Short answer: yes, NordVPN is safe. Six independent no-logs audits by Big 4 firms, RAM-only servers, a Cure53 security assessment, and a HackerOne bug bounty program back that up. But "safe" without evidence is meaningless — so this article examines every major concern one by one.
"NordVPN is dangerous" — search for it and you will find no shortage of articles making that claim. Most of them either stoke fear without technical evidence, or conclude "it's safe" without substantiation. When I started digging into each claim, the picture turned out to be more nuanced than either side suggests.
Why NordVPN Is Called "Dangerous"
Concerns about NordVPN fall into four categories:
- The 2018 server breach — one server was accessed without authorization
- No-logs skepticism — is the no-logs claim actually true?
- Company transparency — Panama incorporation, Tesonet/Oxylabs ties
- VPN limitations — a VPN does not make everything safe
The first three concerns are NordVPN-specific. The fourth applies to all VPN services. We examine each below.
The 2018 Server Breach: What Actually Happened
Any discussion of NordVPN's trustworthiness must address the 2018 incident. I went through the primary sources — NordVPN's official response, datacenter records, and independent reporting — to piece together what actually occurred.
What Happened
Between January and March 2018, a single NordVPN server at a Finnish datacenter (Creanova Hosting Solutions) was accessed without authorization. The key intrusion occurred on March 5, 2018.
The cause was a remote management system (iLO/iDRAC) left in place by the datacenter provider without NordVPN's knowledge. This was not a vulnerability in NordVPN's own software or systems — it was the hosting provider's oversight.
What Was Exposed
The attacker obtained three TLS keys and the OpenVPN CA key from that server (all were valid at the time and expired in October 2018). However:
- Decrypting VPN traffic was impossible (TLS keys and VPN encryption keys are separate)
- No logs were stored, so zero user data was exposed
- Only one server was affected — NordVPN estimates 50–200 customers used it
NordVPN's Response
- Immediately terminated the datacenter contract
- Conducted a full infrastructure audit
- Accelerated the transition to RAM-only servers (completed in 2022)
- Launched a HackerOne bug bounty program with rewards up to $50,000
- Completed migration to colocated servers — fully self-managed hardware, eliminating third-party datacenter risks
The Legitimate Criticism
The incident itself is less concerning than the delayed disclosure. Creanova did not notify NordVPN of the breach until April 2019 — over a year after the incident. NordVPN then took until October 2019 to disclose publicly, stating they waited for the infrastructure audit to complete. That is roughly 18 months from breach to public disclosure. Even accounting for Creanova's delay, NordVPN could have disclosed sooner after learning of it.
Is the No-Logs Claim Real? Inside the Audits
Many VPNs claim a no-logs policy. Few submit to independent verification. This is the area where I was most skeptical going in — "no-logs" has become a marketing buzzword.
Six Audit Engagements
NordVPN completed six independent no-logs audits between 2018 and 2025, detailed on its audit report page.
| # | Year | Auditor | Standard |
|---|---|---|---|
| 1 | 2018 | PricewaterhouseCoopers (PwC) | — |
| 2 | 2020 | PricewaterhouseCoopers (PwC) | — |
| 3 | 2022 | Deloitte | ISAE 3000 |
| 4 | 2023 | Deloitte | ISAE 3000 |
| 5 | 2024 | Deloitte | ISAE 3000 |
| 6 | 2025 | Deloitte | ISAE 3000 |
The first two were conducted by PwC (Big 4), with Deloitte (Big 4) taking over from the third audit onward. The shift to ISAE 3000 — a globally recognized non-financial assurance standard — raised the bar significantly.
What the Auditors Inspected
The sixth audit (November 10 – December 12, 2025) by Deloitte Lithuania examined:
- VPN servers — standard VPN, Double VPN, Onion over VPN, and obfuscated servers
- Configuration files — server settings and deployment processes
- Technical logs — what system logs exist and their retention periods
- Staff interviews — operational team processes and procedures
Conclusion: "NordVPN's architecture deliberately omits any collection of user-identifying metadata such as IP addresses or timestamps."
Cure53 Security Assessment (2025)
Separate from the no-logs audits, Cure53 — a well-known Berlin-based security firm — conducted an extensive penetration test in May, June, and October 2025. The scope covered Android, iOS, Windows, macOS, and Linux apps; browser extensions; Threat Protection components; core APIs; and server infrastructure.
The result: zero critical vulnerabilities. Five high-severity issues were found (command injection paths, session management, and privilege escalation), all of which NordVPN fixed and Cure53 verified. Commissioning this level of external scrutiny voluntarily is a strong signal.
What RAM-Only Servers Mean
Since 2022, all NordVPN servers have run on diskless RAM-only infrastructure across the entire 8,000+ server network. Pulling the power erases everything. Even physical seizure of a server yields no recoverable data.
Six audits combined with RAM-only servers represent the strongest no-logs evidence in the VPN industry. That said, a "complete proof" of no logging is technically impossible — keep that in mind.
If the audit track record checks out for you, NordVPN offers a 30-day money-back guarantee to test it yourself.
