From the article:
| VPN | HQ & Eyes Alliance | Latest Independent Audit | Real-World Test | Retention Verdict* |
|---|---|---|---|---|
| ExpressVPN | British Virgin Islands (no data-retention laws) | KPMG ISAE 3000 Type I, Feb 2025 (ExpressVPN) | Split-tunnelling DNS leak disclosed Feb 2024 (patched) | Gold-standard. RAM-only fleet, annual audits, BVI jurisdiction. |
| NordVPN | Panama | Deloitte 5th audit, Dec 2024 (NordVPN) | 2018 server breach – no logs leaked | Regular audits and positive breach outcome. |
| Surfshark | Netherlands (9-Eyes) | Deloitte, Jan 2023 (Surfshark) | TunnelCrack Wi-Fi leak (Aug 2023) → patched in <7 days. | Strong audit hygiene but concerning jurisdiction. |
| Proton VPN | Switzerland | Securitum, Apr 2024 (securitum.com) | N/A | Open-source clients + Swiss privacy laws. |
| Mullvad | Sweden (14-Eyes) | Assured AB config audit 2023 | Swedish police raid Apr 18 2023 left empty-handed (Mullvad VPN) | Minimal-data design proven in the wild. |
| Private Internet Access | USA (5-Eyes) | Deloitte, Apr 2024 (Private Internet Access) | Multiple US subpoenas produced no logs | Paper-trail-verified despite US HQ. |
| CyberGhost | Romania (EU, outside Eyes) | Deloitte, May 2024 (CyberGhost VPN) | N/A | Second audit boosts trust. |
| TunnelBear | Canada (5-Eyes) | Cure53 7th audit, Dec 2023 (TunnelBear: Secure VPN Service) | N/A | Longest unbroken audit streak. |
| Windscribe | Canada (5-Eyes) | Cure53 server image audit 2022 | 2025 Greek/Canadian court case upheld no-logs stance (Tom’s Guide) | Policy tested – passed. |
| Hotspot Shield | USA (5-Eyes) | Performance/security review by AV-Test only; no dedicated no-logs audit (vpnMentor) | AV-TEST performance audit only; no no-logs audit to date. (CVE Details) | Speed king, privacy laggard. |
Archived links:
Expressvpn, pia and cyber ghost are owned by kape technologies
For the unaware: Kape has a history of bundling malware into software that they have purchased. Like they’ll buy out an existing piece of software, then bundle malware into updates for that purchased sodtware. I remember a lot of PIA users fled when Kape bought it a while ago. PIA hasn’t had any bad updates yet, but it’s still putting a lot of trust into a company with a rocky history.
Notably, PIA is one of the few VPNs that still provides port forwarding. Most VPNs dropped port forwarding support a while ago.
Yes, here are some non kape vpn services with port forwarding for the people reading along:
Air, proton, ivpn, windscribe.
VPN services are targeted at different user bases and have different features. It would be unwise to rely on one service for wildly different uses like browsing, bypassing edge devices, p2p, hosting, location spoofing, etc.