From the article:
| VPN | HQ & Eyes Alliance | Latest Independent Audit | Real-World Test | Retention Verdict* | |
|
|
|
|
| | ExpressVPN | British Virgin Islands (no data-retention laws) | KPMG ISAE 3000 Type I, Feb 2025 (ExpressVPN) | Split-tunnelling DNS leak disclosed Feb 2024 (patched) | Gold-standard. RAM-only fleet, annual audits, BVI jurisdiction. | | NordVPN | Panama | Deloitte 5th audit, Dec 2024 (NordVPN) | 2018 server breach – no logs leaked | Regular audits and positive breach outcome. | | Surfshark | Netherlands (9-Eyes) | Deloitte, Jan 2023 (Surfshark) | TunnelCrack Wi-Fi leak (Aug 2023) → patched in <7 days. | Strong audit hygiene but concerning jurisdiction. | | Proton VPN | Switzerland | Securitum, Apr 2024 (securitum.com) | N/A | Open-source clients + Swiss privacy laws. | | Mullvad | Sweden (14-Eyes) | Assured AB config audit 2023 | Swedish police raid Apr 18 2023 left empty-handed (Mullvad VPN) | Minimal-data design proven in the wild. | | Private Internet Access | USA (5-Eyes) | Deloitte, Apr 2024 (Private Internet Access) | Multiple US subpoenas produced no logs | Paper-trail-verified despite US HQ. | | CyberGhost | Romania (EU, outside Eyes) | Deloitte, May 2024 (CyberGhost VPN) | N/A | Second audit boosts trust. | | TunnelBear | Canada (5-Eyes) | Cure53 7th audit, Dec 2023 (TunnelBear: Secure VPN Service) | N/A | Longest unbroken audit streak. | | Windscribe | Canada (5-Eyes) | Cure53 server image audit 2022 | 2025 Greek/Canadian court case upheld no-logs stance (Tom’s Guide) | Policy tested – passed. | | Hotspot Shield | USA (5-Eyes) | Performance/security review by AV-Test only; no dedicated no-logs audit (vpnMentor) | AV-TEST performance audit only; no no-logs audit to date. (CVE Details) | Speed king, privacy laggard. |
Archived links:
