What is a no-logs VPN, and how would anyone actually verify the claim?
"No logs" is on the homepage of nearly every VPN on the market. It's also one of the least verifiable claims in consumer software, because the thing being promised — that a private company isn't quietly writing down what you do — happens entirely inside infrastructure you will never see. This isn't a reason to dismiss the claim outright. It's a reason to know what kinds of evidence actually exist, what each one proves and doesn't prove, and how to weigh them against each other instead of taking a marketing badge at face value.
What "no-logs" actually covers
The phrase gets used as if it means one thing. In practice, VPN logging splits into three distinct tiers, and a provider can be completely honest about "no logs" while still keeping the middle tier.
What a strict no-logs claim covers
- Usage logs — browsing history, DNS queries, which sites you visited, traffic content
- The category every credible "no-logs" provider explicitly promises not to retain
- This is the tier that would actually identify what you did online
What "no-logs" often doesn't cover
- Connection logs — timestamps, session length, bandwidth used, server chosen
- Aggregate diagnostics — total server load, crash reports, app version
- Some providers retain these briefly for abuse prevention or troubleshooting, and disclose it in the fine print, not the headline
Neither connection logs nor aggregate diagnostics are inherently dishonest to keep — the problem is only when a provider markets itself as "zero logs, period" while its own privacy policy, several paragraphs down, says otherwise. Reading the actual privacy policy, not the homepage headline, is step one of verifying any claim.
Why the claim is structurally hard to verify
A no-logs policy is a promise about ongoing behavior on infrastructure the provider controls entirely and you never get direct access to. There is no external mechanism that can continuously confirm a private company isn't writing a line to a log file at 3 a.m. on a Tuesday. Every method of verification available is necessarily indirect — a snapshot, a legal stress test, an architectural safeguard, or a self-reported statistic. None of them, alone, is proof in the way a cryptographic signature is proof. The honest approach is to stack several independent kinds of evidence and see whether they agree.
The four kinds of evidence, ranked by how much they actually tell you
1. Court cases and server seizures — the strongest real-world test
When a government agency legally compels a provider to produce user-identifying data and the provider genuinely cannot, that's a result no self-commissioned report can replicate — nobody chose the scenario or the timing, and the stakes for getting caught lying were real. A handful of providers now have a public track record here, in both directions:
| Provider | What happened | Outcome |
|---|---|---|
| Private Internet Access | FBI subpoenas, 2016 and 2018, separate criminal investigations | No usable logs existed to produce |
| ExpressVPN | Physical server seized by Turkish authorities, 2017, assassination investigation | Server contained no identifying data; company introduced RAM-only "TrustedServer" architecture afterward |
| Mullvad | Swedish police raid with a search warrant, April 2023 | No customer data existed to seize |
| Perfect Privacy | Two servers seized by Dutch authorities, 2016 | No user data recovered from RAM-disk servers |
| IPVanish | DHS summons, 2016 | Connection logs were provided, contradicting its marketing at the time |
| PureVPN | FBI request in a cyberstalking case, 2017 | Logs were handed over despite a "no-logs" claim |
| HideMyAss | UK court order tied to LulzSec hacking investigation, 2011 | Connection logs led to a user's identification |
2. Independent third-party audits — a scoped snapshot, not a live feed
Firms like Deloitte, PwC, and the security research group Cure53 are hired to inspect a provider's server configuration, source code, or internal processes against its stated no-logs policy. A real audit is meaningfully different from a "security review" a company writes about itself — the auditor is independent, the methodology is disclosed, and (ideally) the full report is published rather than summarized in a press release.
What it doesn't do: verify anything outside the agreed scope, or anything that happens after the audit's field work concludes. A provider that publishes one audit from three years ago is offering weaker evidence than one that publishes a fresh audit annually — recency and repetition matter as much as the auditor's name. Our Surfshark review walks through one real example of what a repeated, multi-firm audit trail actually looks like in practice, rather than a single one-off report.
3. Technical architecture — RAM-only servers, and a genuine industry disagreement
Some providers run their entire server fleet in volatile memory with no hard drives at all. Reboot the server, or cut its power, and everything on it disappears — which is precisely why the Turkish and Dutch server seizures above turned up nothing. It's a real, verifiable engineering choice, not a marketing claim you have to take on faith.
It's also genuinely contested within the industry. Proton VPN has publicly argued that RAM-only is oversold as a security guarantee, since a server's live memory is just as accessible to anyone with root-level access while the machine is running — the scenario RAM-only actually defends against is narrower: a server seized while powered off. Their position is that full-disk encryption on a stopped server provides comparable protection in most realistic threat models. Both positions have a real technical basis; the practical takeaway is that RAM-only is one useful signal, not a complete answer on its own.
4. Transparency reports — useful, but self-reported
A transparency report discloses how many legal requests a provider received in a given period and how many it could actually fulfill. A provider showing hundreds of requests received and zero fulfilled with user data is offering real evidence — but the report is written and published by the company itself, with no external party checking its accuracy before release. It's most useful as a companion to a court case or audit, not as a stand-alone proof point.
