Open any VPN's homepage and you'll find the same two words, usually in the biggest font on the page: no-logs. It's the promise the entire industry is built on — that whatever you do while you're connected, your provider keeps no record of it. It's also the most-claimed and least-verified promise in technology.
Here's the uncomfortable part: a no-logs claim costs nothing to make. Any company can type 'we don't keep logs' onto a landing page in an afternoon, whether or not it's true — whether or not their servers are quietly recording every site you visit. The words on the page tell you what a provider wants you to believe, not what their infrastructure actually does.
So the real question isn't which VPN says it's no-logs — they all do. It's how you tell a genuine no-logs VPN from a marketing line. This guide gives you the tools to judge any provider, including us.
What "no-logs" actually means
First, a definition — because 'no-logs' is fuzzier than it sounds. Logs come in a few different flavors, and they are not equally sensitive.
- Usage (activity) logs. The websites you visit, the apps you open, your DNS queries, the actual content of your traffic. This is the sensitive stuff — a record of what you do online. A real no-logs VPN keeps none of it.
- Connection (metadata) logs. Your real IP address, the VPN server you connected to, connection timestamps, and how much data you moved. On their own these look harmless, but a timestamp plus a source IP can be enough to tie a specific person to specific activity. A genuine no-logs provider keeps none that can identify you.
- Operational data. What's left: an email address for your account, payment records, maybe an aggregate count of total bandwidth used to size servers. No honest provider claims to store literally nothing — they have to bill you and run the service. The line that matters is whether any of it can be traced back to what you actually did online.
So 'no-logs' done right means this: no record of your activity, and no connection metadata that could identify you or reconstruct your sessions. Everything else is the minimum a business needs to function. When you read a privacy policy, that's the distinction to look for — not the absence of the word 'data,' but the absence of anything that links you to your browsing.
The trust ladder: four levels of proof
Saying 'no-logs' and proving it are two different things. Think of proof as a ladder: each rung is harder to fake than the one below it, and the higher a provider climbs, the more their claim is worth.
Rung 1 — A privacy policy (a promise)
Every VPN has one, so it's the floor, not the ceiling. A privacy policy is a statement of intent — useful for understanding what a company says it does, worthless as proof that it actually does it. Read it anyway, because a vague or self-contradictory policy is a red flag. But a clean policy on its own is just a well-written promise.
Rung 2 — An independent audit (verification at a point in time)
This is where claims start to carry weight. A provider hires an outside firm to inspect its servers, configuration, and code, then publish the findings. Names you'll see in this space include Deloitte, KPMG, Securitum, Cure53, and Leviathan Security. An audit means a qualified third party looked under the hood and confirmed the no-logs setup was real — at the moment they looked. It's a snapshot, not a live feed, and a provider can change things after the auditors leave. Regular, repeated audits are the strong signal; a single audit from five years ago is a weak one.
Rung 3 — Proof under real pressure (a court case or server seizure)
The hardest test isn't an auditor you invited in — it's a government you didn't. When authorities demand data and a provider has nothing to hand over, the no-logs claim stops being a claim and becomes a matter of record. Three real cases show what this looks like:
- ExpressVPN, 2017. Turkish investigators seized one of its VPN servers as part of an inquiry. They came away with nothing usable — the server held no logs that could identify users or their activity. The no-logs architecture held up under a physical seizure.
- ProtonVPN, 2019. A Swiss court order sought user data in a case. ProtonVPN's no-logs design meant there was no VPN connection history to produce, and the company has been public about how its structure limits what it can ever be compelled to reveal.
- Windscribe, 2025. This is the starkest one. Authorities in Greece pursued a case tied to activity on a Windscribe server, and the company's CEO was personally charged. The case was dismissed in April 2025 — for the simplest possible reason: the server kept no logs, so there was no data linking the account to the alleged activity. There was nothing to convict on because there was nothing recorded.
These cases are worth more than any marketing page, because they're the claim being tested by someone actively trying to break it.
Rung 4 — Structural backing (architecture that can't log)
The top rung is design that makes logging difficult or impossible in the first place, rather than relying on a policy that simply says 'we choose not to.' The main pieces:
- RAM-only servers — servers that run entirely in volatile memory with no hard drives. Every reboot wipes them completely; there's no disk for data to persist on. You can't seize what was never written down.
- Open-source apps — when the client software is public, anyone can inspect it for hidden tracking. You're not taking the company's word for it; you're trusting code that thousands of people can read.
- A privacy-friendly jurisdiction — where a provider is legally based shapes what it can be forced to collect and hand over. Countries outside intrusive data-retention and surveillance-sharing regimes give a no-logs policy the legal room to actually mean something.
The takeaway: a privacy policy is the entry ticket, not the proof. The providers worth trusting are the ones climbing toward audits, court-tested records, and architecture that can't betray you in the first place — and who tell you honestly which rung they're standing on.
Five questions to ask any VPN
You don't need to be a security engineer to evaluate a provider. Walk through five questions, and keep one principle in mind underneath all of them: the burden of proof is on the provider, not on you. A trustworthy VPN makes the answers easy to find.
- Is there a public, independent audit? And how recent is it? One audit you can click on and read, with a date on it, beats a hundred repetitions of the words 'no-logs.'
- What jurisdiction is the company in? Where is it legally based, and what does that country require it to retain or disclose?
- Are the servers RAM-only? If they are, the provider will say so loudly — it's a real engineering investment that's hard to claim falsely.
- What does the privacy policy actually say it collects? Read it. Look specifically for activity logs and identifying connection metadata — not just for reassuring language.
- Is the company transparent about who owns it? A provider that hides its ownership, its parent company, or its country of operation is asking for trust it isn't willing to reciprocate.
If a provider makes any of these hard to answer, that difficulty is itself the answer.
A warning about "free" VPNs
One category deserves special caution: free VPNs that aren't really free. Running a global server network costs real money. If you're not paying and there's no clear business model behind the app, it's worth asking how the service stays alive — and too often the answer is that your data is the product. Some free apps have been caught logging user activity and selling it to advertisers and data brokers, which is the exact opposite of what a VPN is for.
The pattern to avoid is the combination: an app that's free with no explanation of how it makes money, hides who owns it, and has no audit or court record to point to. Any one of those alone is a yellow flag. All three together is a service you should not route your traffic through.
Where Vela stands today — honestly
It would be easy to end here by telling you Vela passes every test above. We're not going to, because it wouldn't be true — and an article about how to spot empty claims is the worst possible place to make one.
Here is exactly where we are. Vela is new — we launched in 2026. From day one, we're no-logs by design and by policy: we don't store your browsing history, your traffic, or a record of the IP addresses you connect from. We're built on WireGuard, the modern protocol that's been audited and trusted across the industry, and our apps are fully bilingual in Arabic and English. That's the foundation, and it's real today.
And here's what we don't have yet. We haven't completed an independent third-party audit. We're not yet fully RAM-only across our entire network. We haven't published a transparency report — we're too new to have a meaningful one. Those three things are on our roadmap, in that order, and we'll show the receipts as we reach each one rather than announce them before they're done.
We're early. We'd rather earn your trust by being honest about exactly where we are than by overclaiming and hoping you don't check. The whole point of this article is that you shouldn't take any VPN purely at its word — and that has to include us. Hold us to the same ladder. As we climb it, you'll be able to watch each rung go by.
That's the version of 'no-logs' we think is actually worth something: not the loudest claim, but the one you can watch become true.
Privacy you can start with today
Vela is no-logs by design, built on WireGuard, and free to start — 5 GB every month, full Arabic and English apps. We'll keep showing you our progress, not just our promises.