NordVPN vs Surfshark vs PIA: Which VPN Protects Privacy?

Disclosure: This review contains affiliate links. We may earn a commission if you purchase through our links, at no extra cost to you.

The three claims every VPN makes — no logs, no tracking, no data surrendered to governments — are easy to print on a marketing page and impossible to verify without independent evidence. NordVPN, Surfshark, and Private Internet Access all make those claims. The meaningful difference between them is what substantiates the claim: a third-party audit from a recognized firm, an actual court subpoena that produced nothing, or an open-source codebase that lets anyone inspect what the app sends.

This comparison focuses on the three factors that actually predict privacy protection: what the no-logs policy covers and excludes, what independent parties have verified about it, and where the company is incorporated — because jurisdiction determines what a VPN can be legally compelled to hand over regardless of what its policy says.

NordVPN: Panama Jurisdiction and Repeated Audits

NordVPN

Privacy VPN with Linux support and Meshnet.

Visit NordVPN →

NordVPN is incorporated in Panama, a jurisdiction outside the Five Eyes, Nine Eyes, and Fourteen Eyes intelligence-sharing alliances. Panama's law does not require data retention for VPN providers, and the country has no standing data-sharing treaty with the United States or the European Union that would compel NordVPN to respond to a foreign government data request as though it were a domestic one. An agency seeking to identify a NordVPN user would have to pursue Panamanian legal channels — a meaningfully higher bar than a domestic subpoena or a GDPR-backed EU authority demand.

No-logs policy and audits

NordVPN's no-logs policy states that it does not retain connection timestamps, session durations, originating IP addresses, or traffic content. That policy has been independently audited multiple times, including by Deloitte, which has conducted no-logs audits and published findings. A pattern of audits across multiple years carries more weight than a single point-in-time engagement, because it gives auditors visibility into whether policy and operational practice remain consistent as the company scales its server infrastructure.

In October 2019, NordVPN disclosed that a server it had rented from a third-party datacenter in Finland experienced unauthorized access in 2018. The server was not owned or directly managed by NordVPN; the datacenter's management interface was compromised at the provider level. No user data was exposed in the incident, which is consistent with a genuine no-logs policy — there was nothing to take. The disclosure, though delayed by over a year, is relevant context: it shows how NordVPN responded when third-party infrastructure was compromised, and it prompted the company to move toward colocated, dedicated hardware it controls directly.

Who NordVPN fits

NordVPN is the best-documented choice for someone making a VPN decision on the basis of jurisdiction and audit history. The Panama incorporation removes the most common compelled-disclosure mechanism, and repeated Deloitte audits provide the most rigorous third-party paper trail of the three providers reviewed here. It fits users whose threat model includes government surveillance and commercial data collection, and who want audit documentation available to review before trusting a provider.


Surfshark: Unlimited Connections, EU Jurisdiction

Surfshark is incorporated in the Netherlands and has been part of Nord Security — the same corporate group as NordVPN — since the two companies merged in 2022. The Netherlands is a member of the Nine Eyes intelligence-sharing arrangement, which is a meaningful distinction from NordVPN's Panama incorporation. Nine Eyes membership means the Netherlands participates in intelligence-sharing discussions with the Five Eyes core countries, but Dutch law still governs what Surfshark can be compelled to produce in a domestic proceeding. The GDPR further constrains what data Surfshark can collect and retain as an EU-based entity.

Surfshark's no-logs policy states that it collects no data that would identify a user's activity or real IP address. The policy has been audited by Cure53, a German security firm that reviewed Surfshark's server configuration and browser extensions, and by Deloitte, which conducted a dedicated no-logs audit. Audit documentation is available through Surfshark's website.

The unlimited-devices differentiator

Surfshark permits unlimited simultaneous device connections on a single subscription. That removes the device-counting calculation that applies to both NordVPN and PIA, each of which sets a fixed connection limit per account. For a household protecting phones, laptops, and a streaming device simultaneously, unlimited connections is a practical advantage that goes beyond price.

Surfshark's CleanWeb feature blocks ads, trackers, and domains associated with malware at the VPN level — before traffic reaches the client device. This reduces the behavioral data transmitted to advertising networks even while tunneling, though it is not a substitute for a dedicated browser-level ad blocker.

Who Surfshark fits

Surfshark fits households with multiple devices who want a verified no-logs policy without paying per-device, and users who find the EU's regulatory environment for consumer data more legible than Panama's legal landscape — even accounting for the Nine Eyes affiliation. For most residential privacy use cases (protecting traffic on public Wi-Fi, preventing ISP-level tracking, bypassing geographic restrictions), Surfshark's combination of audited policy and unlimited connections is practical and well-documented.


