Every VPN on the market makes the same promise: your browsing stays private, your data stays encrypted, and nobody — not your internet provider, not advertisers, not hackers on hotel Wi-Fi — sees what you do online. The pitch rarely changes. What the ads never mention is the uncomfortable mechanic underneath: a VPN doesn't eliminate trust, it relocates it. Instead of your ISP watching your traffic, the VPN company can. Every site you visit, every DNS lookup, every connection timestamp flows through servers someone else controls.
That transfer of trust has gone badly wrong for millions of Americans. A 2025 investigation by the Tech Transparency Project found that one in five of the top 100 free VPN apps in Apple's US App Store were quietly owned by Chinese companies — 20 apps downloaded more than 70 million times from US app stores, several of them linked to Qihoo 360, a firm sanctioned by the US in 2020 over ties to China's military. Under China's national security laws, those companies can be compelled to hand user data to government authorities. The people who installed those apps to protect their privacy may have shipped their entire browsing history overseas.
The good news is that a handful of VPN providers can now back their promises with hard evidence: repeated third-party audits, open-source code, and in one memorable case, a police raid that came up empty. We compared the major services on what they can actually prove.
Why "No-Logs" Is a Claim, Not a Feature
Encryption is no longer what separates good VPNs from bad ones. Virtually every mainstream service uses AES-256 or ChaCha20 ciphers over modern protocols like WireGuard or OpenVPN, and custom implementations such as NordVPN's NordLynx and ExpressVPN's Lightway have made fast, secure tunneling table stakes. If a VPN is competently built, the traffic between your device and its servers is effectively unreadable in transit.
The real differentiator is what happens at the other end of the tunnel. A "no-logs policy" means the provider claims it doesn't record which sites you visit, your DNS queries, your originating IP address, or connection metadata that could tie activity back to you. But anyone can type "no-logs" on a landing page. The industry has a documented history of providers whose logs surfaced in court after they swore none existed. That's why the only claims worth your money are the ones tested by outsiders — accounting firms with subpoena-grade audit standards, security researchers with server access, or law enforcement officers who showed up with a warrant.
The Evidence That Actually Counts
NordVPN has now passed six independent no-logs examinations. The most recent, conducted by Deloitte between November 10 and December 12, 2025, was performed under the ISAE 3000 (Revised) assurance standard and gave auditors access to NordVPN's server infrastructure — including its specialty Double VPN, Onion over VPN, and obfuscated server configurations. Deloitte concluded that the company's systems and operations are designed and implemented in line with its no-logs statement.
Proton VPN has completed five consecutive annual no-logs audits by Securitum, a European security firm that runs more than 300 testing engagements a year for banks and major corporations. The audits involve technical interviews, supervised access to randomly selected live production servers, and review of logging configurations and admin procedures. Uniquely, every report is publicly downloadable without an account, and Proton added a SOC 2 Type II attestation of its operational security in July 2025.
"The technical evidence reviewed during the engagement did not indicate that the examined Proton VPN server infrastructure logs users' browsing activity, DNS queries, destination services, network traffic contents or user-identifiable connection metadata." — Securitum, Proton VPN no-logs audit report
ExpressVPN holds the volume record: 23 third-party audits published to date, including a third KPMG examination of its no-logs claims covering compliance as of February 28, 2025. Its TrustedServer platform runs entirely in RAM, and its Lightway protocol was rewritten in the memory-safe Rust language, then independently assessed by security firms Cure53 and Praetorian.
Mullvad offers the most cinematic proof in the industry. On April 18, 2023, at least six officers from the National Operations Department of the Swedish Police arrived at Mullvad's Gothenburg office with a search warrant, intending to seize computers containing customer data. As Mullvad recounted publicly, the data they wanted simply did not exist. After the company demonstrated how its service works and officers consulted the prosecutor, police left without taking a single device — the first search warrant in the company's 14-plus years of operation, and it produced nothing.
Side by Side: Price, Jurisdiction, and Proof
Pricing below reflects promotional long-term rates advertised in mid-2026; monthly plans typically cost several times more, and renewal prices often jump after the first term.
