Who owns your VPN and why is it important?

Have you ever wondered who owns your VPN? This is an important question because, when it comes to VPNs, users need to know they can trust their provider. With millions of people worldwide relying on VPNs for online privacy and data security, understanding who owns your VPN is essential.

In recent years, the VPN industry has seen significant consolidation. Some of the biggest players in the VPN industry have quietly acquired many popular VPN brands. This trend raises important questions about transparency, data privacy, and potential conflicts of interest.

The important thing to remember is that the parent company behind a VPN could change the VPN’s policies and might decide to use acquired data for its own purposes. This is why it is important to know who owns a VPN and whether it has changed hands.

Even if a VPN promises never to share data with third parties, could the potential for internal data processing be enough to deter you from using it? These are important questions to consider, especially as more and more services come under the control of a single organization.

In this guide, we’ll dive deep into the ownership of well-known VPN providers.  You’ll learn who controls the services you trust and what it means for your online security. By the end of this article, you’ll have a complete understanding of who owns the best VPNs – arming you with the knowledge you need to make better decisions about your digital privacy.

Who owns your VPN? Does it matter?

The answer to this question is nuanced.

On the one hand, it shouldn’t matter who owns or runs a VPN service – as long as it has strong security and a watertight no-logging policy. The reason for this is that if the VPN never keeps any logs of user IP addresses, the servers that subscribers use, or any of the browsing data that passes through its servers, there is nothing for the owner of the VPN to leverage for its own purposes (or that could result in security risks if is compromised).

Legal requirements and regulations

On the other hand, it is important to understand that the owner of a VPN is subject to legal requirements and regulations, which depend on the country where that provider is based. The owner of a VPN could be served a warrant that compels it to provide any data it has on file, and if the country where the VPN is based enforces gag orders, it is possible that the VPN could be forced to start logging in secret.

Potential for real-time monitoring

It is also worth understanding that a VPN could monitor the data passing through its servers in real time. Some no-log VPNs may do this to collect aggregated information that is used to improve their services or for other analytics purposes. These VPNs do not keep usage logs that apply to any specific user, meaning they still qualify as no-log VPNs.

Although aggregated connection logs and analytics do not impact individuals’ privacy, they do raise some questions. Studies reveal that anonymized or aggregate data can potentially be re-attributed to individual users. This creates questions and concerns that could make you more uncomfortable, depending on who owns your VPN and what their other interests involve.

Conflicts of interest

For example, if the VPN’s owner were hypothetically an advertising company accustomed to using large amounts of data for profiling purposes and market analysis, this could be a serious conflict of interest. Naturally, a VPN with this kind of owner would lead to rumors and a loss of trust, and there’s even a chance that the VPN could secretly be a data honeypot.

This example might seem extreme. However, similar cases have been uncovered in the past, which is why VPN ownership remains a subject that privacy advocates consider seriously.

Key Considerations regarding VPN ownership

With these points in mind, we are going to carefully consider the following questions when evaluating the wonders of market-leading VPNs:

• Where is the owner based, and what legal requirements or regulations might affect them?
• Who is the owner, and what are their other business interests?
• What is the history of the VPN’s owner, and do they have any skeletons in the closet?
• Does the VPN provider have clear and transparent privacy policies that are easy to understand?
• Has the VPN service undergone independent third-party audits to verify its no-logging claims?
• Has the VPN provider experienced any data breaches or security incidents?
• What do user reviews and industry experts say about the VPN owner’s trustworthiness and performance?
• How have the VPN and its owners responded to legal requests for data in the past?
• Is the VPN provider part of a larger conglomerate, and how might that influence its privacy practices?
• Does the VPN and its owners commit to privacy by design or contribute to privacy advocacy groups and open-source projects?

Who owns your VPN?

Now that we have outlined some of the reasons it is worth considering who owns your VPN, we can examine the ownership behind some of the VPN industry’s leading brands. Keep reading to learn who owns your VPN.

1. NordVPN

NordVPN was co-founded by Tom Okmanas and Eimantas Sabaliauskas in 2012. In 2017, the company rebranded to Nord Security to reflect its expansion into broader cybersecurity solutions, including NordPass and NordLocker.

