From the article:
| VPN | HQ & Eyes Alliance | Latest Independent Audit | Real-World Test | Retention Verdict* |
|---|---|---|---|---|
| ExpressVPN | British Virgin Islands (no data-retention laws) | KPMG ISAE 3000 Type I, Feb 2025 (ExpressVPN) | Split-tunnelling DNS leak disclosed Feb 2024 (patched) | Gold-standard. RAM-only fleet, annual audits, BVI jurisdiction. |
| NordVPN | Panama | Deloitte 5th audit, Dec 2024 (NordVPN) | 2018 server breach – no logs leaked | Regular audits and positive breach outcome. |
| Surfshark | Netherlands (9-Eyes) | Deloitte, Jan 2023 (Surfshark) | TunnelCrack Wi-Fi leak (Aug 2023) → patched in <7 days. | Strong audit hygiene but concerning jurisdiction. |
| Proton VPN | Switzerland | Securitum, Apr 2024 (securitum.com) | N/A | Open-source clients + Swiss privacy laws. |
| Mullvad | Sweden (14-Eyes) | Assured AB config audit 2023 | Swedish police raid Apr 18 2023 left empty-handed (Mullvad VPN) | Minimal-data design proven in the wild. |
| Private Internet Access | USA (5-Eyes) | Deloitte, Apr 2024 (Private Internet Access) | Multiple US subpoenas produced no logs | Paper-trail-verified despite US HQ. |
| CyberGhost | Romania (EU, outside Eyes) | Deloitte, May 2024 (CyberGhost VPN) | N/A | Second audit boosts trust. |
| TunnelBear | Canada (5-Eyes) | Cure53 7th audit, Dec 2023 (TunnelBear: Secure VPN Service) | N/A | Longest unbroken audit streak. |
| Windscribe | Canada (5-Eyes) | Cure53 server image audit 2022 | 2025 Greek/Canadian court case upheld no-logs stance (Tom’s Guide) | Policy tested – passed. |
| Hotspot Shield | USA (5-Eyes) | Performance/security review by AV-Test only; no dedicated no-logs audit (vpnMentor) | AV-TEST performance audit only; no no-logs audit to date. (CVE Details) | Speed king, privacy laggard. |
Archived links:
They lost me at calling ExpressVPN the gold standard. Even their audit is bs. KPMG is the same company that provides the “always-on” audit to PureVPN.
Any article that still uses the “eyes” as a factor in their evaluation is a massive red flag. Very public intelligence alliances are the least of your worries.
I had not read about this criticism of KPMG before. For the benefit of other readers, I found this other forum post from March 2025 where commenters question the worthiness of the KPMG audit for PureVPN. For my own part, I’m not sure I understand what an audit that’s acceptable to privacy communities would look like. If somebody can elaborate on this, I would appreciate it.
Audit providers just like VPN providers come in a wide variety of quality.
Its hard to point out specifics of what makes a good audit as most people don’t, and have no need to, understand the technical details of the audit and just go off its summary.
Another difficulty is just like most VPN providers, there just isn’t much info provided about Auditors or the auditing process.
A few have well known reputations…
KPMG is a low quality provider. Any auditing company that provides an “always-on” service is not being serious.
Cure53 is a high quality provider.
I’d imagine it would be very difficult to audit a VPNs privacy, since most at least have a veneer of privacy and the auditor won’t have nearly the same pull or resources as a state actor
Expressvpn, pia and cyber ghost are owned by kape technologies
For the unaware: Kape has a history of bundling malware into software that they have purchased. Like they’ll buy out an existing piece of software, then bundle malware into updates for that purchased sodtware. I remember a lot of PIA users fled when Kape bought it a while ago. PIA hasn’t had any bad updates yet, but it’s still putting a lot of trust into a company with a rocky history.
Notably, PIA is one of the few VPNs that still provides port forwarding. Most VPNs dropped port forwarding support a while ago.
Yes, here are some non kape vpn services with port forwarding for the people reading along:
Air, proton, ivpn, windscribe.
VPN services are targeted at different user bases and have different features. It would be unwise to rely on one service for wildly different uses like browsing, bypassing edge devices, p2p, hosting, location spoofing, etc.
The only gold standard here, is this article being the gold standard for hand-wavy “truths”.
Such a load of BS. Mullvad is the only one so far that has not squealed.
The founder and CEO of redact (the site this is hosted) is Dan Saltman, a man so obsessed with online drama that he would side with Hitler if he went after Hasan.
There are also allegations that Dan has used redact to dox someone, though, I find this less substantiated.
CyberGhost is great if you support zionism and trust mossad.
Well that was pretty useless
ExpressVPN is a Chinese govt aproved company… do all audits you want. You need trust. Audits doesn’t matter. They can change everything after. I trust IVPN and Mullvad
So i wouldn’t recommwnd them to anyone with people in china but i kind of trust them a little more for my use case now.
If you like one spy over another, be my guest. I think companies that spy are not worth it at all.
I don’t like them, but my threat profile is what it is, and that’s a thing when compromises need to be made.
Like i said; would not recommemd to any friend who knew people in china.
Any of them have port forwarding? Thought not…
Proton does… but you need to use a shell script to enable it on Linux. It’s easy enough and documented on their site, but it’s annoying. Mullvad does not, that’s why I moved away from them. Can’t speak for others
Proton is too fucking expensive.
Same price as Mullvad, about a fiver a month, if you buy a year at a time. Annoying that you have to buy a year upfront but works out to the same price
Paid for itself for a year in like 2-3 movies!
Do you know if Proton’s port forwarding times out and needs to be reconfigured every so often in the same way the other commenter mentions about Windscribe?
It’s pretty solid, but if you reconnect to a different server then you’ll likely have a different port number. There’s an add-on script for docker qbittorrent though that auto updates the port number.
I have it alias the external port to local port 2000 and point qbittorrent at 2000
For Linux it does timeout and basically just need to run a bash while loop to keep open. I’m not sure if windows is the same way, but from what I hear it’s more integrated.
Overall the port forwarding is not that big of a hassle on Linux. It’s an opt in feature and I just have bash aliases to enable the port forwarding when I need it.
Same
Windscribe, although unless you pay an extra $2/month they time out and need to be reconfigured after one week.
i use windscribe and mullvad at this point but their android apps are so useless :(
i also hate how expressvpn is the only one i found that does auto connect by wifi network
I’ve had windscribe for a few years and love it! Dirt cheap and pretty damn fast. Haven’t had any issues with their android app, but I rarely use it. What’s the issue with the windscribe app?
IVPN has this feature for iOS, iPadOS and macOS. I’m sure it would be in the android app too.
