The Problem with 'No-Logs' Marketing
No-logs is a marketing term, not a technical standard. It can mean anything from 'we never store your browsing history' to 'we store connection timestamps and server load data but call that no-logs.' Reading the actual privacy policy, not the marketing page, is the only way to know what a VPN actually records.
What a Real No-Logs Policy Covers
A genuine no-logs policy states explicitly that the provider does not store: your IP address, connection timestamps, bandwidth usage, DNS queries, browsing history, or traffic content. It should also state that they cannot fulfill law enforcement requests for browsing history because that data does not exist. Some providers log aggregate, non-identifiable data for network performance. That is generally acceptable if it truly cannot be tied to individual users.
Why Audits Matter
Self-declared no-logs policies are unverifiable. Independent audits by firms like Cure53, KPMG, or Deloitte provide external verification. ExpressVPN, NordVPN, and Mullvad have all undergone multiple independent audits. Look for the audit firm's name, the date of the audit, and the scope: a code audit is not the same as a logging audit. The report should specifically state that auditors found no evidence of user-identifying log storage.
The Warrant Canary Test
Some VPNs publish warrant canaries: statements that they have not received any government requests for user data. If the canary is removed or not updated, it signals that a request was received. This is a secondary signal worth checking, not a primary guarantee.
Providers with the Strongest Track Records
Mullvad is the most privacy-focused option: they accept anonymous payment, require no email at signup, and have passed multiple audits. ProtonVPN is based in Switzerland, has strong legal protections, and has published audits. NordVPN and ExpressVPN are audited and have demonstrated no-logs in practice when law enforcement requested data and received nothing. Avoid providers with no published audits, vague privacy policies, or headquarters in countries with mandatory data retention laws.