What No-Logs Actually Means
A VPN no-logs policy means the provider does not keep records of your internet activity: which websites you visited, what you downloaded, your IP address, connection timestamps, or bandwidth usage. The strength of no-logs claims varies widely. Some providers claim no logs but retain connection metadata (when you connected, from which country, how long). This is worth distinguishing: a true no-logs policy should cover activity logs, connection logs, and IP assignment records.
Why No-Logs Claims Are Hard to Verify
Most VPN providers self-certify their no-logs policy in their privacy documentation. This is not verification. Verification requires an independent third-party audit of the provider's systems and logging infrastructure. Without an audit, a no-logs claim is a promise, not a fact. Promises have been broken before: multiple VPN providers have produced logs after claiming no-logs policies when faced with law enforcement requests.
Providers with Independent Audits
In 2026, a small number of providers have published independent third-party audit results from firms like Cure53, PwC, or Deloitte: ExpressVPN (multiple Cure53 audits), Mullvad (Cure53), ProtonVPN (Cure53), NordVPN (PwC and Deloitte audits). These audits inspect the servers, the logging infrastructure, and the configuration. They provide meaningful evidence that at the time of the audit, the systems were configured consistently with no-logging claims.
Limits of Audits
Audits are point-in-time checks. A provider's infrastructure can change after an audit. Frequency matters: annual audits are more credible than a single audit from three years ago. Also consider jurisdiction: providers based in countries without data retention laws (Iceland, Switzerland, British Virgin Islands) face less legal pressure to log than providers in 14-Eyes countries.
What to Look For
Evaluate no-logs claims by: published independent audit (with firm name and date visible), jurisdiction (outside 14-Eyes preferred), and track record (have they ever been compelled to produce logs? What happened?). Mullvad's case in 2022 -- where police raided their offices and found no usable logs -- is the strongest real-world test any provider has passed.