What Is No-Logs Policy?
A no-logs policy is a VPN provider's commitment not to record data that could link you to your online activity — browsing history, traffic contents, DNS queries, original IP addresses, or session timestamps that could correlate you with destinations. Because using a VPN shifts trust from your ISP to the provider, the credibility of this policy — ideally verified by independent audits and tested by real legal cases — matters more than any technical feature.
What 'no logs' actually covers (and what providers still keep)
No serious provider keeps zero data. Operating a service requires some state: account/payment records, aggregate bandwidth statistics, and often a count of simultaneous connections. The no-logs commitment is specifically about activity data: which sites you visited, what you transmitted, which IP you held at a given time.
Read policies for these distinctions: 'connection logs' (timestamps, IPs, bandwidth per session — privacy-relevant) versus 'usage/activity logs' (browsing content — the core promise) versus 'aggregate diagnostics' (generally harmless). A provider that keeps per-session connection logs with source IPs can be compelled to correlate you with your activity, no matter what its homepage says.
Verification: audits, court cases, and RAM-only servers
Three forms of evidence beat marketing claims. Independent audits: Big Four firms (Deloitte, PwC, KPMG) inspect provider infrastructure and attest the policy matches reality — NordVPN, ExpressVPN, and Surfshark all maintain current audits. Court tests: the strongest evidence is a subpoena that produced nothing — both PIA (US court cases, 2016 and 2018) and ExpressVPN (Turkish server seizure, 2017) have documented instances where authorities obtained no usable logs.
RAM-only (diskless) infrastructure complements the policy: when servers run entirely in memory, all state is destroyed on every reboot, making retroactive log recovery physically impossible. Most top providers have migrated their fleets to RAM-only operation.
Jurisdiction — does it still matter?
Provider headquarters determine which legal demands they can receive: BVI (ExpressVPN), Panama (NordVPN), and the Netherlands (Surfshark) sit outside mandatory data-retention regimes, while providers in Fourteen Eyes countries face broader intelligence-sharing exposure. Jurisdiction is a meaningful tiebreaker — but a provider with audited no-logs and RAM-only servers has little to hand over regardless of who asks, which is why we weight verification above flag of convenience.
Frequently Asked Questions
Can a no-logs VPN still be forced to log me?
A provider can be ordered to start logging a specific target going forward in some jurisdictions — this happened in the 2021 ProtonMail case (email, not VPN, and Swiss law treats VPNs differently). What audited no-logs + RAM-only infrastructure prevents is retroactive disclosure: data that was never written cannot be produced.
Which VPNs have proven no-logs policies?
By independent audit: NordVPN (Deloitte, multiple times), ExpressVPN (PwC and KPMG), Surfshark (Deloitte), Proton VPN (Securitum). By court test: PIA and ExpressVPN both have documented cases where seized servers or subpoenas produced no usable data.
Do free VPNs keep logs?
Most do — logging and monetizing user data is the business model that funds 'free.' The exceptions are freemium tiers from audited providers (ProtonVPN Free inherits Proton's audited policy). Independent research has repeatedly found tracking in the majority of standalone free VPN apps.
Is a no-logs policy enough for anonymity?
No. A VPN with a perfect no-logs policy still doesn't make you anonymous — accounts you log into, cookies, browser fingerprinting, and payment trails all identify you independently of your IP. A no-logs VPN removes one significant tracking layer; it doesn't remove the others.