“No-logs” is the easiest promise in the VPN industry to make and the hardest to prove. Any provider can type the words on a homepage; what separates a real no-logs VPN from a marketing slogan is evidence — an independent audit, infrastructure that physically cannot retain data, a jurisdiction with no retention law, and, best of all, a real-world test where someone demanded the data and there was none to give. This page is about that proof, not the buzzword.
Our top no-logs pick is Proton VPN. Based in Switzerland, outside the 5/9/14 Eyes, it carries the deepest verification record in the market — repeatedly audited, fully open-source, and built so its no-logs claim can be checked rather than believed. Just behind it sits Mullvad, whose policy was tested for real when Swedish police walked into its office and left empty-handed. After those two come NordVPN (Panama, RAM-only, Deloitte-audited) and ExpressVPN (British Virgin Islands), whose RAM-only server survived a literal police seizure with no data on it.
For the broader case for privacy — what a VPN hides, anonymity, day-to-day habits — read our best VPN for privacy guide. This page stays narrow on one question: when the no-logs promise is put under pressure, which providers have actually survived it? If P2P is your priority, see the best VPN for torrenting.
What “no-logs” really means — a promise, and its catch
A no-logs VPN keeps no record of what you do or what you connect to. In plain terms: no list of the websites you visit, no log of your real IP address paired with a session, nothing that could later be handed to anyone and used to reconstruct your activity. That is the ideal, and every provider on this page claims it.
The catch is that “no-logs” is a promise, not a feature you can switch on and watch work. You cannot see inside a provider’s data centre, or verify from your sofa in Dublin that the company is not quietly keeping a connection log “for troubleshooting”. So the claim, on its own, is worth almost nothing — it is a sentence on a webpage that anyone can write, and plenty of dishonest providers have.
It also helps to know what is being promised. There is a difference between activity logs — the sites you visit, what you do — and connection logs — timestamps, your source IP, how much data moved. A genuine no-logs VPN keeps neither in any form that can be tied back to you. Some weaker services keep “anonymised” connection logs and still call themselves no-logs; the wording matters.
The whole value of a no-logs policy lives in the proof behind it. A claim with no audit, no transparent infrastructure and no track record is just a slogan — and the rest of this page is about the things that turn that slogan into something you can trust.
How a no-logs claim is proven
There is no certificate that makes a VPN “officially” no-logs. Trust is built from a stack of independent signals — the more of them a provider has, the more credible the promise — and two carry the most weight.
Independent audits. A reputable outside firm is given access to the servers, configuration and internal policies, checks whether the provider is actually keeping what it says it is not, and publishes its findings. The big names on this page have all done it, several repeatedly:
- Proton VPN — audited by Securitum, with apps that are fully open-source so the code can be inspected on top of the audit.
- NordVPN — its no-logs policy has been independently audited by Deloitte.
- ExpressVPN — one of the longest and most repeated audit records in the industry.
- Private Internet Access — audited by Deloitte.
- CyberGhost — audited by Deloitte.
RAM-only servers. This is the technical half of the proof, the part that makes the promise hard to break even by accident. A RAM-only (disk-less) server runs entirely in volatile memory and wipes everything on every reboot — there are no hard drives to write logs to in the first place. NordVPN runs RAM-only, and ExpressVPN’s TrustedServer is built on exactly this idea: reinstall the whole server from scratch on each boot so nothing persists. When the hardware physically cannot hold a log, “we keep no logs” stops being a policy you trust and becomes a fact of the architecture.
Audits and RAM-only servers reinforce each other: the audit confirms the design does what it claims today, and the disk-less design means there is nothing to find tomorrow. But the single most convincing proof is the one no provider can stage-manage — and that is what the next section is about.
Court-tested: the cases that settled it
Audits are commissioned by the provider; RAM-only servers are designed by the provider. The most powerful proof of a no-logs policy is the one the provider has no control over at all: a court or police force demanding the data, and the provider having nothing to hand over. Three cases have done exactly that, and they are the strongest evidence on this page.
Private Internet Access — subpoenaed, twice, with no logs to produce
PIA has been ordered by US courts to produce user data — once in 2016 and again in 2017 — and in both cases it had no logs to give. The courts themselves confirmed that the data simply did not exist. That is about as definitive as it gets: not a marketing claim, not a self-commissioned audit, but a legal demand met with an empty hand, on the record. It is also the answer to anyone nervous about PIA being US-based, which we come back to below.
ExpressVPN — a seized server with nothing on it
In 2017, Turkish investigators physically seized an ExpressVPN server as part of an investigation and tried to recover data from it. They found no logs — because the server held none. This is the RAM-only design from the previous section proving itself in the worst-case scenario: not a subpoena the company could fight in court, but the hardware itself in someone else’s hands, and still nothing to find.
