Comprehensive VPN Evaluation Methodology
Our evidence-based evaluation framework provides transparent assessment criteria across 28 sub-criteria in 6 core categories, with each criterion scored 0-5 for objective analysis.
28-Criteria Evaluation Framework
Each of the 28 sub-criteria is scored 0-5, with weighted categories determining the final trust score.
Core Privacy & Security
Jurisdiction
Legal and political environment of the provider's home base (surveillance alliances, data retention laws). Scored 0-5.
Operating jurisdiction publicly disclosed; not based in a country whose laws can compel a provider to log user activity covertly (e.g. National Security Letters with gag orders).
Headquartered outside 5/9/14 Eyes; jurisdiction without mandatory data-retention law; published transparency report covering government requests; warrant canary.
Audited No-Logs Policy
Evidence that the VPN's no-logs claims have been independently verified (through audits or legal cases). Scored 0-5.
At least one independent third-party no-logs audit published in the last 24 months OR a real-world legal incident (server seizure, court order) that confirmed no logs were available.
Annual third-party audit by a reputable firm (Cure53, Deloitte, KPMG, Securitum, Leviathan); full audit report published; scope covers infrastructure + policy + operational practice.
Security Protocols
Strength and modernity of VPN protocols supported (WireGuard, OpenVPN, IKEv2, etc.). Scored 0-5.
WireGuard or OpenVPN (UDP) supported by default; protocol is open-source and publicly documented; legacy protocols (PPTP, L2TP without IPsec) not offered as defaults.
WireGuard with proprietary privacy enhancements (e.g. Mullvad DAITA, NordLynx double-NAT, Proton Stealth); IKEv2/OpenVPN as fallback; obfuscation modes available; protocol upgrades shipped within 30 days of upstream releases.
Encryption
Encryption strength and ciphers used to protect data in transit. Scored 0-5.
AES-256-GCM or ChaCha20-Poly1305 for symmetric encryption; RSA-2048+ or ECDSA for key exchange; TLS 1.2+ for control channel; perfect forward secrecy enabled.
AES-256-GCM and ChaCha20-Poly1305 both supported; RSA-4096 or Curve25519; TLS 1.3; PFS by default with key rotation under 60 minutes; documented cipher suite preferences.
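The encryption criterion can be checked mechanically for OpenVPN profiles, since the cipher list, minimum TLS version and re-keying interval are all plain directives in the client config. The following is an added example (not code from the page or from any VPN provider) that parses a profile and reports which tier it reaches; the directive names are real OpenVPN options, both profiles are constructed, and the "1.0 when tls-version-min is absent" and "BF-CBC when no cipher is set" fallbacks are assumptions about older OpenVPN defaults. Key-exchange strength (RSA-2048+/ECDSA) lives in the certificates, which this check deliberately does not parse.

```python
"""Check an OpenVPN client profile against the Encryption criterion (added example)."""

STRONG_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins).
    Inline <ca>/<cert>/<key>/<tls-crypt> blocks and comment lines are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        opts[name.lower()] = args
    return opts


def assess_encryption(opts):
    """Return the findings plus an overall level: 'below', 'baseline' or 'best'."""
    # Negotiable data ciphers (OpenVPN 2.5+), their older alias, then the fixed --cipher;
    # a profile that sets none of them falls back to the historical BF-CBC (assumption).
    if "data-ciphers" in opts or "ncp-ciphers" in opts:
        ciphers = opts.get("data-ciphers", opts.get("ncp-ciphers"))[0].upper().split(":")
    else:
        ciphers = [opts.get("cipher", ["BF-CBC"])[0].upper()]
    # A missing tls-version-min is treated as the old 1.0 default (assumption).
    tls_min = float(opts.get("tls-version-min", ["1.0"])[0])
    # --secret selects static-key mode: no TLS handshake, hence no forward secrecy.
    pfs = "secret" not in opts
    reneg = int(opts.get("reneg-sec", ["3600"])[0])  # OpenVPN default: 3600 s

    findings = {
        "ciphers": ciphers,
        "symmetric_baseline": ciphers[0] in STRONG_CIPHERS and not (set(ciphers) & LEGACY_CIPHERS),
        "symmetric_best": STRONG_CIPHERS <= set(ciphers),
        "tls_min": tls_min,
        "pfs": pfs,
        "reneg_sec": reneg,
    }
    baseline = findings["symmetric_baseline"] and tls_min >= 1.2 and pfs
    # "Key rotation under 60 minutes" read strictly: the 3600 s default does not qualify.
    best = baseline and findings["symmetric_best"] and tls_min >= 1.3 and reneg < 3600
    findings["level"] = "best" if best else "baseline" if baseline else "below"
    return findings


# Constructed profiles; vpn.example.net is a placeholder, not a real endpoint.
STRONG_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
tls-version-min 1.3
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
reneg-sec 1800
<ca>
-----BEGIN CERTIFICATE-----
(placeholder certificate body, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

WEAK_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.net 443
cipher AES-128-CBC
auth SHA1
"""

if __name__ == "__main__":
    for label, profile in (("strong", STRONG_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, assess_encryption(parse_ovpn(profile)))
```

The check reads only what the profile asserts; a provider that negotiates ciphers server-side can still end up on a different suite, so a packet capture of the handshake remains the authoritative evidence.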
Leak Protection
Protection against IP, DNS, and other data leaks (including kill-switch effectiveness). Scored 0-5.
Kill-switch available on desktop and mobile and enabled by default; DNS leak protection enabled; passes basic IPv4/DNS leak tests in our lab.
System-level kill-switch (firewall-based, not app-level); IPv6 leak protection; WebRTC leak protection in browser extensions; survives sleep/wake, network changes, app crashes; passes ipleak.net + dnsleaktest.com + browserleaks.com under stress conditions.
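Turning the lab runs above into a score means classifying each observation (steady state, after sleep/wake, after an app crash) by which leak types appear. The following is an added example, not code from the page or from any provider: it takes the addresses a leak-test page reported and decides between the two tiers. All addresses are constructed from documentation ranges, the provider's exit and resolver prefixes are an assumption, and so is the rule that every resolver seen must belong to the provider.

```python
"""Classify leak-test observations against the Leak Protection criterion (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    scenario: str                        # "steady", "after-sleep-wake", "after-app-crash", ...
    public_ipv4: str | None              # address a leak-test site reported; None = no connectivity
    public_ipv6: str | None
    dns_resolvers: tuple[str, ...]       # resolver egress addresses the DNS test saw
    webrtc_candidates: tuple[str, ...]   # ICE candidate addresses exposed by the browser


def _inside(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_leaks(obs, provider_nets):
    """Return the leak types present in one observation (empty list = clean).
    A None public address means traffic was blocked, which is the kill-switch
    doing its job, not a leak."""
    leaks = []
    if obs.public_ipv4 is not None and not _inside(obs.public_ipv4, provider_nets):
        leaks.append("ipv4")
    if obs.public_ipv6 is not None and not _inside(obs.public_ipv6, provider_nets):
        leaks.append("ipv6")
    if any(not _inside(r, provider_nets) for r in obs.dns_resolvers):
        leaks.append("dns")
    # Private / link-local ICE candidates are expected; a public non-provider address is not.
    if any(not ipaddress.ip_address(c).is_private and not _inside(c, provider_nets)
           for c in obs.webrtc_candidates):
        leaks.append("webrtc")
    return leaks


def score_leak_protection(observations, provider_cidrs):
    """'below' if the steady-state run leaks IPv4 or DNS; 'baseline' if only IPv6,
    WebRTC or the stress scenarios leak; 'best' if every scenario is clean."""
    nets = [ipaddress.ip_network(c) for c in provider_cidrs]
    report = {o.scenario: find_leaks(o, nets) for o in observations}
    steady = report.get("steady")
    if steady is None or "ipv4" in steady or "dns" in steady:
        level = "below"
    elif any(report.values()):
        level = "baseline"
    else:
        level = "best"
    return level, report


# Constructed data: provider exits/resolvers in 203.0.113.0/24 and 2001:db8:1::/48,
# an ISP-assigned IPv6 address in 2001:db8:ffff::/48, a LAN address for WebRTC.
PROVIDER_CIDRS = ["203.0.113.0/24", "2001:db8:1::/48"]
OBSERVATIONS = (
    Observation("steady", "203.0.113.10", None, ("203.0.113.53",), ("192.168.1.20",)),
    Observation("after-sleep-wake", "203.0.113.10", "2001:db8:ffff::7", ("203.0.113.53",), ()),
    Observation("after-app-crash", None, None, (), ()),
)

if __name__ == "__main__":
    level, report = score_leak_protection(OBSERVATIONS, PROVIDER_CIDRS)
    print(level, report)
```

In the constructed run the steady state is clean but the sleep/wake scenario exposes the ISP's IPv6 address, which is exactly the failure the "survives sleep/wake" clause is written to catch.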
Infrastructure
Owned Infrastructure
Degree to which the VPN owns and controls its server hardware (vs. renting third-party servers). Scored 0-5.
At least 25% of advertised server fleet is owned/colocated rather than rented from third-party hosting providers; physical access controls documented.
Majority owned/colocated infrastructure (e.g. Mullvad-style); detailed disclosure of which server locations are owned vs. leased; data-centre-grade physical security with audit trail.
RAM-Only Servers
Use of RAM-only (diskless) servers, which wipe all data on reboot, for enhanced privacy. Scored 0-5.
RAM-only or full-disk-encrypted servers across the entire production fleet; documented in technical specifications.
Complete RAM-only architecture (no persistent storage on production servers); independently audited; deterministic boot from signed images; all configuration ephemeral.
Transparency & Trust
Transparency – Ownership
How openly the company discloses its ownership and corporate structure. Scored 0-5.
Parent company and country of incorporation publicly disclosed; ultimate beneficial owner identifiable through public filings.
Full corporate org chart published; named executives and board members; no shell-company layers; ownership traceable to identifiable individuals; voluntary disclosure exceeds legal minimums.
Independence & Integrity
Freedom from conflicts of interest and honest conduct (no deceptive marketing or undisclosed affiliations). Scored 0-5.
No documented history of deceptive marketing in the last 24 months; no undisclosed common ownership with VPN review sites that rank the provider.
Active correction of misleading third-party claims; refuses common-ownership review-site listings; published responsible-marketing policy; documented refusal of pay-for-placement deals.
Bug Bounty & Security Disclosure
Presence of a public bug bounty program or vulnerability disclosure policy (and any security audits beyond no-logs). Scored 0-5.
Public security.txt or vulnerability disclosure policy with named contact; commits to acknowledge reports within 14 days.
Public bug bounty program (HackerOne, Intigriti, or self-hosted) with documented payouts; published Hall of Fame; coordinated-disclosure timeline policy; multiple non-no-logs audits (infrastructure, app code, web platform).
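The "public security.txt with named contact" item is checkable against RFC 9116, which defines the file format. The following is an added example, not code from the page or from any provider: a small parser and validator that reports the problems a reviewer would look for (missing Contact or Expires, a Contact that is not a URI, an expired or malformed Expires). Both sample files are constructed and vpn.example is a placeholder domain.

```python
"""Validate a security.txt file against RFC 9116 (added example)."""
from datetime import datetime, timedelta, timezone

KNOWN_FIELDS = {"Contact", "Expires", "Acknowledgments", "Canonical", "Encryption",
                "Hiring", "Policy", "Preferred-Languages", "CSAF"}
_CANON = {f.lower(): f for f in KNOWN_FIELDS}   # field names are case-insensitive


def parse_security_txt(text):
    """Return {field: [values]} with field names normalised to their RFC spelling.
    A cleartext-signed file is accepted: the PGP armor header is skipped and
    parsing stops at the signature block (the signature itself is not verified)."""
    fields, in_armor_header = {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if in_armor_header:                  # "Hash: SHA256" etc., up to the first blank line
            in_armor_header = line != ""
            continue
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(_CANON.get(name.lower(), name), []).append(value)
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    for required in ("Contact", "Expires"):
        if required not in fields:
            problems.append(f"missing required field {required}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unrecognised field {name}")
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires lacks a timezone offset")
            elif when <= now:
                problems.append("file has expired")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    if len(fields.get("Preferred-Languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


# Constructed samples (vpn.example is a placeholder, not a real provider).
GOOD_FILE = """\
# Constructed security.txt for vpn.example
Contact: mailto:security@vpn.example
Contact: https://vpn.example/security/report
Expires: 2025-12-31T23:59:59Z
Encryption: https://vpn.example/security/pgp-key.txt
Preferred-Languages: en, sv
Canonical: https://vpn.example/.well-known/security.txt
Policy: https://vpn.example/security/disclosure-policy
"""

BAD_FILE = """\
Contact: security@vpn.example
Preferred-Languages: en
"""

if __name__ == "__main__":
    check_time = datetime(2025, 6, 1, tzinfo=timezone.utc)
    print("good:", validate_security_txt(GOOD_FILE, now=check_time))
    print("bad: ", validate_security_txt(BAD_FILE, now=check_time))
```

Passing `now` explicitly keeps the check reproducible; in a scheduled review it would be left to default to the current time so that an expired file is flagged on the day it lapses.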
Incident Response
Track record of handling security incidents or breaches transparently and responsibly. Scored 0-5.
No undisclosed incidents in the last 36 months; if an incident occurred, public post-mortem published within 30 days.
Public post-mortem within 7 days of any incident; root-cause analysis with remediation steps; user-affecting events trigger direct customer notification; demonstrated history of self-disclosing rather than waiting for press exposure.
Business & Usability
Speed Performance
Real-world VPN connection speeds and latency compared to a baseline (no-VPN) connection. Scored 0-5.
Average throughput retention ≥40% of baseline gigabit connection on nearby endpoints; latency overhead under 50ms intra-region.
≥80% throughput retention via WireGuard on nearby endpoints; under 20ms latency overhead intra-region; consistent performance across peak hours; published independent speed tests.
Platform Availability
Support for various operating systems and devices (Windows, macOS, Linux, iOS, Android, routers, etc.) and app quality. Scored 0-5.
Native apps for Windows, macOS, iOS, Android with feature parity on core privacy features (kill-switch, protocol selection).
Native apps for all major platforms including Linux GUI + CLI; manual config for routers, NAS, smart TVs; browser extensions with first-class status; app store ratings ≥4.5; CLI tooling for power users; open-source clients on at least one platform.
Streaming / Geo-Unblocking
Ability to access region-locked streaming services (Netflix, BBC iPlayer, Disney+, etc.). Scored 0-5.
Reliably accesses Netflix US and at least 2 other major streaming services from at least 5 country endpoints in our lab tests.
Reliable access to Netflix (multiple region libraries), BBC iPlayer, Disney+, Hulu, Amazon Prime, ITVX, Channel 4, sports/local services from 15+ country endpoints; dedicated streaming servers; ongoing maintenance against blocklist updates.
Customer Support
Quality and availability of customer service (live chat, email support, documentation, response times). Scored 0-5.
Email or ticket support with first response under 24 hours during business hours; published knowledge base covering common setup tasks.
24/7 live chat with first response under 5 minutes; knowledgeable support agents (not script-bound); searchable knowledge base; community forum or Discord; published troubleshooting decision trees.
Pricing & Refund Policy
Fairness and transparency of pricing, plus the availability of refunds or money-back guarantees. Scored 0-5.
Final price (incl. tax / FX) shown before checkout; renewal price disclosed at signup; refund window of at least 14 days for new customers.
Same monthly price regardless of plan length (no anchoring); 30-day money-back guarantee with no usage limits; pro-rated refunds beyond the window for technical failures; transparent comparison of plan durations.
Payment Options
Variety of payment methods offered, especially privacy-friendly options (cryptocurrency, cash, gift cards). Scored 0-5.
Credit cards + at least one alternative (PayPal, Apple Pay) accepted; sign-up requires only an email address.
Cryptocurrency (Bitcoin, Monero) accepted; cash by mail accepted; account creation possible without email (token-based); no requirement to link any personally identifiable information.
Ethics & Additional Features
Ethical Practices & Reputation
The provider's business ethics and reputation (no history of malicious practices or scandalous behavior). Scored 0-5.
No documented history of bundled adware, browser hijacking, undisclosed user data sales, or contractual cooperation with surveillance vendors in the last 24 months.
Active contributions to privacy advocacy (EFF, Tor Project, OTF); transparent corporate behaviour during legal challenges; published positions on privacy legislation; no Kape-style ownership entanglements.
Ad-Blocker / Threat Protection
Built-in features to block ads, trackers, or malware as part of the VPN service. Scored 0-5.
Optional DNS-level ad/tracker blocking using a maintained blocklist (e.g. EasyList, AdGuard, Pi-hole-compatible).
Customisable blocklist categories (ads, trackers, malware, adult, social); per-domain allowlist; phishing/malicious-domain blocking with real-time reputation feed; transparent disclosure of which blocklists are used and how often updated.
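The mechanics behind "DNS-level blocking with a per-domain allowlist" are a suffix match over the query name with the most specific rule winning. The following is an added example, not code from the page or from any provider: it loads hosts-format and AdGuard-style rules into categories, applies an allowlist, and decides a query name. All rules and domains are constructed.

```python
"""DNS blocklist with categories and a per-domain allowlist (added example)."""


def parse_rules(text, category):
    """Return (block, allow): block maps domain -> category, allow is a set of domains.
    Accepts hosts lines ("0.0.0.0 host"), "||host^" block rules and "@@||host^" allow rules."""
    block, allow = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):          # '!' opens an AdGuard comment
            continue
        if line.startswith("@@||") and line.endswith("^"):
            allow.add(line[4:-1].lower())
        elif line.startswith("||") and line.endswith("^"):
            block[line[2:-1].lower()] = category
        else:
            parts = line.split()
            if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
                block[parts[1].lower()] = category
    return block, allow


def load_blocklists(sources, allow_text=""):
    """Merge several category lists plus the user's allowlist into one pair."""
    block, allow = {}, set()
    for category, text in sources.items():
        b, a = parse_rules(text, category)
        block.update(b)
        allow |= a
    allow |= parse_rules(allow_text, "allow")[1]
    return block, allow


def _suffixes(domain):
    """Yield the name and each parent domain, most specific first."""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(domain, block, allow):
    """Most specific matching rule wins; at equal depth an allow rule beats a block rule.
    Returns (verdict, matched_rule, category)."""
    name = domain.rstrip(".").lower()
    for candidate in _suffixes(name):
        if candidate in allow:
            return "allow", candidate, None
        if candidate in block:
            return "block", candidate, block[candidate]
    return "pass", None, None


# Constructed lists; none of these domains are real.
ADS = """\
! constructed ad list
||ads.example^
0.0.0.0 banner.partner.example
"""
TRACKERS = """\
||tracker.example^
0.0.0.0 telemetry.vendor.example   # hosts-style entry
"""
USER_ALLOW = """\
@@||cdn.ads.example^
"""

if __name__ == "__main__":
    block, allow = load_blocklists({"ads": ADS, "trackers": TRACKERS}, USER_ALLOW)
    for q in ("banner.ads.example", "cdn.ads.example", "img.cdn.ads.example", "vpn.example"):
        print(q, decide(q, block, allow))
```

The allowlist entry for `cdn.ads.example` also covers its subdomains, while `banner.ads.example` is still caught by the parent rule; that is the per-domain override behaviour the criterion asks for, and the category in the verdict is what a "disclose which blocklists are used" report would be built from.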
Additional Features
Extra features beyond the core VPN basics (multi-hop, split tunneling, port forwarding, double VPN, etc.). Scored 0-5.
At least one of: split tunnelling, multi-hop, dedicated server categories (P2P, streaming), or auto-connect on untrusted networks.
Multi-hop with user-selectable entry/exit countries; granular split tunnelling (app + IP + domain); port forwarding without weakening tunnel security; meshnet / LAN-over-VPN; obfuscation modes for restrictive networks.
Specialized Technical Assessments
Bypassing Censorship
Ability to evade internet censorship and VPN blocking (e.g. works in China, Iran, and other restrictive regions). Scored 0-5.
At least one obfuscated protocol (Stealth, Shadowsocks, OpenVPN over TLS, NordWhisper) tested working in restrictive networks within the last 12 months.
Multiple obfuscation modes; documented working status in China, Iran, Russia, Turkey, UAE within the last 90 days; bridge servers / pluggable transports; rapid response (under 14 days) to new blocking techniques.
Open-Source Transparency
Whether the VPN's client software is open-source (publicly available code) to allow community scrutiny. Scored 0-5.
At least one official client (desktop or mobile) is open-source under an OSI-approved licence; source mirrors public release versions.
All clients across all platforms open-source; reproducible builds; daemon and GUI separated; build pipeline publicly auditable; F-Droid availability for Android.
Post-Quantum Security (PQC)
Readiness for post-quantum cryptography — implementing or testing quantum-resistant encryption algorithms. Scored 0-5.
Public technical position on PQC migration; pilot or beta deployment of NIST-finalist algorithms (ML-KEM/Kyber, ML-DSA/Dilithium) on at least one protocol path.
PQC hybrid key exchange (e.g. X25519 + ML-KEM) shipped in production for WireGuard; rollout schedule published; transparent benchmarks vs. classical handshake; engagement with IETF standardisation.
Static / Dedicated IP
Availability of static or dedicated IP address options for users (useful for avoiding CAPTCHAs, hosting, etc.). Scored 0-5.
Dedicated IP available as an add-on or premium tier; clear documentation on how dedicated IPs interact with the no-logs policy.
Dedicated IPs across multiple regions; allocation does not bind to a real identity beyond what's needed for billing; private dedicated IPs (not shared with other users); option to rotate.
Decentralized VPN (dVPN) Participation
Involvement in decentralized VPN networks or community-run node architectures (beyond the standard centralized model). Scored 0-5.
Acknowledges and integrates with at least one decentralised privacy network (Tor support, mesh routing, or third-party dVPN compatibility).
Native dVPN client (Mysterium, Orchid, Sentinel) or first-class Tor integration; user-runnable nodes; payment in privacy coins; documented threat model for decentralised vs. centralised trade-offs.
AI-Based Threat Detection
Use of AI/ML technologies to enhance security (e.g. detect malicious traffic, network anomalies, or threats in real time). Scored 0-5.
Documented use of automated/ML systems for at least one security purpose (DDoS detection, malicious-domain reputation, anomaly detection on the management plane).
Published technical detail on AI/ML usage; data inputs do not include user payload or routing metadata; opt-out controls documented; vendor and model lineage disclosed.
Linux Support Quality
Quality of support for Linux users (native client availability, feature parity, and ease of use on Linux). Scored 0-5.
Native CLI or GUI Linux client available for major distributions (Ubuntu, Debian, Fedora, Arch); core privacy features (kill-switch, protocol selection) functional.
Native GUI + CLI with full feature parity; package manager distribution (apt/dnf/AUR); systemd-resolved integration; Wayland support; reproducible-build provenance; first-class Flatpak/Snap availability.
Router Support
Quality of router support including dedicated firmware, apps, or comprehensive setup guides. Scored 0-5.
Manual configuration guides for OpenWrt, DD-WRT, Asus-Merlin, or pfSense; OpenVPN/WireGuard config files downloadable from account dashboard.
Custom router firmware or first-class router app (FlashRouters partnership, native pfSense plugin, Vilfo); per-device routing rules; support for split tunnelling at router level; tested across mainstream router hardware with published compatibility matrix.
Data Collection Methodology
Primary Sources
- Direct Testing: Speed tests, leak tests, feature verification
- Official Documentation: Privacy policies, terms of service, technical specifications
- Third-Party Audits: Published audit reports and security assessments
- Court Documents: Legal cases, warrant canaries, transparency reports
- Technical Analysis: Protocol inspection and application analysis
Secondary Sources
- Expert Reviews: Security researchers and privacy advocates
- Community Reports: User experiences and independent testing
- News Coverage: Data breaches, government requests, policy changes
- Industry Analysis: Competitive analysis and market research
Quality Standards & Transparency
Evaluation Principles
- Evidence-based assessment with verifiable sources
- Independent testing across multiple platforms
- Regular updates reflecting security landscape changes
- Transparent methodology with public documentation
- Conflict of interest disclosure and bias mitigation
Update Frequency
- Full Reviews: Annual comprehensive assessment
- Critical Updates: Immediate response to security issues
- Performance Testing: Quarterly speed and reliability tests
- Policy Monitoring: Ongoing tracking of privacy policy changes
- Market Changes: Response to ownership changes or incidents
Minimum Acceptable Standards
Privacy-Critical Users
- Proven no-logs policy
- Privacy-friendly jurisdiction
- Strong leak protection
- Independent security audits
Performance Users
- Minimal speed impact
- Modern protocol support
- Reliable connections
- Global server coverage
Censorship Bypass
- Obfuscation capabilities
- Stealth protocols
- Regular circumvention updates
- Proven track record
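The two parts of the framework that the page states in words but not in code are the weighted aggregation of the 28 sub-criteria into a trust score and the minimum-standard gates for each user profile. The following is an added example, not the page's own scoring code: it lists the 28 criteria under their six categories as the page names them, computes a weighted score, and reports which gate criteria a provider fails to clear. The category weights, the pass mark of 3 out of 5, and the mapping of each profile's bullet points to specific criteria are assumptions, since the page does not publish them.

```python
"""Weighted trust score and minimum-standard gates for the 28-criteria framework (added example)."""

CATEGORIES = {
    "Core Privacy & Security": [
        "Jurisdiction", "Audited No-Logs Policy", "Security Protocols", "Encryption", "Leak Protection",
    ],
    "Infrastructure": ["Owned Infrastructure", "RAM-Only Servers"],
    "Transparency & Trust": [
        "Transparency – Ownership", "Independence & Integrity",
        "Bug Bounty & Security Disclosure", "Incident Response",
    ],
    "Business & Usability": [
        "Speed Performance", "Platform Availability", "Streaming / Geo-Unblocking",
        "Customer Support", "Pricing & Refund Policy", "Payment Options",
    ],
    "Ethics & Additional Features": [
        "Ethical Practices & Reputation", "Ad-Blocker / Threat Protection", "Additional Features",
    ],
    "Specialized Technical Assessments": [
        "Bypassing Censorship", "Open-Source Transparency", "Post-Quantum Security (PQC)",
        "Static / Dedicated IP", "Decentralized VPN (dVPN) Participation",
        "AI-Based Threat Detection", "Linux Support Quality", "Router Support",
    ],
}
ALL_CRITERIA = [c for crits in CATEGORIES.values() for c in crits]

# Assumed category weights (the page only says categories are weighted); they sum to 1.
WEIGHTS = {
    "Core Privacy & Security": 0.35,
    "Infrastructure": 0.10,
    "Transparency & Trust": 0.15,
    "Business & Usability": 0.15,
    "Ethics & Additional Features": 0.10,
    "Specialized Technical Assessments": 0.15,
}
MAX_SCORE = 5
PASS_MARK = 3   # assumed: a gate criterion must score at least 3 of 5

# Assumed mapping of each profile's "Minimum Acceptable Standards" bullets to criteria.
PROFILE_GATES = {
    "Privacy-Critical Users": [
        "Audited No-Logs Policy", "Jurisdiction", "Leak Protection", "Bug Bounty & Security Disclosure",
    ],
    "Performance Users": ["Speed Performance", "Security Protocols", "Platform Availability"],
    "Censorship Bypass": ["Bypassing Censorship", "Security Protocols"],
}


def validate_scores(scores):
    """Reject score sheets that are incomplete, carry unknown names, or leave the 0-5 range."""
    missing = set(ALL_CRITERIA) - scores.keys()
    extra = scores.keys() - set(ALL_CRITERIA)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(extra)}")
    for name, value in scores.items():
        if not isinstance(value, int) or not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{name}: score must be an integer from 0 to {MAX_SCORE}")
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1")


def category_scores(scores):
    """Mean 0-5 score per category."""
    validate_scores(scores)
    return {cat: sum(scores[c] for c in crits) / len(crits) for cat, crits in CATEGORIES.items()}


def trust_score(scores):
    """Weighted score on a 0-100 scale, rounded to one decimal."""
    means = category_scores(scores)
    total = sum(WEIGHTS[cat] * means[cat] / MAX_SCORE for cat in CATEGORIES)
    return round(total * 100, 1)


def unmet_minimums(scores, profile):
    """Gate criteria for the profile that score below the pass mark (empty = provider qualifies)."""
    validate_scores(scores)
    return [c for c in PROFILE_GATES[profile] if scores[c] < PASS_MARK]


if __name__ == "__main__":
    # Constructed score sheet: a solid provider whose no-logs claims have never been audited.
    sheet = {c: 4 for c in ALL_CRITERIA}
    sheet["Audited No-Logs Policy"] = 2
    print("trust score:", trust_score(sheet))
    for profile in PROFILE_GATES:
        print(profile, "->", unmet_minimums(sheet, profile) or "meets minimums")
```

The gate is kept separate from the weighted score on purpose: a high overall number must not paper over a failed privacy-critical criterion, which is the point of listing minimum standards per user profile.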
