Update: After NordVPN's third independent audit in June 2021, we updated some sections of this article to reflect the findings.
Ranked as one of the best VPN providers on the scene, NordVPN is about as close to a household name as we’re going to get when it comes to cybersecurity software. It’s often touted as one of the most user-friendly and secure VPN services on the market – but when we dig into the details, do the facts and figures match up to the marketing bluster?
Here, we’ll be exploring if NordVPN logs user data, whether it’s undertaken independent audits to prove any logging claims, what standout features it boasts in terms of keeping you secure and private on the web, and if it has – or has had – any killer failings that might make you want to pick another provider.
NordVPN logs: What does zero-logging mean?
VPNs keep you secure because they reroute your Internet traffic through their own servers rather than your Internet Service Provider’s (ISP). This is an attractive proposition thanks to the fact that ISPs are widely known to monitor your activity, throttle your connection if you engage in certain activities like torrenting, and even sell the data they collect for profit.
By rerouting through a VPN’s servers you avoid this – but if you can’t trust your VPN, you’re substituting one evil for another. If you want to be sure your VPN isn’t doing the same thing as your ISP, you need to seek out a truly zero-logging VPN.
Zero-logging is a phrase often bandied about by VPN providers and reviews. Essentially, it means the VPN collects and stores absolutely no identifying data about you or your activity. So, if for any reason the authorities want to tie activity detected to come from a VPN server back to an individual, said VPN provider will have no information to hand over, even if it is legally compelled to do so.
Does NordVPN log user data?
In short, no. On its website, NordVPN reassures us that absolutely no identifying data is collected or stored when users connect to any server:
‘NordVPN guarantees a strict no-logs policy for NordVPN services, meaning that your activities using NordVPN Services are provided by automated technical process, are not monitored, recorded, logged, stored or passed to any third party. We do not store connection time stamps, session information, used bandwidth, traffic logs, IP addresses or other data. … Further, NordVPN have a strict no logs policy when it comes to seeing user activity online: NordVPN is based in Panama, which does not require data storage.”
So, that all sounds very positive, then. But can we really trust NordVPN to do what it says it does? For that, we need an independent audit to back up these claims.
NordVPN logs: Has NordVPN had an independent audit?
Independent security audits are one of the only ways a VPN provider can prove its claims. Essentially, the provider allows an independent auditing firm (PricewaterhouseCoopers and Cure53 are examples) to inspect source code, investigate logging practices, investigate servers and more besides. The depth of these audits does vary – in our Surfshark review, for instance, we found the provider has only had its browser extensions audited – but without an audit of any kind, you need to take your VPN’s claims at face value.
NordVPN has undertaken not one, but three independent audits of its servers and central infrastructure – much better than the vast majority of VPN providers on the market. This is only really matched by ExpressVPN, TunnelBear, VyprVPN and a select few others – and in truth, NordVPN is most up to date.
The most recent of these was made public in June 2021. Undertaken by VerSprite, it assessed NordVPN's client security using the PASTA method (Process for Attack Simulation and Threat Analysis). No critical issues were found, and a single high severity issue was detected along with a few lower risk problems.
It's worth noting that finding issues isn't necessarily a bad thing – while NordVPN would of course have preferred to have had no issues, for users this only means an improvement of the product. All the vulnerabilities found by VerSprite have also been fixed through updates or software tweaks, and that's only good news.
NordVPN logs: What issues has NordVPN had in the past?
Back in April 2019, the world was notified of a hack involving a single NordVPN server located in Finland – which actually occurred over a year earlier in 2018. In its own statement, NordVPN claimed the hack was the result of a third party’s poor security protocols – so, nothing was truly NordVPN’s ‘fault’.
That data center shut down its operation as soon as it became aware of the issue, but NordVPN came under fire for taking a long time to publish any information on this.
While it’s possible that NordVPN wasn’t aware of the issue until it went public with this, there are a number of conflicting opinions on this. To learn more, read our sister site TechRadar’s article on the truth about the NordVPN breach.
However, since then, NordVPN has gone a long way to regain the trust of its users – not in the least with two audits – and although this is certainly a blot on the provider’s copy book, we’re confident that it’s learned its lesson and has taken even more stringent measures to ensure it remains a private VPN and that nothing like this happens in the future.
What other privacy features does NordVPN offer?
In comparison to most other providers, NordVPN delivers a comprehensive list of dedicated security features to help you stay safe and private online. As standard, you’re covered by AES-256 encryption – commonly called ‘military grade’ – and you’ll have a choice of a number of protocols, including the superfast and secure WireGuard-based NordLynx.
Beyond that, though, are a number of additional features not often found in consumer VPNs. Onion over VPN, for instance, reroutes your traffic through the Tor network, further obfuscating your identity and location. Double VPN uses two servers so that even if one is compromised, your activity still can’t be linked back to you.
Then we come to the hardware on Nord’s side. Apart from ExpressVPN and Surfshark, NordVPN is one of the only providers to have upgraded its server network to 100% RAM disks. If that's all Greek to you, essentially it means all data is wiped after power-off rather than being stored on a traditional hard disk. This means NordVPN can’t store data on its users, even if it wanted to.
So, overall, apart from the historic data breach that the provider has taken great pains to rectify, NordVPN remains as one of the safest VPN services on the market today – but competitors like ExpressVPN, ProtonVPN and Mullvad certainly give it a run for its money.
Why use NordVPN?
