Audit history at a glance
NordVPN's no-logs claim is not just a marketing line; it has been tested in four separate independent audits (one by PwC, three by Deloitte) that inspected the configuration of its servers and the policies behind them.
- November 2018 — PwC AG (Zurich): first independent assurance audit of NordVPN's no-logs policy. Auditors had access to servers and infrastructure, and interviewed engineers.
- November 2020 — Deloitte: second no-logs audit, this time covering a broader server sample and policy review.
- June 2022 — Deloitte: third audit with the same scope, after the migration to RAM-only servers was complete.
- October 2023 — Deloitte: fourth audit. NordVPN now publishes a summary letter from Deloitte rather than the full report.
That cadence (a fresh audit every 18 to 24 months) is more frequent than most competitors'. ExpressVPN audits less often; Surfshark started auditing only in 2022, after the Nord Security merger.
The 2018 Finland incident, explained without spin
In March 2018, an attacker accessed a single server at Creanova, a third-party data center NordVPN rented space in. The attacker exploited an insecure remote management system the data center had installed without NordVPN's knowledge.
What the attacker could see: the server's TLS key. What the attacker could not see: user identities, browsing history, or session data. NordVPN had no centralized logs to steal, and the server itself did not record activity.
The incident only became public in October 2019, after chatter on hacker forums surfaced. NordVPN's disclosure was slow (a real criticism), but the technical fix was decisive: by 2019 NordVPN had migrated its entire fleet to RAM-only servers, ended the Creanova contract, and started a bug-bounty program.
What protects you today
Four overlapping defenses make a successful repeat of the 2018 incident much harder:
- RAM-only servers. No data is written to disk. Every reboot wipes the entire server state.
- Panama jurisdiction. Panama has no mandatory data-retention law and is not a member of the Five/Nine/Fourteen Eyes intelligence alliances.
- Self-owned DNS. Queries don't pass through third-party resolvers that could log them.
- Public bug-bounty program. Researchers are paid to find vulnerabilities before attackers do.
What the audits don't cover
Two honest caveats. First, audits are point-in-time; a clean audit in October 2023 doesn't prove the configuration is identical today. Second, the published documents are summary letters, not full reports, so independent researchers can't verify every claim themselves. Both criticisms apply to every commercial VPN, not just NordVPN.
If full transparency matters more to you than feature breadth, Mullvad's anonymous-account model (you get a random account number, no email required) is worth considering. For everyone else, NordVPN's audit cadence is among the strongest in the industry.
Verdict
NordVPN is safe to use for the threat models most people actually face — ISP tracking, public Wi-Fi snooping, geo-blocked content. It is not the right tool for evading a nation-state adversary, and no commercial VPN is. The 2018 Finland incident is a real entry on its record, but the response (RAM-only migration, bug bounty, Deloitte cadence) is the kind of follow-through you want to see.