VPN Logging Policies Explained
A VPN's logging policy determines what data the provider records about your connection and activity. This is the single most important privacy factor when choosing a VPN, because it determines what could be handed to authorities or exposed in a data breach.
Types of Data VPNs May Log
| Data Type | What It Records | Privacy Risk |
|---|---|---|
| Traffic/content logs | Records what websites you visited and data transmitted | Critical risk |
| Connection timestamps | Records when you connected and disconnected | Medium risk |
| Assigned VPN IP | Which VPN server IP you used at what time | Medium risk |
| Real IP address (incoming) | Your actual ISP IP at time of connection | High risk |
| Bandwidth usage | Total data transferred per session or account | Low risk |
| Diagnostic/crash logs | Error reports that may include connection metadata | Low risk |
What "No-Logs" Actually Means
The term "no-logs" is often used loosely. A genuine no-logs policy means the provider does not retain any data that could link a specific user to a specific network activity. Key distinctions:
- True no-logs: No connection timestamps, no assigned IPs, no incoming IPs, no traffic data. Confirmed by independent audit (e.g., Cure53, Deloitte, PwC).
- Minimal logs: Aggregate bandwidth or server load data only. Cannot identify individual users.
- Misleading no-logs: Claims "no traffic logs" but still logs connection timestamps and real IPs, which is enough to identify users under subpoena.
- Real-world proof: Providers like Mullvad, ProtonVPN, and ExpressVPN have been subpoenaed or had servers seized with no user data recovered.
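Why the "misleading no-logs" case still identifies users, as an added example (not from the original page or any provider's systems): the same lookup is run against connection-metadata logs and against aggregate-only logs. All records, account names and documentation-range IP addresses are constructed, and the sample assumes each assigned VPN IP is held by one session at a time.

```python
from datetime import datetime

# Constructed sample: a provider with "no traffic logs" that still retains
# connection timestamps, the assigned VPN IP and the incoming real IP.
CONNECTION_LOGS = [
    {"account": "acct-1001", "real_ip": "198.51.100.23", "assigned_vpn_ip": "203.0.113.10",
     "connected": "2024-03-01T09:00:00", "disconnected": "2024-03-01T10:30:00"},
    {"account": "acct-1002", "real_ip": "198.51.100.77", "assigned_vpn_ip": "203.0.113.10",
     "connected": "2024-03-01T10:45:00", "disconnected": "2024-03-01T12:00:00"},
    {"account": "acct-1003", "real_ip": "198.51.100.140", "assigned_vpn_ip": "203.0.113.11",
     "connected": "2024-03-01T09:15:00", "disconnected": "2024-03-01T11:00:00"},
]

# Constructed sample: a "minimal logs" provider keeping per-server totals only.
AGGREGATE_LOGS = [
    {"server": "203.0.113.10", "day": "2024-03-01", "total_gb": 412.6},
    {"server": "203.0.113.11", "day": "2024-03-01", "total_gb": 388.1},
]

# Fields a record must contain before it can be tied to one session.
NEEDED = ("assigned_vpn_ip", "connected", "disconnected")


def who_held(logs, vpn_ip, seen_at):
    """Return (account, real_ip) for every session that held vpn_ip at seen_at."""
    t = datetime.fromisoformat(seen_at)
    hits = []
    for rec in logs:
        if not all(field in rec for field in NEEDED):
            continue  # aggregate record: nothing links it to a user
        if rec["assigned_vpn_ip"] != vpn_ip:
            continue
        start = datetime.fromisoformat(rec["connected"])
        end = datetime.fromisoformat(rec["disconnected"])
        if start <= t <= end:
            hits.append((rec.get("account"), rec.get("real_ip")))
    return hits


if __name__ == "__main__":
    # A legal request typically names a VPN exit IP and a time it was observed.
    request = ("203.0.113.10", "2024-03-01T09:40:00")
    print("connection logs:", who_held(CONNECTION_LOGS, *request))
    print("aggregate logs: ", who_held(AGGREGATE_LOGS, *request))
```

With connection metadata retained, the request resolves to one account and its real IP without any traffic log; with aggregate-only records the same request returns nothing.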
Audit History by Provider
| Provider | Auditor | Year | Scope |
|---|---|---|---|
| Mullvad | Cure53 | 2022, 2023 | Apps + infrastructure + no-logs |
| ProtonVPN | SEC Consult | 2022 | Apps + no-logs |
| NordVPN | PwC, Deloitte | 2020, 2022 | No-logs policy |
| ExpressVPN | KPMG, Cure53 | 2022, 2023 | No-logs + app security |
| Surfshark | Cure53 | 2021, 2023 | No-logs + infrastructure |
| Private Internet Access | Deloitte | 2022 | No-logs policy |
| CyberGhost | Deloitte | Annual | No-logs policy |
For jurisdiction context, see VPN Jurisdiction and the 14 Eyes. To verify your VPN is not leaking data in real time, run our VPN Leak Test.