Mullvad — a police raid that left with nothing
In April 2023, Swedish police arrived at Mullvad’s office with a search warrant, intending to seize customer data. They left with nothing, because Mullvad stores essentially no customer data to begin with — no logs, and an account model that holds no personal details either. It is the clearest demonstration you will find that an audited no-logs policy beats a “perfect” jurisdiction on paper, since Sweden is technically inside the alliances we discuss next.
Three countries, three kinds of legal pressure — US subpoenas, a foreign server seizure, a domestic police raid — and three times the answer was the same: no data. That is what a no-logs claim looks like when it has actually been tested. None of it is about hiding crime, it is worth adding: using a VPN is perfectly legal in Ireland, as our guide on whether VPNs are legal in Ireland explains — a no-logs policy is about not being recorded, not about evading the law.
Jurisdiction and the Eyes alliances
Where a VPN company is legally based decides who can compel it and under what laws, which is why jurisdiction is part of any honest no-logs assessment. The shorthand is the 5/9/14 Eyes: intelligence-sharing alliances (the Five Eyes — US, UK, Canada, Australia, New Zealand — widening to fourteen countries including Sweden) whose members pool surveillance data. A provider based outside these blocs, with no mandatory retention law, faces less pressure to keep records at all.
Here is where our six sit:
- Proton VPN — Switzerland. Outside the Eyes, strong privacy law, no mandatory retention.
- NordVPN — Panama. Outside the Eyes, no retention law.
- ExpressVPN — British Virgin Islands. Outside the Eyes, no retention law.
- CyberGhost — Romania. Inside the EU but repeatedly resistant to blanket retention rules.
- Mullvad — Sweden. Technically inside the 14 Eyes, but pairs strong law with storing essentially no user data — which is exactly why the 2023 raid found nothing.
- Private Internet Access — United States. Inside the Five Eyes, but court-proven to keep no logs.
The honest takeaway: jurisdiction matters, but no-logs matters more. A flawless jurisdiction with sloppy logging is worse than a 14-Eyes provider that genuinely keeps nothing — if there are no logs, there is nothing to compel, wherever the company is incorporated. Mullvad in Sweden and PIA in the US prove it: both sit “inside” the alliances on paper, and both have shown under real pressure that the data isn’t there.
How we ranked the no-logs VPNs
This ranking follows our privacy rating — the right yardstick for a no-logs page, since it weights the things that make a logging policy believable rather than the speed and streaming we measure elsewhere. We scored each provider on:
- Quality and depth of audits. Not just whether an audit exists, but who ran it and how often it has been repeated.
- Real-world proof. A court case or seizure where the no-logs claim was actually tested carries more weight than any document — which is why PIA, ExpressVPN and Mullvad score so well.
- RAM-only infrastructure. Whether retaining logs is technically impossible rather than merely against policy.
- Jurisdiction and retention law. A meaningful tie-breaker, but never enough on its own to outweigh a tested no-logs record.
That gives us: Proton VPN first on its audit and open-source record in a no-retention jurisdiction; Mullvad second, raid-tested with almost no data to lose; then NordVPN and ExpressVPN, both RAM-only and audited, with ExpressVPN’s seized server adding real-world weight; then PIA, whose US base is offset by being the most court-tested name here; and CyberGhost, audited and Romania-based. For the all-round picture across speed, price and streaming, see our best VPN for Ireland ranking.
Our top picks for no-logs
Proton VPN — best no-logs overall
Based in Switzerland, outside the 5/9/14 Eyes, with no mandatory data retention and the deepest verification record in the market: a Securitum no-logs audit on top of fully open-source apps, so the claim can be inspected rather than taken on faith. It is the most complete combination of proofs here. More in our Proton VPN review.
Mullvad — the raid-tested pick
The clearest real-world proof of a no-logs policy you can buy. When Swedish police raided Mullvad’s office in April 2023 they left with nothing, because Mullvad stores essentially no customer data. Pair that with an account model that needs no personal details and it is the choice when you want the promise already battle-tested. See our Mullvad review.
NordVPN — audited and RAM-only at scale
Panama-based, outside the Eyes, running RAM-only servers with a no-logs policy independently audited by Deloitte — the proof stack done properly, alongside the speed and unblocking that make it our overall top VPN for Ireland. Detail in our NordVPN review.
ExpressVPN — RAM-only, and seizure-proven
Headquartered in the British Virgin Islands, outside the Eyes, ExpressVPN pioneered RAM-only TrustedServer technology — and proved it in 2017 when a server seized in Turkey yielded no data at all. A long, repeated audit record and easy apps make strong no-logs privacy genuinely simple to live with.
Private Internet Access and CyberGhost complete the six: PIA the most court-tested name on this page despite its US base, and CyberGhost a Deloitte-audited, Romania-based option. All six clear the bar — audited no-logs — that we treat as the floor, not a bonus.