Alongside the establishment of NordVPN, Okmanas and Sabaliauskas registered another company called Tefincom & Co., S.A (Tefincom). Tefincom was registered in Panama and set up to serve as NordVPN’s parent company, managing the legal and financial aspects of the operation. This strategic business structure capitalizes on Panama’s privacy-friendly laws, which are crucial for NordVPN to offer privacy services without the risk of data requests and warrants common in other jurisdictions.

NordVPN has also acknowledged early operational relationships with Tesonet, a Lithuanian tech company (Tom Okmanas also founded that). Tesonet is a business acceleration company that provided initial infrastructure support to NordVPN. However, it is essential to note that NordVPN is a separate entity without any legal ties to Tesonet.

Despite their corporate independence, NordVPN’s relationship with Tesonet has previously led to confusion over potential conflicts of interest. These concerns were partly caused by Tesonet’s role as a business accelerator for around 50 different projects—not all of which align with NordVPN’s focus on privacy services.

Fortunately, independent audits carried out by PricewaterhouseCoopers have addressed any potential worries regarding Tesonet’s involvement in the early stages of NordVPN’s development.

Those audits confirmed Nord Security and Tefincom’s operational independence and NordVPN’s adherence to a strict no-logs policy. The audit also verified Tefincom’s base in Panama, ensuring the VPN isn’t subject to mandatory data retention regulations.

Finally, it is worth noting that Tefincom’s only role is to support NordVPN, with no other significant business activities. This focus ensures that there are no conflicts of interest.

Key takeaways:

• NordVPN is legally based in Panama, a country that lacks mandatory data retention directives or invasive surveillance
• NordVPN has a no-logging policy that PwC has independently audited.
• NordVPN operates a self-owned and managed network of diskless servers
• NordVPN’s apps and servers have been independently audited
• NordVPN has a proven track record of providing privacy for its users and has continually sought to upgrade its services to address vulnerabilities.

2. Surfshark VPN

Surfshark was originally founded by Vytautas Kaziukonis in 2018. The VPN company was initially based in the British Virgin Islands but relocated to the Netherlands in February 2021.

This relocation was supposed to improve the VPN’s reputation by aligning Surfshark with the EU’s privacy-friendly General Data Protection Regulation (GDPR). However, the move creates some concerns because Holland is a member of the NINE EYES—a surveillance treaty that includes countries like the US and the UK.

The good news is that independent audits conducted by Deloitte have confirmed Surfshark’s commitment to privacy. These audits validated the VPN’s strict no-logs policy, with Deloitte confirming that Surfshark does not collect or store user data. This means that even if Dutch authorities were to approach the VPN, it would have no valuable usage data to hand over.

To further bolster its reputation. Surfshark has transitioned to RAM-only server infrastructure. This ensures that any data stored on its servers can be wiped with each reboot, increasing security by giving the provider greater control in an emergency or server-location raid.

In February 2022, Surfshark was acquired by Nord Security, the parent company of NordVPN. Despite this merger, Surfshark and NordVPN continue to operate as independent entities. Each has a separate infrastructure, ensuring they maintain distinct operations and avoid potential conflicts of interest.

The merger between NordVPN and Surfshark is a sign of ongoing consolidation within the VPN industry, potentially leading to concerns regarding market monopolization, reduced competition, and reduced consumer choices. While these concerns are valid, we can at least be happy that Surfshark was acquired by Nord Security – a company with a decent track record of providing privacy services.

The Surfshark brand now offers a range of cybersecurity solutions beyond its VPN service. These include Surfshark Antivirus, Surfshark Search, and Surfshark Alert. These service expansions help to underscore Surfshark’s focus on digital security services.

Key takeaways:

• Surfshark is legally based in the Netherlands, which benefits from solid privacy protections under the GDPR. However, the Netherlands is a member of the NINE EYES, which raises concerns over the potential for surveillance.
• Surfshark has a rock-solid no-logs policy that Deloitte has independently audited.
• Despite being acquired by Nord Security in 2022, Surfshark operates independently with its own infrastructure and product development. This reduces concerns over industry monopolization but is worth monitoring in the future.
• Surfshark has a proven track record of providing privacy for its users and there have been no reported cases of the VPN supplying data to authorities.

