In April 2023, six Swedish police officers showed up at Mullvad VPN's offices with a search warrant. They intended to seize computers containing customer data. They left with nothing — because Mullvad had nothing to hand over. That's not a PR story. That's the closest thing to a real-world audit you can get.
The question isn't whether commercial VPNs claim to be trustworthy. They all do. The question is which ones have actually been tested.
What you need to know:
- The VPN industry is more consolidated than ever. Kape Technologies owns ExpressVPN, PIA, and CyberGhost — plus several "independent" review sites that recommend their own products.
- A no-logs policy is marketing until it's tested. Independent audits and real law enforcement encounters are the only evidence that counts.
- Three providers consistently pass both tests: Mullvad, Proton VPN, and IVPN — all with named ownership, independent audits, and no history of logging user data.
- NordVPN has improved significantly since its 2018 breach, with six completed Deloitte audits — but its ownership structure (Cyberspace Inc.) is worth understanding.
- Jurisdiction matters less than people think. A no-logs provider in Sweden (Mullvad) is safer than a logging provider in Panama.
The Consolidation Problem Got Worse
When this post was first published in 2022, the VPN industry was already consolidating fast. Four years later, the picture is clearer — and more concentrated.
Kape Technologies (London-based) now owns ExpressVPN, Private Internet Access, CyberGhost VPN, and Intego, serving over 7 million subscribers. Kape also owns Webselenese, which operates several VPN review websites that consistently rank Kape-owned products at the top. That's not a conflict of interest buried in the footnotes — it's the business model.
Cyberspace Inc. (Netherlands) owns both NordVPN and Surfshark after the two merged in 2022, despite Surfshark having denied the relationship publicly for years before the announcement.
j2 Global (now Ziff Davis) owns IPVanish, StrongVPN, and several others alongside a portfolio of tech publications. Same structure: media properties that review the parent company's VPN products.
This matters because the review ecosystem that most people use to evaluate VPNs is largely owned by the same companies selling them. If you've ever read a "Top 10 VPNs" article that put ExpressVPN or CyberGhost at #1 with a 9.8/10 rating, you may have been reading a product of that structure.
The full breakdown of what's changed in the VPN industry is covered in VPN Industry 2026: Who Owns What, Who Can You Trust. This post focuses on the trust question specifically.
Why Ownership Actually Matters
The standard concern is jurisdiction — the country where the VPN is based determines which laws apply to it. That's real but often overstated. A no-logs provider in a Five Eyes country is still safer than a logging provider in any country.
The more important question is: who actually owns and operates this service, what are their incentives, and what happens when a government shows up asking for data?
Kape Technologies was previously called Crossrider — a company that developed browser extensions used to inject ads. Their trajectory from adware distribution to owning four major VPN brands is documented, and it's relevant context for trusting them with your traffic.
When you use a VPN, you're shifting your trust from your ISP to the VPN provider. That's only a good trade if the VPN provider is more trustworthy than your ISP — and that's not guaranteed just because the marketing says so. Some providers have uploaded user data to ad platforms like Google and Facebook for retargeting purposes. That's documented, not theoretical.
The Three Tests That Actually Matter
You can't audit a VPN provider yourself. But you can look for three things that provide real evidence:
1. Independent third-party audits — of the infrastructure, not just the apps
App audits check the code. Infrastructure audits check whether the servers are actually logging anything. Proton VPN has completed annual infrastructure audits by Securitum every year since 2022. The most recent, published in September 2025, confirmed that Proton VPN's servers held no user activity logs, no connection metadata, and no DNS query records — across all regions and subscription tiers. IVPN has completed multiple audits by Cure53 since 2019. Mullvad undergoes annual infrastructure audits and publishes the results.
NordVPN has completed six no-logs audits under the Deloitte ISAE 3000 standard — more than most providers. Their 2018 server breach was a real incident; their response since then has been to build a more robust audit programme.
2. Real-world law enforcement encounters
This is the hardest test to pass, because it requires someone to actually try. On April 18, 2023, Swedish police from the National Operations Department executed a search warrant at Mullvad's offices in Gothenburg. Six officers arrived intending to seize computers containing customer data. Mullvad demonstrated how their infrastructure works — no account data, no connection logs, no identifiable user information stored anywhere — and the officers left without taking anything. First search warrant in over 14 years of operation.
No other major commercial VPN has had its no-logs claim tested that directly and come out clean.
3. Named, identifiable ownership
IVPN is run by Nick Pestell, a named individual with a public track record. Proton VPN is operated by Proton AG, a Swiss company with named leadership and origins at CERN. Mullvad is operated by Amagicom AB in Gothenburg, with named directors.
Contrast that with providers whose corporate structure runs through multiple holding companies across jurisdictions chosen to obscure ownership. If the company can't tell you who runs it, that's a data point.
Who Passes All Three in 2026
Mullvad — Sweden, Amagicom AB. Annual audits, accepts cash and Monero, no email required to sign up. Police showed up and left with nothing. The gold standard for operational privacy.
Proton VPN — Switzerland, Proton AG. Annual Securitum infrastructure audits (most recent: September 2025). Open-source apps. The most accessible of the three — free tier available, polished apps across all platforms.
IVPN — Gibraltar, named CEO Nick Pestell. Multiple Cure53 audits since 2019. Smaller network (41 countries) but strong transparency record. Accepts Monero and cash for annual plans.
For how these three compare on protocols, pricing, kill switch behaviour, and specific use cases, see Best VPN for Privacy in 2026: Audited, No-Logs, Court-Tested.
What About NordVPN?
NordVPN is owned by Cyberspace Inc. (Netherlands), which also owns Surfshark. Six Deloitte ISAE 3000 audits completed — more third-party scrutiny than most providers have invited. The 2018 server breach was disclosed two years late. Its marketing budget dwarfs its audit budget. A more detailed breakdown is in the VPN comparison.
What to Avoid
Avoid any VPN where the parent company also owns the review sites ranking it. Avoid VPNs bundling password managers, email, and cloud storage under a single opaque corporate structure — you've shifted from "trusting your ISP with your traffic" to "trusting one company with everything." Avoid any provider that can't tell you who runs it.
What VPNs don't protect you from is a separate question — the VPN with Tor post covers the limits of what any VPN can actually do.
Commercial VPNs are trustworthy when they're built to be caught lying and haven't been. That's a short list. Mullvad, Proton VPN, and IVPN are on it. Most of the VPNs dominating search results are not.
