The Data Scientist

How to Evaluate a VPN’s Privacy Claims Before You Trust It

Every major VPN provider in 2026 claims a strict no-logs policy. Not some of them. All of them. The phrase appears with such consistency across landing pages, app store listings, and affiliate review sites that it has become functionally meaningless as a differentiator. Which is a problem — because the underlying question it is supposed to answer, “Will this company hand over my data if asked?” is one worth taking seriously before you trust a provider with your network traffic.

The good news is that evaluating these claims has become more structured than it used to be. There are now established mechanisms — independent audits, RAM-only server architecture, jurisdiction analysis, and real-world legal tests — that separate providers with verifiable commitments from those making promises they have never been tested on. The less good news is that reading those mechanisms correctly requires more nuance than most comparison articles provide.

Here is a framework for doing it properly.

Why “no-logs” is a marketing phrase, not a technical guarantee

A true no-logs policy means the provider retains zero information that could link a specific user to specific online activity at a specific time. In practice, that is harder to achieve than the headline suggests. There is a meaningful difference between “we don’t log your browsing activity” — which may still permit logging of connection timestamps, session durations, bandwidth consumed, or the IP address you connected from — and a policy that explicitly enumerates every data category and states unambiguously that none of it is retained.

Reading the actual privacy policy, rather than the summary on the homepage, is the first step. Look for qualifying language: “anonymised diagnostic data,” “aggregate usage statistics,” or “we may retain connection metadata.” Each of these phrases is doing work that the marketing headline is not. A policy that clearly specifies what is not collected is generally more trustworthy than one that makes sweeping claims without defining its terms.

The audit question — and why not all audits are equal

Independent audits have become the VPN industry’s primary trust mechanism in 2026. The companies that published verified reports this year include NordVPN, audited by PwC; ExpressVPN, audited by Deloitte; Surfshark and Proton VPN, both audited by Cure53; Mullvad by SEC Consult; and Private Internet Access by KPMG, among others. The existence of independent audits is meaningful progress. The problem is that most users still do not know what those audits actually examined.

PwC, Deloitte, and KPMG are large accounting firms. When they conduct VPN audits, they typically perform attestation-style work — examining policies, reviewing record-keeping practices, and sampling operational evidence. This is useful for verifying that a provider’s stated policies are actually followed internally. It does not involve inspecting source code, conducting penetration tests, or examining server-level configurations in technical depth.

Cure53, NCC Group, and Trail of Bits are security consultancies. Their technical audits examine client applications, server configurations, cryptographic implementations, and API security. They probe for real vulnerabilities, not just policy alignment. An audit from Cure53 and an audit from a Big Four accounting firm both use the word “audit,” but they are answering fundamentally different questions.

“Read the audit date, not just the headline. Anything older than 24 months is stale. Check scope. Does the report examine server configs and authentication flow, or just policy docs?” — Redact.dev, 2025

The most reliable providers publish the full audit report, not just a press release. They commit to recurring audits rather than treating a single report as permanent certification. And they disclose the scope explicitly, so you can judge what was and was not examined.
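As an added illustration of the audit checks above (not code from the article or from any provider), here is a small Python triage routine that applies the 24-month staleness rule, the attestation-versus-technical scope distinction, and the full-report and recurring-audit criteria to a provider's audit history; the scope labels and the two providers' records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Scope items a technical (security-consultancy) audit is expected to cover,
# following the article's distinction; the labels are this example's own.
TECHNICAL_SCOPE = {"client_apps", "server_configs", "auth_flow", "crypto"}
STALE_AFTER_MONTHS = 24  # the article's staleness threshold

@dataclass(frozen=True)
class AuditRecord:
    firm: str
    completed: date
    scope: frozenset          # items from TECHNICAL_SCOPE, or {"policy_docs"}
    full_report_public: bool  # full report, not just a press release

def months_between(earlier: date, later: date) -> int:
    """Whole months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months

def evaluate_audits(audits: list, today: date) -> list:
    """Return a list of findings; an empty list means nothing to object to."""
    findings = []
    if not audits:
        return ["no independent audit published"]
    latest = max(audits, key=lambda a: a.completed)
    age = months_between(latest.completed, today)
    if age > STALE_AFTER_MONTHS:
        findings.append(f"latest audit ({latest.firm}) is {age} months old: stale")
    covered = set().union(*(a.scope for a in audits))
    missing = TECHNICAL_SCOPE - covered
    if missing:  # only attestation-style work, or technical work with gaps
        findings.append("no technical audit of: " + ", ".join(sorted(missing)))
    if not any(a.full_report_public for a in audits):
        findings.append("only summaries published, no full audit report")
    if len(audits) < 2:
        findings.append("single audit only; no recurring audit history")
    return findings

# Constructed sample records for two hypothetical providers (not real audit data).
TODAY = date(2026, 3, 1)
PROVIDER_A = [
    AuditRecord("AcctFirm", date(2025, 9, 10), frozenset({"policy_docs"}), True),
    AuditRecord("SecFirm", date(2024, 11, 2),
                frozenset({"client_apps", "server_configs", "auth_flow", "crypto"}), True),
]
PROVIDER_B = [
    AuditRecord("AcctFirm", date(2023, 6, 1), frozenset({"policy_docs"}), False),
]
```

Running `evaluate_audits(PROVIDER_B, TODAY)` yields four findings (stale, no technical scope, no full report, no recurrence), while PROVIDER_A yields none.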

Jurisdiction — where the company is incorporated, not where it has offices

The legal framework a VPN provider operates under is determined by where it is incorporated, not where its marketing team is based. A company with offices in Amsterdam but incorporated in the British Virgin Islands operates under BVI law for the purposes of responding to data requests. This distinction matters significantly, because data retention laws, intelligence-sharing obligations, and the legal threshold for compelled disclosure all vary by jurisdiction.

The Five Eyes, Nine Eyes, and Fourteen Eyes intelligence alliances represent a framework for data sharing between member country governments. A provider incorporated in a member country may be subject to legal obligations that a provider in Switzerland, Iceland, or the BVI is not. This does not automatically make providers in member countries untrustworthy — it means the relevant question is whether the provider’s no-logs infrastructure would give them anything to hand over if they were compelled to. A genuine no-logs policy in a less favourable jurisdiction is still preferable to a questionable policy in a favourable one.

Proton VPN’s approach to this question is instructive. In 2019, Swiss authorities ordered the company to turn over user data in a legal proceeding. They were unable to comply because the data did not exist. That real-world outcome is more compelling than any audit certificate — it demonstrates that the infrastructure matched the policy under actual legal pressure.

How to read a trust or transparency page

Most serious VPN providers now publish a trust center or transparency page — a consolidated resource covering their privacy commitments, infrastructure architecture, ownership structure, and audit history. Reading one carefully can tell you considerably more than most comparison articles.

On any VPN transparency page worth taking seriously, you should expect to find: a specific description of what data is and is not collected, the company’s legal jurisdiction and ownership structure, links to audit reports with dates and scope descriptions, transparency reporting around government or law enforcement data requests, and a description of server architecture — especially whether RAM-only infrastructure is used.

RAM-only servers are worth understanding briefly. Traditional server storage writes data to disk, where it persists even after the machine is powered down. RAM-only servers keep runtime data in volatile memory only, which is wiped completely on every reboot or power loss. This means that even if servers are physically seized, there is nothing on disk to recover; whatever was resident in memory at the moment of seizure is the only remaining exposure. It converts a policy claim into a hardware-level safeguard.

Evaluating a VPN on iPhone before you commit

For readers evaluating a VPN for iPhone before making a decision, the framework above applies regardless of platform. Read the privacy policy in full. Find the audit reports and check when they were conducted and by whom. Look at the jurisdiction. Search for the provider’s name alongside “subpoena” or “data request” to see whether any legal cases have tested its commitments in practice.

A no-registration option — where you can try the service without providing an email address or creating an account — also reduces the data footprint from the outset. X-VPN offers this on iOS, which means the provider holds less identifiable information from the moment you begin using the service, independent of whatever logging policy is in place.