One company now owns four of the most heavily marketed VPN brands — ExpressVPN, Private Internet Access, CyberGhost, and ZenMate — and in early 2026, that company went fully private. No more public stock filings. No transparency reports that anyone outside can independently verify.
What you need to know:
- Kape Technologies (formerly Crossrider, an adware company) owns ExpressVPN, PIA, CyberGhost, and ZenMate, and delisted from the London Stock Exchange in early 2026 — removing the last external visibility into its operations.
- Most "Top 10 VPN" review sites are owned by the companies they review. Kape also owns several VPN review websites that consistently rank its products first.
- NordVPN and Surfshark are both owned by Nord Security. They're marketed as competitors; they share corporate ownership since their parent company merger in 2022.
- Mullvad and Proton VPN are the only major providers with both repeated independent audits AND a real law enforcement test — in both cases, police left with nothing because no data existed to hand over.
- An audit is a snapshot, not a guarantee. A pattern of audits over multiple years, combined with a court test, is the only meaningful signal.
I've tracked VPN industry ownership since the ExpressVPN acquisition in 2021 and update this analysis as structures change. The consolidation has accelerated faster than most privacy coverage has acknowledged.
What Changed and Why It Matters
The ExpressVPN acquisition — about $1 billion in 2021 — was alarming enough at the time. A company with Crossrider's history buying one of the most trusted VPN names in the industry, backed by billionaire Teddy Sagi, raised obvious questions about what the long-term business model actually was. But the situation has since gotten murkier. Kape Technologies was delisted from the London Stock Exchange at the start of 2026, moving entirely under Sagi's Unikmind private group. Public companies have disclosure requirements. Private ones don't. Whatever Kape's relationship with its VPN users' data looks like in practice, it is now considerably harder for anyone outside the company to examine.
ExpressVPN itself has responded to the trust concerns by accumulating ISO certifications — ISO/IEC 27001, ISO 9001, and others. These are legitimate certifications, and the existing post covering the ExpressVPN situation goes into the history in detail. But ISO certifications verify that an organisation has appropriate management processes in place. They are not no-logs audits. They don't confirm that traffic data isn't retained. And in April 2025, ExpressVPN had a second significant technical failure — a Windows IP leak that exposed real IP addresses for RDP traffic, the second such incident since 2022.
What a VPN Audit Actually Tells You
The industry has responded to trust concerns partly by normalising independent audits. Most major VPN providers now publish third-party no-logs audits, and a provider without any audit is a genuine red flag in 2026. But understanding what an audit actually confirms is important before treating it as a clean bill of health.
A no-logs audit means an independent firm examined the provider's infrastructure and found no evidence that the claimed data wasn't being retained. It's a snapshot — one auditor, one point in time, the servers they were given access to. It doesn't cover what happens between audits. It doesn't guarantee that ownership decisions, government orders, or infrastructure changes haven't shifted what gets collected. And it says nothing about whether the company that owns the provider has interests that conflict with yours.
The more meaningful signal than a single audit is a pattern of audits over time, combined with a court test — an actual legal demand for user data that produced nothing because no data existed.
Proton VPN has both. The company passed its fourth consecutive no-logs audit in August 2025 — this one conducted by Securitum, a European security firm — following a SOC2 Type II certification in July 2025. More usefully, Proton received 59 legally binding data requests in 2025 and denied all 59. Swiss law gave them the legal standing to do so, and their architecture gave them nothing to hand over even if they had complied.
Mullvad has the same combination. The August 2025 penetration test by Assured Security Consultants found no significant findings. And in 2023, Swedish police executed a search warrant on Mullvad's Gothenburg office looking for subscriber data. They left empty-handed — not because Mullvad refused to cooperate, but because the data didn't exist.
A police raid that produces nothing is a stronger trust signal than any audit.
The Ownership Question Nobody Asks Enough
Most VPN buying guides focus heavily on technical specifications — jurisdiction, encryption standards, server count, speed. Fewer spend time on ownership, which is where the actual risk concentrates.
Mullvad and IVPN are independently owned. No outside investors, no corporate parent with separate business interests, no acquisition history. Mullvad doesn't even require an email address to create an account — you get an account number, pay with cash or crypto if you want, and that's the entire relationship. IVPN operates similarly: small team, Gibraltar jurisdiction, no affiliate program, no growth-at-all-costs pressure.
Proton VPN sits under Proton AG, a Swiss company founded by CERN scientists that also operates ProtonMail. The mission-alignment argument is stronger here than with most providers — Proton's reputation depends on privacy in a more direct way than a VPN subsidiary of a digital advertising conglomerate.
NordVPN and Surfshark are both owned by Nord Security, having merged their parent companies in February 2022. They're marketed as competitors but share corporate ownership. Both are legitimate options — audited, no public logging incidents, Panama and Netherlands jurisdictions respectively — but the competitive framing is worth knowing about. NordVPN's affiliate program pays 100% of the first month's revenue, which is why it appears in so many recommendations. That doesn't make it untrustworthy, but it explains the volume of enthusiastic coverage.
ExpressVPN's situation is covered above. The Kape privatisation in 2026 doesn't make it provably unsafe. It makes it harder to verify, which for a privacy tool is a meaningful distinction.
What This Means in Practice
The honest answer for 2026 is that the VPN market has bifurcated. On one side are providers that have demonstrated their no-logs claims through court tests and repeated independent audits, with ownership structures that don't create obvious conflicts of interest. On the other are heavily marketed providers with more revenue incentive, more complex ownership, and less external verification.
If your threat model is general surveillance — ISP monitoring, public Wi-Fi risks, basic location privacy — most audited providers will serve you adequately. If you're relying on a VPN for anything where your identity actually matters, the ownership question and the court-test record matter considerably more than the marketing does.
The full breakdown of which providers pass the trust tests covers how to evaluate the audit record, the ownership question, and what the court-test standard actually requires. The VPN comparison table lays out jurisdiction, audit history, Tor support, and price side by side. If you're thinking about routing VPN traffic through Tor — or wondering where traditional VPNs end and overlay networks begin — those questions have different answers depending on your threat model.
The providers that have demonstrated they can be trusted in 2026 have done so by not having data when the police came looking. That's a more reliable standard than any certification.
Last updated: April 2026. For the full timeline of the ExpressVPN acquisition, see What Happened to ExpressVPN.
