, IP addresses, or connection timestamps that could be tied back to an individual user. The word 'no-logs' itself has no legal definition. Every VPN homepage uses it. The claim only becomes meaningful when an independent auditor has inspected the actual server fleet and configuration — and the report is published. As of 2026, all five major paid VPNs we cover (Mullvad, Proton VPN, NordVPN, ExpressVPN, Surfshark) have published independent audits.
What the published audits actually cover
Mullvad's most recent audit is by Cure53, conducted June 3–14, 2024 (its fourth audit overall, second with Cure53). It is an infrastructure audit covering one OpenVPN and one WireGuard server in Mullvad's production fleet. Proton VPN has passed four consecutive Securitum no-logs audits (2022, 2023, 2024, 2025). NordVPN has passed six independent no-logs assurance assessments under ISAE 3000: PwC 2018, PwC 2020, Deloitte 2022, 2023, 2024, 2025. ExpressVPN's Trust Center lists 23 published audits, most recently a third KPMG no-logs audit (2025) and Cure53/Praetorian audits of the Lightway protocol's Rust rewrite (Sep–Oct 2024). Surfshark has Deloitte no-logs audits in 2023 and 2025 under ISAE 3000.
What a real no-logs claim looks like
Three signals separate a real no-logs claim from marketing. First, a published third-party report — not a press-release blog post, but a downloadable PDF or a trust-center page with the auditor's name and date. Second, audit scope that includes infrastructure (server-level configuration), not only the client app. Third, ideally, a real court-order test. Mullvad's offices were searched by Swedish police on 18 April 2023 under a warrant issued from a German legal-cooperation request; Mullvad documented the event publicly and police left without seizing customer data because the data the warrant sought did not exist on the servers (per Mullvad's blog post on the search warrant). PureVPN, by contrast, supplied connection logs to the FBI in 2017 in the Ryan Lin cyberstalking case despite its prior 'no logs' marketing — the case is the canonical reverse example of a marketing claim contradicted by real legal compulsion.
Jurisdiction matters less than what the provider stores
VPN marketing makes much of jurisdiction. The 5 / 9 / 14 Eyes intelligence-sharing arrangements (USA, UK, Canada, Australia, NZ + Denmark, France, Netherlands, Norway + Germany, Belgium, Italy, Sweden, Spain) are real, and a Sweden-registered or Netherlands-registered VPN is in scope. But a provider in a non-Eyes jurisdiction that keeps connection logs is worse than a no-logs provider anywhere. Mullvad (Sweden, in 14 Eyes) and Proton VPN (Switzerland, outside Eyes) are both audited; the Mullvad raid demonstrates that a no-logs configuration matters more than a flag on the map.
How to read an audit report
Open the report and look for three things. (1) Scope — does the report describe what the auditor looked at, including which servers, which protocols, which date range? Generic 'audited the policy' language without specifics is weaker than 'examined VPN configuration files and server configurations'. (2) Method — Securitum's reports for Proton describe on-site configuration review and staff interviews; Deloitte's NordVPN reports cite ISAE 3000 (the international assurance-engagement standard); Cure53's Mullvad reports describe white-box security testing on production servers. (3) Findings — every audit finds something. Cure53's June 2024 Mullvad audit found two issues (one low, one medium); Praetorian's 2024 Lightway audit found two low-risk issues. The presence of findings is not bad — the absence of any findings would be suspicious. What matters is severity and remediation.
What to ignore
Ignore generic 'most private VPN' rankings that don't disclose their methodology. Ignore providers whose 'audit' is a letter from a small consultancy that never looked at the servers. Ignore VPN comparison sites that don't link the actual report — the report has a date and a publishing party; if a site won't link it, the claim is unverifiable. Ignore jurisdiction as the primary signal. The only reliable signal is the published audit scope plus, where it exists, the legal-compulsion case history.
Sources
Mullvad audit: mullvad.net/en/blog/fourth-infrastructure-audit-completed-by-cure53
Mullvad 2023 raid: mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised
Proton audits: protonvpn.com/blog/no-logs-audit
NordVPN audits: nordvpn.com/blog/nordvpn-no-logs-audit-2024
ExpressVPN Trust Center: expressvpn.com/trust
Surfshark audit: surfshark.com/blog/deloitte-nologs-policy-verified-again
PureVPN/Lin case: bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi
All URLs accessed 2026-04-30.