3. IPVanish

IPVanish was founded in 2012 by Mudhook Media Inc., an independent subsidiary of Highwinds Network Group based in Orlando, Florida.

In 2017, IPVanish and its parent company, Mudhook, were acquired by StackPath, a security services provider. StackPath later sold IPVanish to J2 Global, a conglomerate with several other VPN services. In 2021, J2 Global rebranded to Ziff Davis, which is now the legal parent company of IPVanish.

This acquisition is part of the ongoing trend of many VPN companies merging or being bought out. It makes IPVanish the sister service of several well-known VPN brands in Ziff Davis’ portfolio, including Encrypt.me, StrongVPN, SaferVPN, Namecheap VPN, Buffered VPN, and VPNHub.

While some legitimate concerns surround VPN market consolidation and how it affects consumers, it is worth noting that IPVanish continues to operate independently. However, the VPN runs on servers owned by its parent company, Ziff Davis.

As a US-based company, Ziff Davis is part of the Five Eyes Alliance and must comply with American laws, which may raise privacy concerns for some users. Despite the potential for US companies to be served gag orders and warrants, IPVanish maintains a strict no-logs policy, meaning it stores no long-term records of its users’ activities. In 2020, the third-party security company Leviathan Security Group independently verified IPVanish’s no-logging policy.

Key takeaways:

• IPVanish and its owner, Ziff Davis, are headquartered in the United States.  This raises potential privacy concerns due to the threat of warrants and gag orders.
• IPVanish’s no-logs policy has been independently verified by a third-party audit carried out by Leviathan Security Group.
• IPVanish continues to operate independently of its parent company but runs on proprietary servers provided by Ziff Davis.
• IPVanish’s previous owner (StackPath) was forced to help US authorities with a criminal investigation. The VPN has since changed hands. Despite this, the incident serves as a reminder of the potential risks associated with US-based VPN.

4. ExpressVPN

ExpressVPN was initially founded by Peter Burchhardt and Dan Pomerantz in 2009. The business was set up in the British Virgin Islands to benefit from the country’s lack of mandatory data retention directives, making it a solid location for a privacy service to be headquartered.

In September 2021, ExpressVPN’s ownership changed hands when Kape Technologies acquired it for a whopping $936 million. Kape Technologies is a UK-based holding company that owns several well-known VPN services, such as CyberGhost and Private Internet Access (PIA).

Kape Technologies has faced criticism due to its history as an ad-tech company, Crossrider. Admittedly, a company known for developing adware can be seen as a bad fit for a privacy service. Crossrider’s previous ventures could be perceived as a conflict of interest.

However, the company rebranded to Kape in 2018, when it had already ceased its ad-tech business to focus on developing privacy services. To this day, there is no evidence that any VPNs owned by Kape have ever been negatively influenced by its previous incarnation as an ad-tech company, and Kape is no longer involved in ad tech.

As of 2024, ExpressVPN continues to operate independently of Kape and its other VPN interests. It is managed by the same team that controlled it before the acquisition. It is still based in the British Virgin Islands and continues to provide watertight privacy services to its subscriber base.

The VPN is known for its strict no-logs policy, which promises never to store records of users’ IP addresses, servers used, or activity data. PricewaterhouseCoopers (PwC) independently verified this policy, and the VPN has a clean track record of providing privacy for its subscribers from 2009 until the present day.

Key takeaways:

• ExpressVPN is based in the British Virgin Islands, benefiting from strong privacy protections.
• Kape Technologies acquired ExpressVPN in September 2021, but it continues to operate independently.
• ExpressVPN’s no-logs policy has been independently audited by PwC, ensuring user privacy.
• ExpressVPN has a proven track record of providing privacy for its users, with no reports of having handed data to authorities.
• ExpressVPN runs on a network of diskless servers, allowing the VPN to delete all data passing through its servers by pulling the plug. This helps to secure its servers in an emergency and ensures that all data on the server is in a constant state of flux.

5. CyberGhost VPN

CyberGhost VPN was founded in 2011 by Robert Knapp in Bucharest, Romania. The company established its reputation as one of the first VPNs to publish a transparency report and has continued emphasizing its commitment to privacy ever since.

