The State of VPN No-Log Audits — 2026

A sourced, at-a-glance comparison of which major VPNs have had their no-logs claims independently audited — by whom, and when — plus the jurisdiction and server architecture behind those claims.

A "no-logs" marketing line is not the same as a verified no-logs policy. The difference is an independent audit by a named third party, a privacy-friendly jurisdiction, and (increasingly) RAM-only servers that cannot retain data across a reboot. This page compiles those three signals for 12 of the most widely used consumer VPNs in 2026.

Free to cite and link. If you reference this table, a link back to this page is appreciated. See "How to cite" below.

The data (12 major VPNs)

VPN	Independent no-log audit (firm / year)	Jurisdiction	RAM-only	Notable public fact
NordVPN	Deloitte — 6th consecutive no-logs engagement (audit Nov 10–Dec 12, 2025)	Panama (outside 5/9/14 Eyes)	Yes (diskless)	7,000+ servers across 110+ countries
ExpressVPN	KPMG (2019, 2022, 2023, 2025); Lightway by Cure53	British Virgin Islands	Yes (wiped on reboot)	Owned by Kape Technologies since 2021
Surfshark	Deloitte (2025) verified its 15-min IP-deletion claim	Netherlands (Nine Eyes)	Yes	Merged with Nord Security in 2022; brands run independently
Proton VPN	5th annual no-logs audit; apps by Securitum (Aug 2025)	Switzerland (outside 5/9/14 Eyes)	—	First major VPN to open-source all its apps
CyberGhost	Quarterly transparency report of data requests	Romania (outside 5/9/14 Eyes)	NoSpy own data center	11,000+ servers across 100 countries
Private Internet Access	No-logs upheld in court (FBI subpoena yielded no data); independent auditor review	United States	—	All apps are 100% open source
IPVanish	Leviathan Security (2022); Schellman (2025)	United States	—	2016: handed data to DHS under prior ownership despite no-logs claims
PureVPN	KPMG "always-on" no-logs audit since 2023, reports public	British Virgin Islands (since 2021)	—	2017: provided connection logs to the FBI despite no-logs claim
Mullvad	Multiple audits by Cure53 and Assured AB	Sweden	Yes	Anonymous account numbers; runs no affiliate program
TunnelBear	Annual independent audits by Cure53	Canada (Five Eyes)	—	Owned by McAfee since 2018; free tier 2 GB/month
Hotspot Shield	Privacy-policy audit completed 2023	United States	—	Proprietary, closed-source Catapult Hydra protocol
Windscribe	Desktop app audited by Leviathan Security Group (2021)	Canada (Five Eyes)	—	2025: Greek court case dismissed — no logs meant no data to hand over

"—" means no public confirmation was found in the source compilation; it does not assert the opposite. Verify against the provider before relying on it.

Key findings

Independent audits are now table stakes, but cadence varies. Most-audited: NordVPN (6 consecutive Deloitte engagements through 2025), ExpressVPN (KPMG across 2019–2025), Mullvad (repeated Cure53 / Assured AB), TunnelBear (annual Cure53). A one-off audit is a weaker signal than an annual cadence.
Three providers have a documented history that contradicts a no-logs claim. PureVPN (2017, logs to the FBI) and IPVanish (2016, data to DHS under prior ownership) predate later audits. Conversely, PIA (FBI subpoena returned no data) and Windscribe (2025 Greek court case) had claims validated by real events.
Jurisdiction still splits the field. Panama, BVI and Switzerland sit outside the 5/9/14 Eyes alliances; Netherlands, Canada and the US sit inside. Inside-alliance providers lean harder on audits and RAM-only architecture.
RAM-only (diskless) infrastructure is the second proof point. NordVPN, ExpressVPN, Surfshark and Mullvad run RAM-only servers that wipe on reboot.

Methodology

Scope: 12 consumer VPN brands by 2026 market visibility. Signals compared: (a) existence/recency of an independent no-logs audit and named firm; (b) jurisdiction relative to the 5/9/14 Eyes alliances; (c) public RAM-only confirmation; (d) one notable public fact. This is a transparency-signal snapshot, not a security rating, speed test, or endorsement.

Editorial note (verification): Each audit, date and firm above should be cross-checked against its primary source (the provider's audit page, the firm's statement, or the court record) before republishing. Figures reflect a compilation dated 2026-06-27 and may change as providers publish new audits.

How to cite

"The State of VPN No-Log Audits — 2026", ToolsRanks. https://toolsranks.com/etudes/vpn-no-log-audits-2026
Plain-text and free to reference. A CSV of the underlying comparison is available on request.