VPN security checklist
The 12 points to check before choosing a VPN. Each one is an objective criterion you can verify independently of the provider's marketing claims.
1. Jurisdiction
Which country's laws is the VPN provider subject to?
Being outside the Five/Nine/Fourteen Eyes intelligence-sharing alliances (for example Panama, Switzerland, Romania, the British Virgin Islands) generally means less legal exposure. US- or UK-based providers can be served with court orders and, in the US, gag orders, even if they keep no logs. Two caveats: jurisdiction only limits what a provider can be compelled to hand over, so it matters less than whether the data exists at all (see point 3), and every server is also subject to the law of the country it physically sits in, whatever the company's home jurisdiction.
2. Proof of independent audits
Has the no-logs claim been verified by a third party?
There should be a report from a recognized audit firm such as Deloitte, KPMG, Cure53, Securitum or Assured AB, and the full report (or at least its scope statement) should be available, not just a press release. A one-off audit isn't enough, because an audit only attests to the configuration the auditors inspected on a given date; repeated audits are preferable. NordVPN's series of audits (PwC, then Deloitte) is the usual reference point. Check the scope as well: a client-app penetration test is not a no-logs audit of the server infrastructure.
3. No-logs policy
What kind of logs does the provider keep?
Ideally none of the following is stored: visited sites or domains (activity logs), your real IP address, the VPN IP you were assigned, connection timestamps and session duration, and bandwidth used (connection logs). The provider needs only what the account requires (email, payment reference) and should state what aggregate or crash-report data the apps send, since that is where logging tends to creep back in.
4. Encryption standard
Which encryption algorithm and key length?
AES-256-GCM is the industry standard for OpenVPN and IKEv2; WireGuard uses ChaCha20-Poly1305, which is equally strong and faster on devices without AES hardware acceleration. Both are authenticated ciphers (AEAD), which matters more than the headline key length. Also check the key exchange: ephemeral keys (perfect forward secrecy) mean a compromised long-term key does not decrypt past sessions. Avoid providers still offering PPTP (its MS-CHAPv2 authentication is broken) or L2TP/IPsec secured with a pre-shared key published on the provider's website.
5. Protocol options
Which VPN protocols does it support?
Minimum: WireGuard or a WireGuard-based protocol (NordVPN's NordLynx, which adds a double-NAT layer so the server does not keep a fixed per-user tunnel IP). An OpenVPN option (UDP and TCP) is worth having for networks that block UDP or WireGuard's port. Rule out anyone offering only legacy protocols (PPTP, L2TP).
6. DNS leak protection
Where do DNS queries go while the VPN is active?
They should go to the VPN provider's own resolvers, through the tunnel. If they reach your ISP's resolver (usually via your home router, which sits on the LAN outside the tunnel), the ISP sees every domain you look up even though the traffic itself is encrypted. Common causes: the client does not override the system resolver, IPv6 DNS is left untouched while only IPv4 is tunnelled, or a split-tunnel rule lets LAN traffic bypass the VPN. Leak test: dnsleaktest.com. On Linux, also look at /etc/resolv.conf (or resolvectl status when it only lists the 127.0.0.53 stub).
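The check above can also be done locally, before trusting a web-based leak test. The following script is an added example, not code from the page or from any VPN provider: it parses a resolv.conf body and compares each nameserver with the resolver the VPN is expected to push. The provider resolver (10.64.0.1), the tunnel range (10.64.0.0/10) and the three sample resolv.conf texts are assumptions constructed for the example.

```python
"""Offline DNS-leak check for a VPN client.

Added example, not code from the page or any provider. Assumptions
(constructed for this example): the provider's resolver is 10.64.0.1, the
tunnel's address range is 10.64.0.0/10, and the sample resolv.conf bodies
below are made up rather than captured from a real system.
"""
import ipaddress

VPN_DNS = ["10.64.0.1"]         # assumption: resolver pushed by the VPN
TUNNEL_NETS = ["10.64.0.0/10"]  # assumption: address range of the tunnel


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body, in order.
    Comments (# or ;) and entries that are not IP addresses are ignored."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:  # not an IP literal
                continue
    return servers


def classify(ip, vpn_dns, tunnel_nets):
    """Verdict for one resolver:
    ok          - the VPN's resolver, or any address inside the tunnel range
    stub        - loopback (systemd-resolved's 127.0.0.53): the real upstream
                  is hidden here and must be read from 'resolvectl status'
    leak        - a LAN or link-local address (home router, fe80::1): reached
                  on the physical interface, so the query ends up at the ISP
    third-party - a public resolver: not the ISP, but queries leave the VPN's
                  DNS, and bypass the tunnel entirely if the client does not
                  route them through it (typical for an untouched IPv6 resolver)
    """
    if ip in vpn_dns or any(ip in net for net in tunnel_nets):
        return "ok"
    if ip.is_loopback:
        return "stub"
    if ip.is_private or ip.is_link_local:
        return "leak"
    return "third-party"


def check_resolv_conf(text, vpn_dns=VPN_DNS, tunnel_nets=TUNNEL_NETS):
    """Return [(address, verdict), ...] for every resolver in the file."""
    dns = {ipaddress.ip_address(a) for a in vpn_dns}
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    return [(str(ip), classify(ip, dns, nets)) for ip in parse_resolv_conf(text)]


def has_leak(results):
    """True if any resolver is not the VPN's (a stub counts, since it hides the
    upstream). One bad entry is enough: glibc tries nameservers in order and
    systemd-resolved may query several in parallel, so any of them can be used."""
    return any(verdict != "ok" for _, verdict in results)


# Constructed sample files (assumptions, not captured from a real system).
LEAKY = "nameserver 192.168.1.1\nnameserver 2606:4700:4700::1111\n"
CLEAN = "# Generated by the VPN client\nnameserver 10.64.0.1\n"
STUB = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN), ("stub", STUB)):
        res = check_resolv_conf(body)
        print(name, res, "LEAK" if has_leak(res) else "ok")
```

On a real machine, feed it the contents of /etc/resolv.conf and replace VPN_DNS and TUNNEL_NETS with the values your client actually pushes (visible in the interface configuration after connecting). The stub case is the one people miss: a file listing only 127.0.0.53 proves nothing either way, because systemd-resolved decides the upstream per interface.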
7. Kill switch
What happens if the VPN connection drops?
A kill switch blocks all internet traffic whenever the tunnel is down, so neither your real IP nor your DNS queries leave the physical interface. It should be enforced at the firewall level for the whole system (a default-deny rule that only allows traffic to the VPN server and through the tunnel interface), not by merely closing particular apps, and it should also cover IPv6 and the window between boot and the tunnel coming up. A per-app kill switch leaves every other process, including the OS resolver, free to talk to the network.
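What "firewall level, whole system" means in practice is a ruleset like the one below. This is an added example, not code from the page or any provider: it generates an nftables policy for a system-wide kill switch and includes a small evaluator that mirrors the output chain, so the policy can be checked offline against sample packets. The interface names (wg0, eth0), the endpoint 203.0.113.10 on UDP 51820 (a documentation address) and the LAN 192.168.1.0/24 are assumptions.

```python
"""System-wide VPN kill switch as an nftables policy, plus an evaluator that
mirrors the output chain so the policy can be checked offline.

Added example, not code from the page or any VPN provider. Assumptions
(constructed): tunnel interface wg0, physical interface eth0, provider
endpoint 203.0.113.10 on UDP 51820 (documentation address), LAN 192.168.1.0/24.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class KillSwitch:
    tun: str = "wg0"                 # assumption: tunnel interface name
    phys: str = "eth0"               # assumption: physical uplink
    endpoint: str = "203.0.113.10"   # assumption: VPN server address
    port: int = 51820                # assumption: VPN server UDP port
    lan: str = "192.168.1.0/24"      # assumption: local network to keep reachable


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet would leave on
    dst: str      # destination address, IPv4 or IPv6
    proto: str    # "udp" or "tcp"
    dport: int = 0


def nft_ruleset(cfg: KillSwitch) -> str:
    """nftables text implementing the kill switch. The 'inet' family makes the
    drop policy apply to IPv6 too, so an IPv6 route around the tunnel is
    dropped instead of leaking. Load with: nft -f killswitch.nft"""
    return f"""table inet killswitch {{
    chain output {{
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "{cfg.tun}" accept
        oifname "{cfg.phys}" ip daddr {cfg.endpoint} udp dport {cfg.port} accept
        oifname "{cfg.phys}" udp dport 67 accept
        oifname "{cfg.phys}" ip daddr {cfg.lan} accept
    }}
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "{cfg.tun}" accept
        iifname "{cfg.phys}" ip saddr {cfg.endpoint} udp sport {cfg.port} accept
        iifname "{cfg.phys}" udp sport 67 accept
        iifname "{cfg.phys}" ip saddr {cfg.lan} accept
    }}
}}
"""


def egress_allowed(pkt: Packet, cfg: KillSwitch) -> bool:
    """Mirror of the output chain above: True if the ruleset would let pkt out."""
    if pkt.iface == "lo" or pkt.iface == cfg.tun:
        return True
    if pkt.iface != cfg.phys:
        return False                      # any other interface: policy drop
    dst = ipaddress.ip_address(pkt.dst)
    if (dst == ipaddress.ip_address(cfg.endpoint)
            and pkt.proto == "udp" and pkt.dport == cfg.port):
        return True                       # the tunnel's own encrypted transport
    if pkt.proto == "udp" and pkt.dport == 67:
        return True                       # DHCP renewals keep the uplink alive
    if dst in ipaddress.ip_network(cfg.lan):
        return True                       # printer, router admin page, etc.
    return False                          # tunnel down, app retrying on eth0


if __name__ == "__main__":
    cfg = KillSwitch()
    print(nft_ruleset(cfg))
    probe = Packet("eth0", "8.8.8.8", "udp", 53)   # DNS with the tunnel down
    print("leaks:", egress_allowed(probe, cfg))    # False
```

The LAN exception is a deliberate trade-off and interacts with point 6: if the system resolver is the home router (192.168.1.1), the LAN rule lets DNS out on eth0 even though everything else is blocked, so either drop that rule or make sure the resolver is the provider's. Real clients implement the same shape, either with interface matching as here or with WireGuard's fwmark, as wg-quick's documentation shows; the point to verify for any provider is that the default policy is drop and the only holes are the endpoint and the tunnel.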
8. RAM-only server infrastructure
How do the servers run?
Top-tier providers (NordVPN, ExpressVPN, Surfshark) run their servers from RAM with no persistent disk: a reboot or power cut wipes everything on the box, so nothing survives a seizure. This is not the same as proof of no logging, though. Data can still be written to RAM and shipped off the server while it is running, so RAM-only infrastructure complements an audited no-logs policy rather than replacing it.
9. Open-source clients
Is the VPN app's code public?
Open-source clients let independent security researchers review the code, so backdoors or vulnerabilities can be found. Proton VPN, Mullvad and PIA publish the source of all their clients; ExpressVPN has open-sourced its Lightway protocol, not its full apps. Public source only helps if the build you install matches it, so also look for signed releases and, better, reproducible builds.
10. Device limit
How many devices can you use on one subscription?
For families or multi-device setups, 5 simultaneous connections is the minimum. Surfshark offers unlimited; NordVPN 10, ExpressVPN 8. Mullvad has a 5-device limit. A router running the VPN client counts as one device and covers everything behind it, which is the usual way around a low limit.
11. Court evidence (if any)
Has the no-logs claim been tested in a legal case?
Very few providers have this track record. PIA's no-logs claim held up in US federal cases in 2016 and 2018: served with legal demands, it had no usable data to hand over. ExpressVPN could not produce any data when one of its servers in Türkiye was seized by the authorities in 2017. This is the strongest level of evidence, stronger than an audit, because the claim was tested under compulsion rather than by invited inspection.
12. Pricing transparency
Is the renewal price clear?
Most providers use a 'cheap intro period, expensive renewal' model. Knowing the renewal price up front matters, so you don't get hit with a surprise bill. Mullvad charges a flat monthly price with no introductory discount and no renewal trap.
How to use this list
When picking a VPN, verify these 12 points on the provider's own site, in audit reports and in independent reviews. Our reviews already apply these criteria — to see our own ranking, visit the top 10 VPNs page.