Which VPNs have actually proven their no-logs claim? (2026)

Every VPN claims "no logs." The phrase means little on its own, because you cannot see what a provider stores. What turns a claim into a fact is outside verification, and there are three kinds, in rising order of how convincing they are: an independent audit (a firm inspects the servers and code), a court case (a government demands data and the provider has none to give), and a police raid (servers seized, nothing useful found). Treat any provider with none of these as unproven, however loud the marketing.

Where the major providers stand (June 2026): NordVPN: no-logs policy independently verified several times; based in Panama; runs RAM-only servers. ExpressVPN: independently audited multiple times; based in the British Virgin Islands. Proton VPN: independently verified and fully open source; based in Switzerland. Surfshark: no-logs independently verified; based in the Netherlands. Private Internet Access: no-logs claim upheld in US court; open-source apps; US jurisdiction. Mullvad: collects no account data and stores no logs; when Swedish authorities visited in 2023 there was nothing to seize; based in Sweden. CyberGhost and IPVanish: serviceable, but with less independent proof, and IPVanish sits under US jurisdiction.

Two practical conclusions. For most people, an independently audited no-logs policy from NordVPN, ExpressVPN, Surfshark, or Proton is more than enough, and audits repeated over years (as Nord and Express have done) matter more than a single one. For privacy purists, proof under real pressure beats a paid audit: PIA in court and Mullvad under a raid are the strongest evidence there is, and Switzerland (Proton) and Sweden (Mullvad) sit outside the Five Eyes intelligence-sharing alliance that includes the US and UK. Jurisdiction is not everything, since a US provider with a court-tested record can beat an unaudited one elsewhere, but combined with audit history it is the clearest signal of who you can trust.