In March 2017, CyberGhost was acquired by Kape Technologies (formerly Crossrider) for approximately $10.5 million. This acquisition was part of Kape’s transition from ad-tech to focus exclusively on digital privacy and security services. Kape Technologies is now a significant player in the VPN industry, owning other well-known VPN services such as ExpressVPN, Private Internet Access (PIA), and ZenMate (which has now been incorporated into CyberGhost and is no longer available).

CyberGhost continues to operate independently under Kape Technologies. The company maintains its headquarters in Bucharest, Romania, benefiting from favorable data protection regulations.

CyberGhost has a strict no-logs policy that Deloitte has independently verified. This audit validated the VPN’s privacy claims, proving that it does not harvest, store, or process any data that could negatively affect its users’ privacy.

Kape Technologies’ acquisition of CyberGhost is part of a broader consolidation trend in the VPN industry. While this raises concerns about reduced competition and consumer choice, CyberGhost remains independent.

That said, it is worth noting that Kape closed down another VPN it acquired, ZenMate. Subscribers with a subscription with ZenMate were allowed to switch to CyberGhost (or get a refund), which Kape maintained was an advantage for its users due to Cberghost’s better policies, infrastructure, and technologies.

This case highlights the possibility that VPNs acquired by Kape (or any other parent company involved in industry consolidation) could be shut down or merged with other services during restructuring. This is why it is essential to stay informed about your VPN’s ownership and how it could impact the service now or in the future.

Key takeaways:

• CyberGhost was founded in 2011 by Robert Knapp and is based in Bucharest, Romania.
• CyberGhost was acquired by Kape Technologies in March 2017 but continues to operate independently.
• CyberGhost’s no-logs policy has been independently audited by Deloitte, ensuring user privacy.
• CyberGhost VPN runs on RAM-only servers to enhance security.
• CyberGhost has maintained a clean record for consumer privacy throughout its existence.

6. PrivateVPN

PrivateVPN was founded in 2009 by Martin Müller and is headquartered in Sweden. Since its inception, the company has built a reputation for providing robust privacy features and strong security protocols.

In June 2022, PrivateVPN was acquired by Miss Group, a company known for its web hosting and online services. This acquisition aimed to expand Miss Group’s portfolio of online services while providing secure in-house server infrastructure to the VPN—designed to increase security for users while maximizing profits and reducing expenditures.

PrivateVPN continues to operate independently under Miss Group. The VPN service benefits from Sweden’s strong privacy laws, which do not mandate data retention. This allows PrivateVPN to maintain a strict no-logs policy. However, it is worth noting that although the VPN has an entirely blip-free history of providing privacy for its users, it has not completed any third-party security audits.

Key takeaways:

• PrivateVPN was founded in 2009 and is based in Sweden.
• Miss Group acquired PrivateVPN in June 2022 but continues to operate independently.
• PrivateVPN has a strict no-logs policy and has decent privacy protection under Swedish law. However, it has not completed any third-party audits.

7. PureVPN

PureVPN was founded in 2007 by Uzair Gadit and is headquartered in the British Virgin Islands (BVI). From the outset, the VPN was set up under the parent company GZ Systems to benefit from the BVI’s favorable privacy laws (which lack mandatory data retention directives and invasive surveillance agencies).

PureVPN operates independently under GZ Systems, which exclusively manages the legal and financial aspects of the business. GZ Systems has no outside business interests or activities that could cause a conflict of interest with the VPN.

In March 2017, PureVPN faced a significant privacy controversy when it provided logs to the FBI that helped identify a cyberstalker. This incident, which allowed the VPN to help the authorities carry out a time-correlation attack, occurred due to connection logs that were kept per its logging policy at the time.

This led to substantial criticism, which led PureVPN to overhaul its privacy policy so that the VPN no longer kept connection logs alongside subscriber IPs. The VPN has since committed to a strict no-logs policy verified by independent audits carried out by Altius IT and KPMG.

Key takeaways:

• PureVPN was founded in 2007 by Uzair Gadit and is based in the British Virgin Islands.
• PureVPN has a strict no-logs policy, ensuring user privacy is always protected.
• PureVPN has completed two separate audits of its service to verify its commitment to privacy.

