VPN Audits Explained: What 'Independently Audited' Actually Means (Spoiler: Not Much)

Every VPN now claims to be “independently audited.” NordVPN, ExpressVPN, Surfshark - they all wave audit reports like they’re get-out-of-jail-free cards.

Here’s what they hope you don’t realize: An audit only proves what the auditor was hired to check, during the specific time they checked it, on the specific servers they looked at. That’s it.

“Audited” does not mean “no logs.” “Audited” does not mean “we can’t see your traffic.” “Audited” does not mean “you’re safe.”

This article will teach you:

  • What VPN audits actually check (and what they don’t)
  • How to read audit scope language (the fine print VPNs hope you skip)
  • Which audits are meaningful vs. marketing theater
  • The questions you should ask before trusting any audit claim

Commission disclosure: This article recommends Mullvad ($0, no affiliate program) and ProtonVPN (~$25/sale). Most VPNs with flashy audits pay $60-150/sale. I’m not recommending them.

30-Second Reality Check

What VPN audits CAN prove:

  • Code has no obvious backdoors (at time of audit)
  • Specific servers inspected had no logs (at time of audit)
  • Privacy policy matches technical implementation (at time of audit)

What VPN audits CANNOT prove:

  • No logs exist on ANY server (auditors check samples, not everything)
  • No logs will exist tomorrow (point-in-time, not continuous)
  • The company can’t create logs if pressured
  • VPN doesn’t keep metadata (connection times, bandwidth, etc.)
  • VPN won’t cooperate with authorities despite claims

The real test: Has the VPN been subpoenaed or raided, and did they have nothing to hand over? That’s the only audit that matters.

The “Independently Audited” Marketing Lie

What VPNs want you to think: “We hired independent auditors and they verified we keep zero logs. You’re completely safe.”

What actually happened:

  1. VPN hired and paid an auditing firm
  2. VPN defined the scope of what would be checked
  3. Auditors checked only what VPN told them to check
  4. Auditors checked only the servers VPN gave them access to
  5. Auditors checked only during the time period agreed upon
  6. Auditors found “no evidence” of the things they were asked to look for
  7. VPN turned this into “VERIFIED NO-LOGS POLICY”

See the problem?

It’s like a restaurant paying an inspector to check only the dining room, then advertising “Health Department Verified!” while the kitchen remains uninspected.

The Three Types of VPN Audits

Not all audits are created equal. Understanding the types helps you spot the bullshit.

Type 1: Infrastructure Audit

What it checks:

  • Server configurations
  • Whether logging is disabled in server settings
  • RAM-only server claims
  • Network architecture

What it proves:

  • At the specific servers inspected, at the time of inspection, logging appeared to be disabled in the configurations examined

What it doesn’t prove:

  • All 5,000+ servers are configured the same way
  • Logging can’t be enabled remotely
  • No logging happens at the data center level
  • The VPN company doesn’t have other ways to collect data

Example: NordVPN’s PwC audit checked a “sample” of servers. What percentage of their 5,000+ servers? They don’t say. Could be 10, could be 100. You don’t know.

Type 2: Code Audit

What it checks:

  • Application source code
  • Whether the VPN app has tracking or logging built in
  • Security vulnerabilities
  • Data collection mechanisms in the software

What it proves:

  • The version of the code reviewed didn’t have obvious tracking
  • Security experts found no major vulnerabilities (at time of audit)

What it doesn’t prove:

  • The code on your device matches what was audited
  • Future updates won’t add tracking
  • Server-side code (which you never see) is clean
  • Browser extensions have the same scrutiny

Example: ExpressVPN’s Cure53 audit reviewed their apps. But the audit explicitly states it covered “the client applications” - not the server infrastructure, not the backend systems, not the browser extensions.

Type 3: Policy Audit

What it checks:

  • Whether the privacy policy matches technical implementation
  • Whether no-logs claims are technically accurate
  • Whether data handling procedures are followed

What it proves:

  • At the time of audit, the policy appeared consistent with the technical setup inspected

What it doesn’t prove:

  • The policy is actually followed day-to-day
  • Employees can’t access data if they wanted to
  • Law enforcement requests haven’t changed practices
  • The company’s legal obligations don’t override the policy

Example: KPMG audited ExpressVPN’s TrustedServer claims. The scope was specifically “assessing the consistency of ExpressVPN’s TrustedServer technology against its stated claims.” That’s policy vs. implementation - not “no logging exists anywhere.”

How to Actually Read an Audit Report

VPNs link to audit reports hoping you’ll see “audit complete” and stop reading. Don’t.

Step 1: Find the Scope Section

Every audit report has a scope section. This tells you exactly what the auditors were allowed to examine.

Red flags in scope:

  • “Sample of servers” (not all servers)
  • “During the audit period” (point-in-time, not continuous)
  • “Provided by the client” (VPN controlled what auditors saw)
  • “Limited to” (everything NOT listed wasn’t checked)

Example scope language from real audits:

NordVPN (PwC):

“Our procedures were performed on a sample basis…”

Translation: We didn’t check everything.

ExpressVPN (Cure53):

“The assessment covered the client applications…”

Translation: Server infrastructure wasn’t part of this audit.

Step 2: Check the Time Frame

Question to ask: When was this audit performed, and how old is it?

Red flags:

  • Audit older than 2 years (a lot changes)
  • No clear date specified
  • “Annual audit” but no 2026/2026 report

Technology and infrastructure change. An audit from 2021 doesn’t tell you much about 2026 practices.

Step 3: Look for Specific Exclusions

Good audits explicitly state what was NOT examined. If an audit doesn’t mention exclusions, assume everything important was excluded.

Common exclusions (often buried in footnotes):

  • Browser extensions
  • Server-side logging
  • Third-party infrastructure (data centers)
  • Employee access controls
  • Backup systems
  • Metadata (connection timestamps, etc.)

Step 4: Identify the Auditor

Not all auditing firms are equal:

Tier 1 (Actually credible):

  • Cure53 - Specializes in security, known for thorough work
  • F-Secure - Legitimate security company
  • PwC (for infrastructure) - Big 4 accounting firm with security practice

Tier 2 (Okay but less specialized):

  • Deloitte, KPMG, EY - Big 4, good for policy, less security-focused

Red flags:

  • Unknown auditing firm
  • Auditing firm in same country as VPN (easier pressure)
  • “Self-certified” or “internal audit”
  • Audit by company that also does VPN’s marketing

Step 5: Read the Actual Findings

What auditors typically say:

“We found no evidence of…”

What this actually means: “We looked where we were told to look and didn’t see the thing we were looking for during the time we were looking.”

What it doesn’t mean: “This thing definitely doesn’t exist anywhere, ever.”

The phrase “no evidence” is very different from “confirmed absence.”

Real Audit Examples Analyzed

Let me show you how to read some actual VPN audits critically.

NordVPN - PwC Audit (2020, 2021, 2022)

What NordVPN says:

“Our no-logs policy has been independently audited by PwC”

What the audit actually covered:

  • Sample of servers (unknown percentage of 5,500+ servers)
  • Server configurations in the Netherlands
  • Policy vs. technical implementation check

What was NOT covered (per audit scope):

  • All global servers
  • Real-time monitoring of actual traffic
  • Data center logging (outside NordVPN control)
  • Metadata handling
  • Employee access controls

Key quote from PwC report:

“We performed inquiry and inspection procedures on a sample basis”

Translation: We asked questions and looked at some things. Not everything.

Verdict: Better than nothing, but “independently audited” oversells what was actually verified.

ExpressVPN - Cure53 Audit

What ExpressVPN says:

“Our apps have been independently verified by Cure53”

What the audit actually covered:

  • Desktop and mobile application code
  • TrustedServer technology claims (separate KPMG audit)
  • Security vulnerabilities

What was NOT covered:

  • Server infrastructure globally
  • Browser extensions (ExpressVPN has browser extensions)
  • Backend logging systems
  • Third-party data center practices

Key limitation: The Cure53 audit was a code audit. It verified the apps don’t have obvious backdoors. It did NOT verify no logging happens on servers.

Verdict: Good security audit of apps. Not a “no-logs verification” despite how it’s marketed.

Mullvad - The Different Approach

What makes Mullvad different:

  1. Actual police raid in 2023: Swedish police showed up with a warrant. Mullvad had nothing to give them. Documented publicly.

  2. Open source clients: You can verify the code yourself.

  3. Cash payments accepted: No payment records for some customers.

  4. Annual Cure53 audits: But more importantly - tested by actual law enforcement.

Why the raid matters more than audits: An audit is a controlled test the VPN prepares for. A police raid is an unannounced test of whether no-logs claims are real.

Verdict: The only way to truly verify no-logs is to have authorities try to get logs and fail. Mullvad passed this test.

ProtonVPN - Open Source + Audit Approach

What ProtonVPN does:

  1. Open source apps: Anyone can audit the code, anytime.
  2. Swiss jurisdiction: Stronger privacy laws than most.
  3. Securitum audit (2023): Infrastructure and apps.
  4. No identifying info required: Sign up with email only, pay with Bitcoin.

Key difference from others: Open source means continuous community auditing, not just periodic paid audits.

Verdict: The open source approach is more verifiable than “trust our paid audit.”

The Audits That Actually Matter

There’s only one audit that truly verifies a no-logs claim:

A subpoena, warrant, or raid where authorities demanded data and the VPN had none to give.

VPNs That Have Been “Court Tested”

Mullvad (Sweden, 2023):

  • Police raid with warrant
  • Outcome: No customer data existed to seize

Private Internet Access (USA, multiple):

ExpressVPN (Turkey, 2017):

  • Turkish authorities seized server after ambassador assassination
  • Outcome: Server was RAM-only, no usable data
  • Note: This predates Kape Technologies acquisition

The Uncomfortable Truth

VPNs that have NOT been tested by authorities are making unverified claims, regardless of how many audits they wave around.

An audit says: “We looked and didn’t find logs.” A court case says: “Authorities demanded logs and the VPN couldn’t provide any.”

Which would you trust more?

Red Flags in VPN Audit Marketing

Red Flag #1: “Verified No-Logs Policy”

The problem: No auditor can “verify” a no-logs policy. They can only say they found no evidence of logging in the specific places they checked, at the specific time they checked.

Better language: “Audit found no evidence of logging on inspected servers.”

When you see “verified no-logs”: The VPN is overselling audit findings.

Red Flag #2: “Independent” Audit (That VPN Paid For)

The problem: The VPN hired the auditor. The VPN defined the scope. The VPN provided access. How “independent” is that really?

Better: Audits by organizations with reputation to protect (Cure53, F-Secure). Audits where scope is publicly documented.

Red flag: Unknown auditing firm, or audit from firm that also does VPN’s marketing.

Red Flag #3: Old Audit, New Claims

The problem: A 2020 audit doesn’t tell you about 2026 infrastructure. Companies change. Infrastructure changes. Policies change.

Better: Annual or at least bi-annual audits with published reports.

Red flag: Citing audits more than 2 years old without newer verification.

Red Flag #4: Audit Only Covers Apps

The problem: App audits verify the software doesn’t track you. Server audits verify the infrastructure doesn’t log you. These are DIFFERENT things.

Many VPNs have app audits but no server audits. They blur the distinction.

What you need: Both app audits AND infrastructure audits for meaningful verification.

Red Flag #5: No Public Audit Report

The problem: Some VPNs say “we’re audited” but don’t publish the report. Why? Maybe the scope was embarrassingly limited.

Better: Full audit report publicly available with clear scope section.

Red flag: “Trust us, we’re audited” without proof.

Questions to Ask Before Trusting Any VPN Audit

Before accepting an audit claim at face value, ask:

1. What exactly was audited?

  • Apps only? Servers only? Both?
  • Which servers? All of them? A sample?
  • What percentage of infrastructure was covered?

2. When was the audit?

  • Date of audit
  • Is there a more recent one?
  • How much has the company changed since?

3. What was explicitly NOT audited?

  • Metadata logging?
  • Data center level logging?
  • Employee access?
  • Backend systems?

4. Who performed the audit?

  • Reputable security firm?
  • Firm with reputation to protect?
  • Any conflicts of interest?

5. Has this VPN been tested by authorities?

  • Any documented court cases?
  • Any seizure attempts?
  • Did they have logs to provide?

6. Is the full audit report public?

  • Can you read the scope yourself?
  • Are limitations clearly stated?
  • Or do you just have to trust marketing?

What “No-Logs” Actually Means (and Doesn’t Mean)

What VPNs Want You to Think “No-Logs” Means

  • “We can’t see anything you do”
  • “No record of your activity exists anywhere”
  • “You’re completely anonymous”
  • “Even we can’t identify you”

What “No-Logs” Usually Actually Means

Best case (rare):

  • No activity logs (websites visited)
  • No connection logs (when you connected)
  • No IP logs (your real IP)
  • No bandwidth logs (how much data)
  • Server is RAM-only (no persistent storage)

Common case:

  • No activity logs (websites visited)
  • BUT connection timestamps logged
  • BUT bandwidth logged
  • BUT your account linked to payment
  • BUT server generates some metadata

Worst case (some “no-logs” VPNs):

  • They say “no logs” but define logs narrowly
  • Connection logs aren’t “activity logs” so they don’t count
  • They keep “anonymized” data that isn’t really anonymous
  • Fine print contradicts marketing claims

The Metadata Problem

Even VPNs that truly don’t log activity often log metadata:

  • When you connected
  • How long you were connected
  • How much data you used
  • Which server you used

This metadata can be used to identify users. If authorities know you visited X at 3:47 PM and the VPN has metadata showing you connected at 3:46 PM and transferred Y amount of data, that’s potentially identifying.

True no-logs means no metadata either. Few VPNs achieve this.
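To make the metadata point concrete, here is an added example (not from the original article) that walks a constructed set of retained session records through the same narrowing the paragraph describes: server, then time window, then bytes transferred. All account ids, servers and timestamps are made up; the point is how quickly "harmless" metadata collapses to one account, and that a provider retaining none of these fields has nothing to run this query against.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Session:
    """One retained metadata record: no activity log, but the fields many
    'no-logs' providers still keep (constructed sample schema)."""
    account: str            # pseudonymous id, still linkable to a payment
    server: str             # egress server the user exited from
    connected_at: datetime
    disconnected_at: datetime
    bytes_transferred: int


def at(hhmm: str) -> datetime:
    """Helper: clock time on a fixed constructed date."""
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample of what a metadata-retaining VPN might hold for one day.
SESSIONS = [
    Session("acct-1041", "se-sto-01", at("15:46"), at("16:30"), 812_000_000),
    Session("acct-2207", "se-sto-01", at("15:46"), at("15:52"),   4_100_000),
    Session("acct-3319", "nl-ams-02", at("15:47"), at("17:10"), 790_000_000),
    Session("acct-4480", "se-sto-01", at("13:10"), at("14:05"), 805_000_000),
    Session("acct-5532", "se-sto-01", at("15:40"), at("16:12"),  90_000_000),
]


def narrow(sessions, event_time, egress_server, approx_bytes, tolerance=0.05):
    """Return the candidate account set after each retained field is applied.

    A third party knows only: something happened at event_time, it exited
    from egress_server, and roughly approx_bytes moved. Each retained field
    shrinks the pool; with all three kept, one account is left.
    """
    steps = {}
    pool = list(sessions)
    steps["all sessions"] = {s.account for s in pool}

    pool = [s for s in pool if s.server == egress_server]
    steps["+ server"] = {s.account for s in pool}

    pool = [s for s in pool if s.connected_at <= event_time <= s.disconnected_at]
    steps["+ time window"] = {s.account for s in pool}

    lo, hi = approx_bytes * (1 - tolerance), approx_bytes * (1 + tolerance)
    pool = [s for s in pool if lo <= s.bytes_transferred <= hi]
    steps["+ bytes"] = {s.account for s in pool}
    return steps


if __name__ == "__main__":
    for label, accounts in narrow(SESSIONS, at("15:47"), "se-sto-01", 800_000_000).items():
        print(f"{label:15s} {len(accounts)} candidate(s): {sorted(accounts)}")
```

Each retained field is a filter; drop the field (no timestamps, no byte counters, RAM-only with nothing persisted) and the corresponding step cannot be applied at all.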

The Only VPNs Worth Trusting

Based on actual evidence (not just paid audits), here are VPNs with meaningful verification:

Mullvad - Highest Confidence

Why:

  • Court-tested (2023 Swedish raid)
  • Open source clients
  • No account system (just random number)
  • Cash payments accepted
  • Annual Cure53 audits

Commission: $0 (no affiliate program)

Limitation: Smaller server network than big VPNs.

ProtonVPN - High Confidence

Why:

  • Open source apps (continuous verification)
  • Swiss jurisdiction (strong privacy laws)
  • Securitum audit
  • No identifying info required to sign up

Commission: ~$25/sale

Limitation: Swiss law still requires compliance with valid legal requests, though standards are higher than most countries.

What About NordVPN, ExpressVPN, Surfshark?

My assessment:

They have audits. The audits are limited in scope. They haven’t been court-tested in ways that verify no-logs claims.

They also pay $60-150 per sale, which is why every YouTuber recommends them.

I’m not saying they’re logging you. I’m saying their “independently audited” claims oversell what was actually verified.

Verify This Yourself

Want to see the raw data behind my claims? Check out the data spreadsheets - technical details, ownership records, and more.

Don’t trust me. Verify everything:

Mullvad raid:

PIA court cases:

ExpressVPN Turkey incident:

NordVPN PwC audit:

ProtonVPN audits:

Read the actual audit reports. Don’t just read the VPN’s marketing summary. Look at the scope sections. See what was and wasn’t covered.

The Bottom Line

“Independently audited” is marketing, not verification.

Audits prove that specific things were checked and appeared okay during specific times. They don’t prove “no logs exist anywhere, ever.”

The only meaningful verification:

  1. Court cases where authorities couldn’t get logs
  2. Open source code you can verify yourself
  3. Police raids that found nothing

Before trusting any VPN’s audit claims:

  1. Read the actual audit report
  2. Check the scope section
  3. Note what was NOT covered
  4. Ask if this VPN has been court-tested
  5. Consider open source alternatives

My recommendations:

  • Mullvad - Court-tested, open source, I make $0
  • ProtonVPN - Open source apps, Swiss jurisdiction, I make ~$25

The expensive VPNs with flashy audits? They might be fine. Their audits just don’t prove what they claim to prove.


Legal Note: This article contains my analysis of publicly available audit reports and court documents. Opinions on what audits do and don’t prove are my interpretations based on reading the actual scope sections.

Affiliate disclosure: I make money from ProtonVPN (~$25/sale) and nothing from Mullvad because they have no affiliate program. VPNs like NordVPN and ExpressVPN pay $60-150/sale. I’m recommending the ones with better verification, not higher payouts.

The Angry Dev

Do NOT trust review sites. Affiliate commissions dictate their rankings. This is an affiliate site too, but I’m being honest about what I earn and I rank by quality instead of payout. Even if it means I get paid $0. Read about my approach and why I stopped bullshitting. Here’s the raw data so you can fact-check everything.