Company Transparency: Panama, Tesonet, and Nord Security
Why Panama
NordVPN's operating company, nordvpn S.A., is incorporated in Panama. Some view this with suspicion, but the choice is legally intentional.
Panama has:
- No data retention laws applicable to VPN providers
- No membership in Five Eyes / Nine Eyes / Fourteen Eyes alliances
This means NordVPN has no legal obligation to store or surrender user data, and since no logs exist, there is nothing to hand over even if requested.
Actual development takes place in Lithuania (Vilnius), with offices in Berlin and Amsterdam. Panama incorporation is a legal strategy to protect user privacy — one that other privacy-focused services use as well (Proton uses Switzerland for similar reasons).
The Tesonet Question
Another concern is NordVPN's relationship with Tesonet, a Lithuanian IT company.
Tesonet is also the parent company of Oxylabs, a proxy and data scraping service. This raises an obvious question: "A VPN provider sharing a corporate group with a data collection company?"
The facts:
- Tesonet was an early investor and incubator for Nord Security — the two share common co-founders
- Nord Security now operates as an independent entity with its own management
- There is no evidence that NordVPN shares user data with Oxylabs
- Six no-logs audits detected no data-sharing mechanisms
The suspicion is understandable. The evidence of actual data sharing is nonexistent. If the Deloitte auditors — who had full access to NordVPN's systems for five weeks — found nothing, it is reasonable to treat this concern as addressed.
What a VPN Cannot Protect You From
Finally, limitations that apply to all VPNs, not just NordVPN. If you are new to VPNs, see our beginner's guide to what a VPN actually does.
What a VPN Does Not Stop
- Malware — a VPN encrypts traffic, it does not scan files. Enable Threat Protection Pro or use separate antivirus software
- Phishing — if you enter credentials on a fake site, VPN or not, they are compromised
- Account takeover — password reuse and social engineering bypass any VPN
- Destination logging — a VPN hides your IP from your ISP, but logging into Google still records your activity in Google's systems
Does a VPN Make You Anonymous?
A VPN changes your IP address and encrypts your traffic. It does not provide complete anonymity.
- Browser fingerprinting, cookies, and login states can still identify you
- For true anonymity, consider Tor Browser + VPN + OS-level measures (Tails OS, etc.)
A VPN is a privacy enhancement tool, not an anonymity tool. This distinction matters — and confusing the two is how people end up disappointed with any VPN service.
Frequently Asked Questions
Is NordVPN safe to use in 2026?
Yes. Six independent no-logs audits by PwC and Deloitte, a Cure53 penetration test with zero critical findings, RAM-only servers, and a HackerOne bug bounty program with rewards up to $50,000 make NordVPN one of the most thoroughly audited VPN providers available.
Was NordVPN hacked?
In March 2018, one server at a Finnish datacenter was accessed through a remote management tool left by the hosting provider. Zero user data was exposed because no logs existed on the server. NordVPN has since moved to fully colocated, self-managed RAM-only servers.
Does NordVPN keep logs?
No. NordVPN's no-logs policy has been verified six times by independent Big 4 auditors (PwC and Deloitte) under the ISAE 3000 standard. The RAM-only server architecture means data cannot persist even if someone tried to store it — pulling the power erases everything.
Is NordVPN owned by a Chinese company?
No. NordVPN is developed by Nord Security, which was incubated by the Lithuanian IT company Tesonet. The operating entity is incorporated in Panama for privacy jurisdiction. There is no Chinese ownership or investment.
Can NordVPN see my traffic?
No. The RAM-only server architecture and audited no-logs policy mean NordVPN's servers do not store connection logs, traffic data, or browsing activity. The Deloitte and Cure53 audits confirmed this architecture.
Is NordVPN safe for online banking?
Yes. NordVPN encrypts your connection, which is especially valuable on public Wi-Fi networks where traffic interception is a real risk. However, a VPN does not replace basic security hygiene — use strong passwords and enable two-factor authentication.
Why is NordVPN based in Panama?
Panama has no data retention laws applicable to VPN providers and is outside the Five Eyes / Nine Eyes / Fourteen Eyes surveillance alliances. This means NordVPN has no legal obligation to store or hand over user data — a deliberate choice for privacy protection.
Wrapping Up
A summary of each concern and what the evidence shows:
| Concern | Finding |
|---|---|
| 2018 server breach | Zero user data exposed. Response included RAM-only migration, audits, and bug bounty |
| No-logs credibility | Confirmed by six independent Big 4 audits (ISAE 3000). RAM-only servers across 8,000+ servers |
| Cure53 security audit | Zero critical vulnerabilities. Five high-severity issues found and fixed |
| Panama incorporation | A legal choice for privacy protection. Outside Five Eyes jurisdiction |
| Tesonet connection | Early investment relationship. No evidence of data sharing across six audits |
NordVPN is not perfect. The delayed breach disclosure deserves criticism. But six no-logs audits, a Cure53 penetration test, RAM-only colocated servers, and a $50K bug bounty program put its security practices at the top of the VPN industry.
So, is NordVPN dangerous? Based on the evidence, its technical security is industry-leading.