Look for VPNs with independent third-party audits, RAM-only servers, and privacy-friendly jurisdictions. Marketing claims mean nothing without verification. Check our methodology for how we evaluate these claims.
What Does "No-Logs" Actually Mean?
Almost every VPN claims "no-logs," but the term is often misleading. Let's break down what can be logged:
Types of Logs
| Log Type | What It Contains | Privacy Risk |
|---|---|---|
| Connection logs | Timestamps, IP addresses, session duration | High |
| Activity logs | Websites visited, files downloaded | Critical |
| Bandwidth logs | Amount of data transferred | Medium |
| Aggregate statistics | Server load, total users (anonymized) | Low |
True No-Logs vs Marketing No-Logs
True No-Logs
- No IP addresses stored
- No connection timestamps
- No browsing activity
- Verified by independent audit
- Technical measures (RAM-only)
Marketing "No-Logs"
- "No activity logs" (but keeps connection logs)
- Vague privacy policy language
- No independent verification
- History of handing over data
- Jurisdiction requires retention
Understanding No-Logs Audits
A no-logs audit is an independent examination by a third-party security firm. Here's what makes a good audit:
What Auditors Examine
- Server configurations: What logging is enabled at the OS level
- VPN software: Does the code collect or transmit user data
- Infrastructure: Network architecture, data flows
- Policies vs practice: Does reality match the privacy policy
- Access controls: Who can access what data
Reputable Audit Firms
- PricewaterhouseCoopers (PwC): Big 4 accounting firm
- KPMG: Big 4 accounting firm
- Deloitte: Big 4 accounting firm
- Cure53: German security firm, specializes in VPNs
- VerSprite: Cybersecurity consulting firm
Audit Limitations
An audit captures a single point in time, so it should be backed by:
- Regular, recurring audits (annual or more frequent)
- Full audit reports published (not just summaries)
- Technical measures that make logging impossible (RAM-only)
RAM-Only Servers Explained
RAM-only servers (also called "diskless" or "volatile" servers) run entirely in memory with no persistent storage:
How It Works
- Server boots from a read-only image
- Operating system and VPN software load into RAM
- All operations happen in volatile memory
- When powered off, all data is instantly wiped
- Rebooting loads a fresh, clean image
Security Benefits
- No persistent logs: Technically impossible to store long-term
- Seizure protection: Physical server seizure yields no data
- Tamper evidence: Any modification requires a reboot, which wipes the data
- Consistent state: Every reboot starts fresh
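The "server configurations" item under What Auditors Examine and the no-persistent-logs claim above both come down to checking where a node's log paths actually live. The script below is an added example, not code from the article or from any provider: it parses constructed samples of /proc/mounts and journald.conf and reports whether /var/log and the systemd journal are memory-backed.

```shell
#!/bin/sh
# Added example (not the article's or any provider's code): a read-only check of
# two OS-level signals an auditor looks at on a node claiming to be RAM-only:
# where /var/log is mounted and how systemd-journald stores its journal.
# Inputs are constructed samples; on a real host pass "$(cat /proc/mounts)"
# and "$(cat /etc/systemd/journald.conf)" instead.

# Constructed /proc/mounts: diskless node with one persistent data partition.
SAMPLE_MOUNTS='overlay / overlay ro,relatime 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /data ext4 rw,relatime 0 0'
# Constructed journald.conf: the weak setting beside the corrected one.
JOURNALD_PERSISTENT='[Journal]
#Storage=auto
Storage=persistent'
JOURNALD_VOLATILE='[Journal]
Storage=volatile'

# fs_type_of MOUNTS PATH: filesystem type of the longest mount point that
# contains PATH, i.e. the mount that actually backs it.
fs_type_of() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { m = $2; n = length(m)
          if (p == m || m == "/" || (substr(p, 1, n) == m && substr(p, n + 1, 1) == "/")) {
              if (n > best) { best = n; t = $3 } } }
        END { print t }'
}

# journald_storage CONF: effective Storage= value (journald defaults to auto).
journald_storage() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*Storage[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print (v == "" ? "auto" : v) }'
}

# logging_is_volatile MOUNTS CONF: succeeds only when /var/log is memory-backed
# and journald is not set to keep a persistent journal. "auto" is accepted
# because with /var/log on tmpfs the journal it creates is volatile anyway.
logging_is_volatile() {
    fs=$(fs_type_of "$1" /var/log)
    case "$fs" in tmpfs|ramfs) ;; *) echo "FAIL: /var/log is on $fs"; return 1 ;; esac
    st=$(journald_storage "$2")
    case "$st" in volatile|none|auto) ;; *) echo "FAIL: journald Storage=$st"; return 1 ;; esac
    echo "PASS: log paths are memory-backed"
}
logging_is_volatile "$SAMPLE_MOUNTS" "$JOURNALD_PERSISTENT" || true   # FAIL
logging_is_volatile "$SAMPLE_MOUNTS" "$JOURNALD_VOLATILE"             # PASS
```

A passing result here says nothing about the VPN daemon's own log files or about a separate persistent partition such as /data, which is why auditors also review the VPN software and the data flows.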
VPNs with RAM-Only Servers
- ExpressVPN (TrustedServer)
- NordVPN
- Surfshark
- Private Internet Access
- CyberGhost (some servers)
Jurisdiction & Legal Obligations
Where a VPN is legally incorporated affects what laws apply:
Surveillance Alliances
| Alliance | Countries | Concern |
|---|---|---|
| 5-Eyes | US, UK, Canada, Australia, New Zealand | Intelligence sharing, potential data requests |
| 9-Eyes | 5-Eyes + Denmark, France, Netherlands, Norway | Extended intelligence cooperation |
| 14-Eyes | 9-Eyes + Germany, Belgium, Italy, Sweden, Spain | Broader surveillance network |
Privacy-Friendly Jurisdictions
Generally Favorable
- Panama: No data retention laws
- British Virgin Islands: No mandatory logging
- Switzerland: Strong privacy laws
- Romania: Rejected EU data retention
- Malaysia: No VPN-specific laws
Considerations
- Laws can change
- International pressure exists
- Server locations matter too
- Company ownership structure
- Actual practices matter more than jurisdiction
Warrant Canaries
A warrant canary is a regularly published statement that a company has NOT received:
- National Security Letters (NSLs)
- Secret court orders
- Gag orders preventing disclosure
If the statement disappears or isn't updated, it may signal they've received such an order (since they can't directly say so).
Effectiveness Debate
- Proponents: Provides transparency within legal constraints
- Critics: Removing the canary could itself violate gag orders
- Legal uncertainty: Never tested in court
- Jurisdiction matters: More relevant in US than elsewhere
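Because a canary signals by absence, a reader has to check it actively: that it is dated, that the date is within the publishing interval, and that every negative statement is still present. The script below is an added example, not from the article or any provider; the canary text and the "today" date are constructed inputs.

```shell
#!/bin/sh
# Added example (not from the original article): a freshness check for a
# warrant canary of the kind described above. A canary only carries a signal if
# it is dated, newer than its publishing interval, and still makes each negative
# statement; this checks all three. The canary text and "today" are constructed.

# Constructed canary, in the style of a provider transparency page.
SAMPLE_CANARY='Transparency statement, last updated 2024-03-01.
As of this date we have NOT received any National Security Letters.
As of this date we have NOT received any secret court orders.
As of this date we have NOT received any gag orders.'

# day_number YYYY-MM-DD: civil date to Julian day number, so two dates can be
# subtracted without relying on GNU date -d.
day_number() {
    echo "$1" | awk -F- '{ a = int((14 - $2) / 12); y = $1 + 4800 - a; m = $2 + 12 * a - 3
        print $3 + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045 }'
}

# canary_status TEXT TODAY MAX_AGE_DAYS: prints OK, UNDATED, STALE: ... or
# MISSING: <claim>, and fails (non-zero) for anything but OK.
canary_status() {
    d=$(printf '%s\n' "$1" | grep -o '[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}' | head -n 1)
    [ -n "$d" ] || { echo UNDATED; return 1; }
    age=$(( $(day_number "$2") - $(day_number "$d") ))
    [ "$age" -le "$3" ] || { echo "STALE: last update is $age days old"; return 1; }
    for claim in 'National Security Letters' 'secret court orders' 'gag orders'; do
        printf '%s\n' "$1" | grep -q "NOT received any $claim" ||
            { echo "MISSING: $claim"; return 1; }
    done
    echo OK
}

canary_status "$SAMPLE_CANARY" 2024-03-15 30          # OK
canary_status "$SAMPLE_CANARY" 2024-05-01 30 || true  # STALE: last update is 61 days old
```

A STALE or MISSING result is only a prompt to look closer, in line with the debate above: it may mean an order was received, or simply that the page was not updated.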
Red Flags to Watch For
- Vague privacy policy: "We may collect some data for service improvement"
- No independent audit: "Just trust us, we don't log"
- History of data handover: Previous cases of providing user data
- Free VPN with no business model: If you're not paying, you're the product
- Ownership opacity: Unknown or hidden company ownership
- 14-Eyes jurisdiction with no technical safeguards: Legal obligations without protection
- Logs "anonymized" data: Anonymization can often be reversed
How to Verify Claims
- Read the privacy policy: Look for specific language about what is/isn't logged
- Check for audits: Look for published audit reports, not just claims
- Research the company: Who owns it? Where are they based?
- Look for court cases: Has the VPN been subpoenaed? What happened?
- Check technical claims: RAM-only, infrastructure details
- Read independent reviews: Not affiliate marketing sites
Frequently Asked Questions
Trust but verify. Look for VPNs with independent audits from reputable firms, RAM-only server infrastructure, and a track record of not handing over data when legally challenged. Marketing claims alone mean nothing.
With RAM-only servers, seizure yields nothing: data is wiped when power is cut. With traditional servers, authorities could potentially access stored logs. This is why RAM-only infrastructure is a significant privacy advantage.
Reputable audit firms (Big 4, Cure53) stake their reputation on honest assessments. However, audits are point-in-time: a VPN could change practices afterward. Look for regular, recurring audits and technical measures that make logging impossible.
If a VPN truly doesn't log and uses RAM-only servers, jurisdiction matters less, since there is nothing to hand over. However, some jurisdictions could legally compel a VPN to start logging. Privacy-friendly jurisdictions provide an extra layer of protection.