Are VPN no-logs claims trustworthy?

Short answer

Some are, most aren't. There are three tiers: claimed (the provider says so), audited (an independent firm verified it at a point in time), and court-tested (police or courts tried to get user data and the provider had nothing). Court-tested is the only kind that actually proves it. PIA, ExpressVPN, and Mullvad have been court-tested.

An audit is a snapshot. A provider can be audited in January and start logging in March. Audits are evidence of intent; court-tested is evidence of architecture.

Tier 1 — Court-tested (strongest)

Police or a court tried to get user data and the provider had nothing. Examples: Private Internet Access (US, 2016 and 2018), ExpressVPN (Turkey, 2017), Mullvad (Sweden, 2023). This is the only thing that proves a no-logs claim under the conditions it's claimed to protect against.

Tier 2 — Audited (medium)

An independent firm verifies that systems are configured the way the provider claims. Examples: NordVPN (Deloitte, multiple audits), Surfshark (Deloitte), CyberGhost (Deloitte), ProtonVPN (Securitum). Better than nothing; weaker than court-tested.

Auditors check what's running on the day they audit. They don't and can't promise the architecture stays that way for the next year.

Tier 3 — Claimed (weakest)

The provider says it doesn't log. There's no evidence this isn't simply marketing copy. Avoid for serious privacy use.

Last verified: 2026-05-05
