Several major VPNs have published independent audits of their no-logs and/or infrastructure: NordVPN (six assurance engagements, most recently Deloitte, December 2025), ExpressVPN (KPMG, Cure53, PwC), Surfshark (no-logs 2023/2025 plus a SecuRing infrastructure audit, January 2026), and Proton VPN (consecutive annual audits). Mullvad's open-source stack has passed repeated independent security audits, and PIA's no-logs record has been court-tested. Each audit is point-in-time — read the report's scope and date.
What an independent no-logs audit actually proves
An independent no-logs audit is when a named third-party firm examines a VPN's systems and confirms that the configuration matches the no-logs policy at the time of the review. It is meaningful evidence — far stronger than a self-declared claim — but it has two limits worth understanding: it is point-in-time (it describes the day it was done, not the future), and it has a defined scope (a no-logs audit and an infrastructure audit check different things).
That is why we always record which firm conducted the audit, what it covered, and when. A provider that publishes the full report and renews it regularly is making a stronger, more accountable claim than one that cites a single old audit or only a logo. Read the actual report on the provider's own site before relying on it.
Who has been audited, by whom, and when
Below are the audit facts we have verified against primary or strong secondary sources as of June 2026. Confirm the latest on each provider's own site, since audits are renewed (and occasionally lapse).
- NordVPN — six independent no-logs assurance engagements, the most recent by Deloitte (report dated December 2025). Among the most frequent audit cadences in the category.
- ExpressVPN — no-logs audited by KPMG (2022, 2023) and PwC Switzerland (earlier); its TrustedServer RAM-only technology audited by Cure53.
- Surfshark — independent no-logs audits (2023, 2025), a SecuRing infrastructure audit published January 2026, an earlier Cure53 server-infrastructure assessment, and MASA app-security certification.
- Proton VPN — consecutive annual independent no-logs audits, alongside fully open-source apps.
- Mullvad — open-source software stack with repeated independent security audits (including its WireGuard implementation, GotaTun protocol, and web app via Assured).
- Private Internet Access (PIA) — open-source clients; no-logs record tested in court (no logs to hand over in legal requests) rather than via a single named-firm audit.
Frequently asked questions
Which VPN has the most independent no-logs audits?
NordVPN has one of the most frequent audit cadences in the category, with six independent no-logs assurance engagements, the most recent by Deloitte (December 2025). ExpressVPN, Surfshark and Proton VPN also publish independent audits, and Proton VPN runs consecutive annual ones alongside open-source apps. Read each provider's report for its scope and date.
Is a no-logs audit a permanent guarantee?
No. An audit is point-in-time: it confirms the systems matched the no-logs policy on the day of the review, within a defined scope. It is strong evidence, not a forever-guarantee, which is why frequent renewal and a readable report matter. Check the date and scope of the latest audit on the provider's own site.
Has any VPN's no-logs claim been tested in court?
Yes — Private Internet Access (PIA) has had no user logs to produce in legal requests, which is real-world evidence of its no-logs design alongside its open-source clients. That court record is a different kind of evidence from a named-firm audit, and arguably harder to manufacture, though PIA is US-based, which some users weigh against it.
Sources & further reading
An independent publisher comparing VPN services. Our editorial desk verifies every claim against primary sources — the provider's own documentation and the actual audit report — and never accepts payment for a better assessment.