| Provider | Starting price (long-term plan) | Jurisdiction | Strongest privacy evidence | Standout feature |
|---|---|---|---|---|
| NordVPN | ~$3.09/mo (2-year) | Panama | 6th Deloitte no-logs engagement (Dec 2025) | RAM-only servers, Double VPN, post-quantum encryption |
| ExpressVPN | ~$2.49/mo (2-year Basic) | British Virgin Islands | 23 published audits; 3rd KPMG no-logs audit (2025) | TrustedServer RAM-only platform, Lightway in Rust |
| Proton VPN | $2.99/mo (2-year); free tier | Switzerland | 5 consecutive Securitum audits, all reports public | Open-source apps, Secure Core multi-hop |
| Surfshark | ~$1.78/mo (2-year) | Netherlands | Deloitte no-logs audits (2023 and 2025) | Unlimited devices, RAM-only servers |
| Mullvad | Flat €5/mo (~$5.50) | Sweden | 2023 police raid found no customer data | Numbered accounts, no email, cash accepted |
| Private Internet Access | ~$1.98/mo (3-year) | United States | Independently audited, fully open-source apps | Unlimited devices, MACE ad blocking |
A note on the pricing games: the VPN industry leans hard on teaser rates. NordVPN's month-to-month plans can run over $12 depending on tier, and most providers quietly renew multi-year deals at two to three times the intro price. If a service matters to you, calculate the second-year cost before committing. Mullvad is the outlier — one flat rate, no discounts, no coupons, unchanged for years.
Jurisdiction, RAM, and the Architecture of Forgetting
Where a VPN company is incorporated determines which governments can compel it to log. NordVPN operates from Panama and ExpressVPN from the British Virgin Islands — jurisdictions with no mandatory data retention for VPNs. Proton VPN runs under Swiss law, which currently imposes no logging requirements on VPN services, and applies its no-logs policy uniformly across servers in 140-plus countries and every subscription tier, including the free one. Mullvad stays in Sweden and relies on architecture rather than geography: if the data doesn't exist, the warrant doesn't matter. Private Internet Access is the notable US-based option, which puts it within reach of American legal process — offset, in its case, by open-source apps and audit history.
Infrastructure choices matter just as much. NordVPN, ExpressVPN, and Surfshark run RAM-only servers: nothing writes to disk, so every reboot wipes the machine clean and a seized server yields nothing. Proton takes a different route, using full-disk encryption on its hardware instead. Mullvad goes furthest on the identity side — it never asks for an email address, assigning customers a random numbered account, and accepts cash mailed in an envelope for the truly committed.
The Free VPN Trap
The Tech Transparency Project's findings deserve a closer look, because free VPNs remain among the most-downloaded utilities in US app stores. TTP's June 2025 spot check found 13 Chinese-owned VPN apps still live in Apple's top 100 free VPNs — including X-VPN, Turbo VPN, VPN Proxy Master, and Ostrich VPN — and 11 on Google Play, months after the initial report. None clearly disclosed Chinese ownership; some buried it under layers of shell companies. These weren't fringe apps: X-VPN generated over $10 million in lifetime US revenue, with Apple and Google taking their standard commission on every subscription.
The business logic of a free VPN should worry you on its own. Running thousands of servers costs real money, and if you aren't paying, your browsing data is the obvious inventory. The safer exception is Proton VPN's free tier, which is funded by its paid subscribers rather than advertising and is covered by the same audited no-logs policy as the premium plans. If your budget is zero, that's the route — not an anonymous app with a shield logo and 70 million downloads.
What Even the Best VPN Won't Do
A caution before you buy: a VPN encrypts the pipe, not your identity. Log in to Google, Facebook, or Amazon through a VPN and those companies still know exactly who you are. Browser fingerprinting and cookies keep tracking you across sites regardless of your IP address. A VPN typically won't stop phishing emails or malware, and it won't make illegal activity untraceable — determined investigators correlate traffic in other ways.
What a good VPN does deliver for Americans is real: it blinds your ISP, which US law has allowed to monetize browsing data since Congress rolled back the FCC's broadband privacy rules in 2017; it protects you on public Wi-Fi; it masks your IP from the sites you visit; and it keeps your DNS queries out of third-party hands. Those are meaningful wins — as long as the company on the other end of the tunnel keeps its word.
Picking the Right One for You
If maximum anonymity is the goal, Mullvad stands alone: no email, no name, cash accepted, and a raid-tested empty filing cabinet — provided you can live without streaming-focused extras. Privacy purists who want polish should look at Proton VPN, with its open-source apps, Swiss jurisdiction, fully public audit reports, and the only free tier worth trusting. NordVPN offers the strongest blend of verified no-logging and mainstream features, with six Deloitte engagements behind it and post-quantum encryption ahead of the curve. ExpressVPN's 23 audits and RAM-only fleet justify its premium positioning, while Surfshark and Private Internet Access cover budget shoppers with unlimited device connections.
The comparison ultimately reduces to a single question: who has shown their work? In a market built on invisible promises, the providers above are the ones that invited outsiders in — and passed. Anyone still asking you to take their word for it doesn't deserve your traffic.
