No-Log VPN (2026): What the Claim Actually Means and How to Verify It

A precise, honest guide to what 'no-log' means in VPN marketing, why most claims are unfalsifiable, and the operational practices that make a no-log posture credible — written by a VPN team that hasn't completed its first audit yet.

CasperVPN Team

May 10, 2026

Almost every commercial VPN markets itself as "no-log" or "zero-log." The phrase is so common it has lost most of its meaning. The category includes providers that genuinely retain nothing, providers that retain connection metadata but not browsing history, providers whose policies say one thing while their architecture quietly does another, and a small number whose internal practices have been examined by independent third parties.

This guide is written by CasperVPN. We are pre-launch. We have not yet completed an independent audit. We are deliberately publishing this guide in that posture, because we think the most useful thing a VPN can do for users is to be precise about what "no-log" actually means and what evidence supports it — including for our own product.

The Four Categories of VPN Logs

The word "log" hides four distinct categories. A provider can be no-log in one and still log in another. When evaluating a claim, ask about each one independently.

1. Activity Logs

What you do inside the tunnel: the websites you visit, the DNS queries you make, the apps that send traffic. This is the most invasive category. A VPN that retains this is functionally equivalent to an ISP — except a paid one.

No serious VPN in 2026 claims to keep activity logs. If a provider does keep them, it almost always shows up in a transparency report or court filing rather than in marketing copy.

2. Connection Metadata

When you connected, which server you connected to, how long the session lasted, how much data you transferred. This is the category where most "no-log" claims actually live or die. Many providers retain some of this — sometimes in aggregate, sometimes per-session — and the precise definition is buried in the privacy policy.

Connection metadata, even without activity data, can be enough to deanonymize users in adversarial scenarios. If a provider knows that a specific account was connected to a specific exit IP for a specific window, and an external party knows that a specific exit IP transmitted traffic to a specific destination at the same moment, the correlation is trivial. This is exactly the attack used in several high-profile deanonymization cases.

3. Authentication and Account Logs

The email or payment method you used to sign up, the device IDs you registered, the IP address you authenticated from. Almost every VPN keeps some of this — they have to, to operate accounts, send emails, and handle payments. The question is how long it is kept, whether it is linked to session data, and whether the provider accepts anonymous payment methods.

4. Diagnostic and Performance Logs

CPU usage on the server, bandwidth per port, crash reports from the client app, error rates per protocol. Almost all of this is benign in aggregate, but some implementations include per-connection identifiers that, if retained long enough, become connection metadata under a different name.

A precise "no-log" claim should be readable as: "We retain none of category 1, none of category 2, the minimum of category 3 required to operate accounts, and category 4 only in aggregate without per-session identifiers." Most marketing copy collapses this into "no logs," and the reader has no way to tell which categories the provider actually means.
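The four-way claim can be checked against an inventory of what a system persists by classifying each stream on the fields it holds rather than on its label. The Python below is an added example, not CasperVPN's code; the field names, category rules and sample inventory are constructed assumptions.

```python
# Added example: field names and the sample inventory are constructed for illustration.
DESTINATION = {"dns_query", "dst_ip", "sni", "url"}      # category 1 signals
IDENTIFIER = {"account_id", "session_id", "peer_pubkey", "client_ip"}
SESSION_ATTR = {"timestamp", "connected_at", "duration_s", "server_id", "bytes"}
NAMES = {1: "activity", 2: "connection metadata", 3: "account", 4: "diagnostic"}

def effective_category(fields):
    """Classify a record by what its fields reveal, not by the stream's label."""
    f = set(fields)
    if f & DESTINATION:
        return 1
    if f & IDENTIFIER and f & SESSION_ATTR:
        return 2   # who + when/where/how much = per-session metadata
    if f & IDENTIFIER:
        return 3
    return 4       # no identifier at all: aggregate only

def audit(inventory):
    """Return (stream, declared, effective) for every persisted stream that
    breaks the claim: none of 1, none of 2, and 4 without identifiers."""
    findings = []
    for s in inventory:
        if s["retention_days"] == 0:
            continue                      # generated and discarded, never stored
        eff = effective_category(s["fields"])
        if eff in (1, 2) or (s["declared"] == 4 and eff != 4):
            findings.append((s["name"], NAMES[s["declared"]], NAMES[eff]))
    return findings

INVENTORY = [  # constructed sample
    {"name": "accounts", "declared": 3, "retention_days": 365,
     "fields": ["account_id", "email", "password_hash"]},
    {"name": "server_metrics", "declared": 4, "retention_days": 30,
     "fields": ["server_id", "timestamp", "cpu_pct", "bandwidth_bps"]},
    {"name": "protocol_errors", "declared": 4, "retention_days": 14,
     "fields": ["server_id", "timestamp", "session_id", "error_code"]},
    {"name": "live_sessions", "declared": 2, "retention_days": 0,
     "fields": ["account_id", "server_id", "connected_at"]},
]

if __name__ == "__main__":
    for name, declared, effective in audit(INVENTORY):
        print(f"{name}: declared {declared}, effectively {effective}")
```

The only finding is the error stream: it is labelled diagnostic, but its `session_id` next to a server and timestamp makes it connection metadata under a different name.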

Policy vs Architecture

A privacy policy is a promise. Architecture is what the system actually does.

You can write a privacy policy that says "we keep no logs" while running a VPN server that writes to /var/log/wireguard for forensic purposes. You can also run a server with logging fully disabled at the kernel level and have a privacy policy that, due to legal counsel hedging, still mentions retention windows.

The two questions you should be asking, in order, are:

  • What does the architecture make possible? Can the operator, if asked or compelled, produce a record of who connected to what server and when? If the answer is "yes, those records exist," the no-log claim is conditional on operator restraint. If the answer is "no, those records do not exist anywhere in the system," the claim is structural.
  • What does the policy promise? A clear, jurisdiction-specific privacy policy that itemizes the four log categories and specifies retention windows is more useful than a generic "we never log anything."

Architecture beats policy. A provider whose architecture genuinely cannot produce session records is in a stronger position than a provider whose policy promises not to look at the session records it does have.
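The difference between a conditional and a structural claim shows up when the same lookup is run against two persistence designs. The Python below is an added example, not CasperVPN's code; the session tuples, addresses and function names are constructed assumptions.

```python
# Added example: constructed sessions (account, exit_ip, start, end, bytes);
# times are epoch seconds, addresses are documentation ranges.
SESSIONS = [
    ("acct-17", "203.0.113.9", 1000, 1600, 52_000),
    ("acct-42", "203.0.113.9", 1700, 2400, 8_000),
    ("acct-88", "198.51.100.4", 900, 2000, 91_000),
]

def persist_per_session(sessions):
    """Design A: one row per session is written to storage."""
    return [dict(account=a, exit_ip=ip, start=s, end=e, bytes=b)
            for a, ip, s, e, b in sessions]

def persist_aggregate(sessions):
    """Design B: only per-exit counters are written; account and times are dropped."""
    totals = {}
    for _account, ip, _start, _end, nbytes in sessions:
        row = totals.setdefault(ip, {"exit_ip": ip, "bytes": 0, "sessions": 0})
        row["bytes"] += nbytes
        row["sessions"] += 1
    return list(totals.values())

def compelled_lookup(rows, exit_ip, at):
    """Answer 'which accounts used this exit IP at time `at`?' from stored rows only."""
    hits = set()
    for r in rows:
        if r["exit_ip"] != exit_ip or "account" not in r:
            continue                       # nothing in this row names a user
        if r["start"] <= at <= r["end"]:
            hits.add(r["account"])
    return sorted(hits)

if __name__ == "__main__":
    for persist in (persist_per_session, persist_aggregate):
        rows = persist(SESSIONS)
        print(persist.__name__, compelled_lookup(rows, "203.0.113.9", 1200))
```

Design A returns one account, so its no-log claim depends on the operator declining to run the query; design B returns nothing because the stored rows have no account or time column to search.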

    What an Independent Audit Actually Verifies

    Independent no-log audits are the only third-party signal that meaningfully validates a claim. They are also widely misunderstood.

    An audit does not prove a provider keeps no logs forever. It does the following, scoped to the audit period and the systems examined:

  • Reviews server configurations on a sample of production servers.
  • Inspects logging-related code in the VPN server software and the management plane.
  • Examines retention policies in databases and log aggregation systems.
  • Interviews engineering staff about operational practices.
  • Tests scenarios where logs might be created (debugging modes, error conditions, support requests).

    A reputable audit firm — Cure53, KPMG, PricewaterhouseCoopers, Securitum, Leviathan — publishes a report with scope, methodology, findings, and a date. The report is then either published in full or summarized in a public statement.

    The most common gaps in audited no-log claims:

  • Scope. An audit that covers only the iOS client tells you nothing about the server fleet. Read the scope section before reading the conclusions.
  • Snapshot vs continuous. Most audits are point-in-time. The provider may have been compliant on audit day and changed configurations the next week. Repeat audits matter.
  • Methodology. A code review of logging functions is different from a live system inspection. A live system inspection is different from a packet capture during real user sessions.

    A provider that has been audited multiple times, by multiple firms, with public reports of broad scope, is in a strong position. A provider that says "audited" without a published report, or with a single narrow-scope audit several years old, is making a weaker claim than the marketing implies.

    How to Evaluate a No-Log VPN Without an Audit

    Most VPNs in 2026 have either no audit or a single audit. If you are evaluating a provider in that position — including, for transparency, CasperVPN as of this writing — the evidence available to you is:

    Privacy Policy Specificity

    Read the actual document. Look for the four log categories explicitly addressed. Look for retention windows in days, not "minimum necessary." Look for the legal jurisdiction the provider operates in and what that jurisdiction can compel.

    Jurisdiction

    A no-log claim is only as strong as the legal environment around it. Providers in 14-Eyes jurisdictions can be compelled to begin logging a specific account going forward, regardless of their default policy. Some jurisdictions explicitly require ISPs and VPNs to retain metadata; others do not. The combination of jurisdiction and policy matters more than either alone.

    Architectural Disclosures

    Some providers publish architecture documentation: what server roles exist, what data flows where, what is stored in databases versus generated and discarded. This material is not a substitute for an audit, but it lets a technically literate user assess whether the no-log claim is plausible at the design level.

    Transparency Reports

    Has the provider received subpoenas, warrants, or data requests? What did they produce? A provider that has responded to legal process and has nothing to hand over is making a much stronger empirical claim than one that has never been tested. Look for warrant canaries and transparency reports updated within the last 12 months.

    Server Infrastructure

    RAM-only servers — servers that hold no persistent disk — make some categories of logging structurally difficult. They do not eliminate all logging surfaces (network-level captures, management-plane databases), but they materially raise the bar. Whether a provider runs RAM-only is verifiable from infrastructure disclosures and, sometimes, from third-party audits.

    Source Availability

    A provider whose VPN client is open source can be examined by the public for hidden telemetry. The server-side is rarely open, but client transparency is meaningful for a category of logging that happens on your own device.

    What CasperVPN Currently Does

    We are publishing this guide in the same posture we expect users to bring to any provider: skeptical, precise, and evidence-based.

    As of 2026-05-11, the state of CasperVPN's no-log posture is:

  • Activity logs: Not retained. The VPN protocol implementations on our servers (WireGuard, OpenVPN, and our proprietary CasperCloak obfuscation layer, which is live in production) operate without writing session content to disk.
  • Connection metadata: Per-session metadata is not retained beyond the session. Aggregate counters (total bandwidth per server, peer count) exist for capacity planning and do not link to individual accounts.
  • Authentication logs: Account email, hashed password, subscription state, and the most recent IP used to authenticate are retained as long as the account is active, then deleted on account deletion. We do not link the authentication IP to session activity.
  • Diagnostic logs: Server-level performance metrics are aggregated. Client-side crash reports are opt-in and stripped of personal identifiers.
  • Audit status: Zero completed audits as of 2026-05-11. A third-party audit is planned post-launch; the firm has not yet been engaged. We are evaluating multiple firms, including Cure53, but no engagement is signed.

    We are publishing the audit status this directly because the alternative — vague "we never log anything" marketing — is the pattern that has eroded trust in the no-log category across the industry. We will publish a clear, dated statement when an audit firm is engaged, and the full audit report when it is complete.

    How No-Log Compares Across Providers in 2026

    A high-level comparison of how the leading VPN providers position their no-log claims. Categories are policy claims, not third-party verified facts unless explicitly noted.

    | Provider | Activity Logs | Connection Metadata | Most Recent Audit | Jurisdiction |
    |---|---|---|---|---|
    | CasperVPN | None | None retained beyond session | None yet (post-launch planned) | Lebanon — outside 14-Eyes |
    | NordVPN | None claimed | None claimed | Deloitte (2023, scoped) | Panama |
    | ExpressVPN | None claimed | None claimed | KPMG / PwC (multi-year) | British Virgin Islands |
    | ProtonVPN | None claimed | None claimed | Securitum (2024) | Switzerland |
    | Mullvad | None claimed | None claimed | Cure53 (multi-year) | Sweden |
    | Surfshark | None claimed | None claimed | Deloitte (2023) | Netherlands |

    Audit recency, scope, and jurisdiction all matter independently. A multi-year audit cadence is a stronger signal than a single audit several years ago. A jurisdiction outside surveillance alliances is a stronger signal than a permissive policy inside one.

    The Practical Recommendation

    If you need a VPN today and your threat model genuinely requires a verifiable no-log posture — journalism, activism, certain regulatory or legal contexts — choose a provider with multiple independent audits, recent (within 24 months), broad scope, and a jurisdiction outside 14-Eyes. Mullvad and ProtonVPN are the clearest examples in 2026.

    If your threat model is more typical — ISP snooping, public Wi-Fi protection, geographic content access, general privacy hygiene — a provider with strong architectural disclosures and clear policy specificity is sufficient, even without a multi-year audit cadence.

    If you are evaluating a newer provider, including us, the question to ask is not "do you log?" — every marketing page says no. The questions are: can your architecture log; what does your policy say in detail; what jurisdiction governs you; and when can users expect a public audit?

    What to Watch For

    The next two years in the no-log category will be defined by three things:

  • Audit cadence becoming standard. The leading providers have moved from one-time audits to annual or biennial cycles. The category is moving in this direction; providers without a published cadence will be at an increasing disadvantage.
  • Scope expanding past server fleet. Modern audits cover the management plane, the client applications, and the support infrastructure — not just the VPN servers. Audit reports that limit themselves to server configurations are becoming a weaker signal.
  • Architectural transparency. RAM-only servers, open-source clients, public infrastructure documentation, and detailed flow diagrams are becoming differentiators. Providers that lean on policy claims without architectural evidence will face increasing skepticism.

    We will publish updates to this guide as our own audit posture changes. The plan is a third-party audit post-launch, full report publication, and a documented cadence after that. We will state the date that engagement is signed when it is signed.

    Last reviewed 2026-05-11. CasperVPN is pre-launch as of this date. Audit status, jurisdiction, and policy details will be updated in line with our published transparency cadence.