8. ProtonVPN

ProtonVPN was founded in 2017 in Switzerland by the team behind ProtonMail, which includes Dr. Andy Yen, a scientist who met his co-founders while working at CERN. The fact that the VPN is developed by the team behind the private email service ProtonMail helps to bolster its reputation and positions it as a VPN popular with privacy enthusiasts.

ProtonVPN is operated by Proton AG, an employee-owned nonprofit company (primarily owned by the Proton Foundation). Proton AG’s company motto is privacy by default, and Switzerland’s strong privacy laws make it a decent location for a privacy-focused service like a VPN to be based. The current members of the board of trustees for the Proton Foundation are listed online, and there are no notable concerns at the time of writing.

In Switzerland, VPNs are excluded from mandatory data retention laws under the Federal Act on the Surveillance of Postal and Telecommunications Traffic (BÜPF). Following a decision made in 2020 by the Swiss courts, VPNs do not need to keep any records, meaning that ProtonVPN is free to enforce a strict no-logging policy.

Securitum, a leading European security auditing company, has independently verified ProtonVPN’s privacy policy. The most recent audit, completed in 2021, verified ProtonVPN’s policies and security features, finding that the service acts in accordance with its commitment to privacy.

Key takeaways:

• ProtonVPN was founded in 2017 by Dr. Andy Yen and the team behind ProtonMail.
• ProtonVPN is based in Switzerland, a country that lacks mandatory data retention directives that apply to VPNs.
• Proton VPN maintains an up-to-date transparency report and a warrant canary.
• Proton VPN is owned by Proton AG, whose main shareholder is the Proton Foundation (an employee-owned non-profit)
• ProtonVPN has a strict no-logs policy that Security has independently verified.

Who owns other VPNs?

Below, we have provided up-to-date information about the current owners of other well-known VPN brands:

• Private Internet Access: Kape Technologies (BVI)
• Hotspot Shield: Aura (USA)
• VyprVPN: Golden Frog (USA)
• Windscribe: Windscribe Limited (Canada)
• TunnelBear: McAfee (USA)
• Mullvad: Amagicom AB (Sweden)

The problem with VPN audits – Why VPN provider trust is crucial

A third-party VPN audit is an excellent way for VPN providers to increase trust in their service. This is why many leading VPNs have chosen to pay for these security audits. The benefit of a third-party audit is that it can uncover any potential security flaws and allow the VPN to improve its apps or infrastructure to prevent leaks and protect against cyberattacks before they happen.

We are incredibly bullish on VPNs that invest in these audits because they highlight that VPNs care about security and reputation. That said, we acknowledge that the results of a VPN audit are somewhat limited due to how a VPN is set up. Keep reading to find out why.

Flexible configuration

The way a VPN server is set up to work is based on implementation choices, and these choices are often flexible. The hardware used to set up a VPN server is physical, which guarantees a certain amount of stability. Still, even then, a VPN provider could decide to rip out its server infrastructure and start again, if not for the entire network, in a single location.

The convertible nature of a VPN server’s configuration is even more acute regarding the software and security choices. A VPN provider could theoretically set up a server to keep no logs one day and then reconfigure that server to start keeping logs the next day. A VPN server could even be set up to use robust encryption one day and reconfigured with flaws and backdoors the next.

The flexibility surrounding the implementation of a VPN means that the results of an audit are only valid for the time it takes place and does not guarantee how the VPN is treating user data or protecting the data that passes through its servers.

Limited value

This makes VPN audits a double-edged sword. On the one hand, they help to increase trust in the VPN by providing a snapshot of evidence that the network and applications are safe and acting in accordance with the VPN’s policies on the day the audit is undertaken.

On the other hand, VPN audits underscore the importance of trusting your VPN provider. A VPN could pass an audit one day and then change its server configurations the next day, potentially turning it into a data honeypot collecting information about its users’ activities.

This potential risk underscores the need for ongoing trust in the VPN provider. That is why it is important to stick to VPNs with a strong reputation, well-written and trustworthy privacy policies, and a proven track record of providing privacy for their users.

Who owns my VPN? FAQs