No-logs VPN claims: what they actually mean

Last updated: April 9, 2026

What do 'no-logs' VPN claims actually mean? Learn how audits work, why jurisdiction matters, and the right questions to ask instead of trusting marketing.

Imagine you hire a locksmith to secure your front door. The locksmith promises: "I don't keep any record of your lock's combination." That sounds reassuring—but what does it actually guarantee? Does it mean the locksmith never wrote anything down, ever? Does it mean they're physically unable to write things down? Does it mean they could be forced by a court order to reconstruct the combination from memory? Or does it mean they're based in a country where courts can't compel them to cooperate?

This is the practical problem with "no-logs" VPN claims. The phrase sounds simple, but what it means—and whether you should trust it—depends on understanding what gets logged, who can prove it, and what a government or attacker can actually force a company to reveal.

What "no-logs" actually refers to

When a VPN provider claims they keep no logs, they're usually making a statement about their own servers: they say they don't store records of your browsing activity, the websites you visit, or the data you transmit. A true no-logs policy means that even if someone broke into their servers, they'd find no record of which user connected at which time and accessed which sites.

But "no-logs" is marketing shorthand. The precise claim varies by company. Some say they don't log IP addresses. Others say they don't log connection timestamps. Some claim they don't log DNS queries (the requests your device makes to translate website names into numerical addresses). A few go further and claim they log nothing at all about your connection.

The catch: they often still log other things. Most VPN providers log payment information (to bill you), account creation data, and server load statistics. These aren't "logs about your activity," but they can still reveal patterns. If you pay with a credit card, subscribe on Monday, your account gets created, and someone later learns you were a paying customer during a specific week, they've narrowed the window significantly.

Why independent audits exist and what they can prove

This is where independent audits enter the picture. An external auditor—a firm like PwC, Deloitte, Cure53, or KPMG—inspects a VPN provider's servers and code to verify their no-logs claims. Audits are not magic. They examine what exists at a specific moment in time. What they can state is: "On the day we looked, we found no activity logs." What they cannot state is: "This company has never logged anything" or "This company cannot be forced to keep logs in the future."

Different audit firms use different methodologies and have different scopes. A security-focused firm like Cure53 might conduct a deep technical audit of the VPN software's code, checking whether the application is designed to prevent logs from being written. An accounting firm like PwC might audit the company's documented policies and spot-check servers. Neither audit guarantees that logs don't exist on a backup server in a different facility, or that the company's founder didn't secretly keep records offline.

An audit also doesn't prove future behavior. A company could be audited, pass with flying colors, and change its practices the day after the auditor leaves. Audits are snapshots, not guarantees.

What happened when courts tested these claims

The strongest test of a no-logs claim is a legal subpoena. In at least one high-profile case, law enforcement served a legal demand on a major VPN provider. The company claimed they kept no logs. In response, they produced... nothing—because they genuinely had nothing to produce. This outcome actually supported the no-logs claim.

However, other cases went differently. In another instance, a VPN provider claimed they kept no logs but law enforcement retrieved user information anyway—not because the company was lying, but because the information existed elsewhere: in DNS records, payment processors' records, or ISP (Internet Service Provider) logs maintained by the user's home internet company. The VPN provider's servers contained no logs, but the user was still identified.

There's also the uncomfortable middle ground: a company claims no logs, law enforcement serves a subpoena, and the company says "we truly have no logs to provide." Law enforcement may not believe them. They might obtain a warrant to search the company's offices or seize equipment. What happens next depends on jurisdiction.

Why jurisdiction and legal authority matter more than you might think

A VPN provider based in the United States is subject to U.S. law. If a U.S. court issues a subpoena, the company must comply or face charges. A provider based in Iceland or Switzerland or Singapore operates under different legal systems with different data retention requirements and different penalties for non-compliance.

This matters because of international surveillance alliances. Countries in the "Five Eyes" alliance (United States, United Kingdom, Canada, Australia, New Zealand) have formal agreements to share intelligence with minimal legal friction. The "Nine Eyes" and "Fourteen Eyes" alliances expand this further. A VPN provider based in a Five Eyes country can be pressured through these channels even if they claim no logs; the claim doesn't protect them from legal leverage.

Conversely, a provider in a jurisdiction with no data-sharing agreements with your country offers different tradeoffs—but also introduces uncertainty. Can you trust the legal system in that jurisdiction to actually protect privacy? You can't verify that from outside the country.

The practical questions you should ask instead

Instead of simply believing or disbelieving a no-logs claim, ask: Has the company been independently audited, and by whom? What exactly was audited—code, servers, both? How recent was the audit? Is the audit report public, or does the company just claim an audit occurred? If the company has been served a legal demand, what was the outcome—and can you verify it from court records?

Also ask: What information does the company definitely collect, and where? Does it match their privacy policy? If the company took payment from you, they have a record linking you to a subscription; that's not a log of your activity, but it's information that exists.

Finally, remember that no-logs is one property of a VPN. It doesn't address whether the VPN's encryption is actually secure, whether their servers are compromised, whether they've been hacked without noticing, or whether a government pressured them to insert monitoring software. A no-logs promise is meaningful but not a complete solution to privacy.

The takeaway: no-logs claims require evidence, not faith. Audits provide useful third-party verification but have built-in limitations—they're point-in-time checks, not lifetime guarantees. Jurisdiction and legal authority matter as much as the company's own practices. The strongest confidence comes from audits, transparency about what is logged, and jurisdictions where data protection is legally enforced. But even then, you're managing risk, not eliminating it.

When you encounter a no-logs claim, your question shouldn't be "Is this true?" but rather: "What evidence exists, and is it credible given what I know about audits, legal systems, and how this company actually operates?"