Private Internet Access: Court-Tested No-Logs, US Jurisdiction

Private Internet Access (PIA) is based in the United States — Five Eyes territory — and is owned by Kape Technologies, which acquired it in 2019. Kape's corporate history includes operating under a previous name, Crossrider, which was associated with advertising-injection software. That background is worth noting as context, even though PIA predates the acquisition and has maintained its policies across ownership changes.

The reason PIA merits consideration despite the US jurisdiction and ownership history is that its no-logs claim has been validated through actual adversarial legal proceedings, not just audit documentation. Law enforcement agencies have subpoenaed PIA user data at least twice. On both occasions, PIA responded that it had no logs to produce — because none existed. A no-logs policy that survives real subpoenas is a stronger proof point than one that has only been reviewed by an auditor with access to what the company chose to show.

Open-source clients

PIA publishes its client applications as open-source software, which allows independent developers to inspect the code for data-collection behavior. Open-source clients do not prove that the server infrastructure collects no data — server-side behavior is not visible in client code — but they do close the "what is the app actually sending?" question in a way that closed-source clients cannot. Users or independent researchers who want to verify client-side behavior can audit the code directly or rely on community reviews that open-source publication makes possible.

PIA's MACE feature blocks malicious domains and known tracking hosts at the DNS level, providing a layer of ad and malware blocking comparable in principle to Surfshark's CleanWeb.

Who PIA fits

PIA fits technically oriented users who weight court-validated evidence and open-source transparency over clean jurisdiction, and who are not satisfied by audit documents alone. It also fits users whose primary privacy concern is commercial tracking and ISP data collection rather than government surveillance. For that threat model, the US jurisdiction concern is secondary to whether the no-logs policy holds under pressure — and PIA's has been tested in actual legal proceedings. Users whose threat model specifically includes US government access should weight Panama (NordVPN) or Sweden (Mullvad) more heavily.


Head-to-Head Summary

NordVPNSurfsharkPIA
JurisdictionPanama (outside 14 Eyes)Netherlands (Nine Eyes)USA (Five Eyes)
No-logs verified byDeloitte (multiple audits)Cure53, DeloitteCourt subpoenas — no logs produced
Simultaneous devicesFixed limitUnlimitedFixed limit
Open-source clientsNoNoYes
Known incident2018 datacenter breach, disclosed 2019None knownNone known
OwnershipNord Security (Panama)Nord Security (Netherlands)Kape Technologies (UK-listed)

No provider listed here has been caught logging user data or producing identifying records in response to law enforcement. The differences are in the strength and type of that evidence — a recognized-firm audit, a real subpoena, or a public code repository — and in the jurisdiction governing compelled disclosure. Those two variables are the actual purchase decision.


Frequently Asked Questions

Does a VPN make me anonymous? No. A VPN masks your IP address from the sites you visit and encrypts traffic between your device and the VPN server. It does not make you anonymous: the VPN provider sees your real IP address, account credentials, and payment information. A genuine no-logs policy limits what is retained from that relationship, but the relationship itself remains visible to the provider.

What does "no logs" mean in practice? At minimum, it means the provider does not store connection records that would link a real IP address to a browsing session. Some providers log aggregate bandwidth statistics without logging individual users; others log nothing. Reading the specific policy language — and the scope of whatever audit has reviewed it — tells you which category a provider falls into.

Does PIA's US jurisdiction make it unsafe to use? It raises the risk surface for users whose threat model specifically includes US government access. For most consumers primarily concerned with commercial tracking, ISP data collection, or public Wi-Fi security, the jurisdiction question is secondary to whether the no-logs policy is real under pressure — and PIA's has been tested in court. If surveillance by a state actor is part of your threat model, the Panama or Swedish options deserve more weight.

Are NordVPN and Surfshark the same company? They operate as separate products with separate infrastructure and separate privacy policies, but they share a parent entity — Nord Security — following a 2022 merger. Users who want complete organizational independence between their VPN provider and any other company should factor that into the decision.

Should I choose a VPN based on speed? Speed matters for streaming and gaming, but the performance gap between major providers has narrowed significantly as WireGuard-based protocols have become standard. Establish your privacy and jurisdiction baseline first; treat speed benchmarks as a final tie-breaker between providers that are otherwise equivalent on the criteria that matter.


Keep reading

Posts in this series