Warrant canaries: mostly symbolic today
A warrant canary is a regularly-updated statement saying, in effect, "we have not received a secret government order as of this date" — the idea being that if the statement quietly stops updating, users can infer something happened that a gag order prevents the company from stating directly. In practice, canaries have fallen out of favor: their legal enforceability is untested and disputed, they're trivially easy to let lapse for unrelated reasons, and most providers with a serious verification story have shifted toward audits and published transparency reports instead, which carry a clearer, independently checkable meaning.
Red flags that undercut a no-logs claim before you even test it
- Jurisdiction with mandatory data-retention laws. A provider legally required to log connection metadata can't out-promise the law it operates under, no matter what its homepage says.
- Ownership by an ad-tech or data-broker parent company. A VPN's revenue model matters — a company whose broader business is built on user data has a structural incentive at odds with the product it's selling you.
- Free VPNs with no clear monetization story. Server costs are real and ongoing; if a free app isn't selling a subscription, it needs another revenue source, and that source is worth identifying before you trust its privacy policy — see our free vs. paid VPN guide for what that usually turns out to be.
- A rewritten privacy policy with no changelog. Providers with nothing to hide generally don't mind showing what changed and when.
- Marketing that says "audited" without naming the firm, the date, or linking the report. A real audit is something a provider is eager to show you in full, not gesture at vaguely.
How to actually evaluate a provider's claim yourself
- Read the actual privacy policy, not the homepage summary — specifically the sentence describing what's logged during an active connection, not just "after the fact."
- Look for a named, dated, published third-party audit — and check whether it's been repeated, not a single report from years ago.
- Search for the provider's name alongside "subpoena," "seized," or "court" to see whether its claim has ever actually been tested, and how it held up.
- Check the provider's home jurisdiction against known data-retention mandates — a claim can be sincere and still be legally overridden depending on where the company is incorporated.
- Check ownership history. Several major no-logs incidents trace back to a provider's ownership at the time, not its current management — this context changes how much weight an old failure should carry today.
None of this replaces the basics covered elsewhere on PrivacyTestLab — a no-logs policy only protects what happens after your traffic leaves your device; it doesn't fix a kill switch that fails silently, and it says nothing about whether your DNS requests are actually routed through the tunnel in the first place. Verifying "no logs" is one piece of a larger picture, not the whole thing.
What does "no-logs" actually mean, technically?
It depends entirely on which of three tiers a provider is talking about, and most marketing pages don't say which. Usage logs (browsing history, DNS queries, traffic content) are the ones that matter most and the ones every credible provider claims not to keep. Connection logs (timestamps, session duration, bandwidth used, which server you picked) are a separate category — some "no-logs" providers still keep these briefly for troubleshooting and abuse prevention. Aggregate/diagnostic data (server load, total daily traffic, app crash reports) is the least sensitive and usually fine even from an otherwise strict provider. A genuine no-logs claim should specify which of the three it covers.
Can a "no-logs" VPN still see what I do while I'm connected?
Technically, yes, in the moment — your unencrypted traffic passes through their server before continuing to its destination, so the provider has the same visibility your ISP normally would. "No-logs" is a claim about what they retain afterward, not about what's technically visible during the session. This is exactly why the provider itself becomes the trust bottleneck a VPN is supposed to remove — see our guide to how the encrypted tunnel actually works for what is and isn't protected end to end.
Do court cases actually prove a VPN has no logs?
They're the strongest evidence available, but not absolute proof. When a provider is legally compelled to produce user data and genuinely cannot, that's a real-world stress test no self-published audit can replicate. The limitation is that it only proves the state of things at the moment of that specific request — it doesn't guarantee the policy hasn't changed since, or that every server in every jurisdiction was covered by the same request.
Is a third-party audit enough on its own?
It's meaningful, but it's a photograph, not a live feed. A reputable audit (Deloitte, PwC, and Cure53 are the firms most frequently used in this space) verifies that a provider's stated architecture and configuration matched its no-logs policy at the time of the audit, within the scope the provider agreed to grant access to. It says nothing about the following Tuesday, or about servers and jurisdictions outside that scope. Recurring audits, published in full rather than summarized, are meaningfully stronger than a single one-time report.
What is a RAM-only ("diskless") server, and does it actually matter?
It's a server that runs entirely in volatile memory with no hard drive, so a reboot or power-off wipes everything, and a physically seized server has nothing persistent for investigators to recover. It's a genuine, verifiable technical safeguard against the specific scenario of physical seizure. It is not, by itself, proof that logs aren't being written somewhere else — some providers with a strong no-logs track record (Proton VPN among them) have publicly argued that RAM-only is oversold, since a server's live memory is just as readable to anyone with root access while it's running, and full-disk encryption on a powered-off server offers comparable protection in most realistic threat models. Treat it as one useful signal among several, not a silver bullet.
Why would a VPN lie about being no-logs?
Mostly business-model and jurisdiction pressure. A provider based in a country with mandatory data-retention laws, or owned by a parent company with an advertising or data-broker history, has structural incentive or legal obligation to keep more than it advertises. Free VPNs are the highest-risk category by far, since a service with no subscription revenue needs another way to fund server costs — several documented cases involve free or low-cost VPNs whose "no-logs" claim didn't survive a closer read of their own privacy policy.