{"id":571,"date":"2024-05-16T08:56:55","date_gmt":"2024-05-16T08:56:55","guid":{"rendered":"https:\/\/privascore.org\/?page_id=571"},"modified":"2026-01-13T11:51:30","modified_gmt":"2026-01-13T11:51:30","slug":"priva-score-vpn-dienste","status":"publish","type":"page","link":"https:\/\/privascore.org\/en\/priva-score-vpn-dienste\/","title":{"rendered":"PRIVA SCORE: VPN services"},"content":{"rendered":"<p class=\"has-base-2-background-color has-background\"><strong>Update January 2026<\/strong><br><strong>Summary<\/strong>The PRIVA SCORE evaluates VPN services regarding their privacy features and can achieve a maximum of 294 points. <strong>Proton VPN, Express VPN<\/strong> and <strong>CyberGhost<\/strong> have the highest level of data protection. <strong>Mullvad<\/strong> and <strong>SurfShark<\/strong> miss due to <a href=\"#jurisdiktion\">Jurisdiction<\/a> just shy of the top rating, but due to the <a href=\"#protokoll\">No-logs policy<\/a> Still, solid options. <\/p>\n\n\n\n<p><br><strong>The PRIVA SCORE can receive a maximum of 294 points based on the calculation used to evaluate VPN services. <\/strong><br>As always, the PRIVA SCORE evaluates how well apps\/services <a href=\"#datenschutzfunktionen\">Data protection features<\/a> fulfill. <\/p>\n\n\n\n<p><\/p>\n\n\n\n<details class=\"wp-block-mamaduka-toggles wp-block-toggles\"><summary><strong>What is a VPN and why should you use a VPN? <\/strong>(Click to open and close)<\/summary><div class=\"wp-block-toggles__content\">\n<ul class=\"wp-block-list\">\n<li>Virtual private networks (VPNs) offer a good mix of security and privacy by routing Internet traffic through a secure &quot;tunnel&quot;. The secure tunnel leads to the provider&#039;s VPN server and encrypts all data between the end device (smartphone, computer, tablet...) and this server. This ensures that someone monitoring the traffic will not find any usable, unencrypted data.<\/li>\n\n\n\n<li><strong>Data protection is increased by using such a server<\/strong>. Since the data traffic appears to originate from the VPN server, it is more difficult for websites to track users, collect data about them and determine their locations. A VPN service should also always be used when using a public WiFi network - for example in a caf\u00e9, on the train or in a shopping center. Without the VPN, the Internet provider of the public WiFi network can see the addresses of all the pages accessed, for example. <\/li>\n\n\n\n<li><strong>While VPNs offer greater privacy and security, they do not provide complete anonymity.<\/strong> VPNs are not a perfect anonymity solution - even if some providers advertise them as such. It is true that VPNs can hide your IP address and location. This is helpful for data protection and security (see above) or when accessing blocked content. Because a VPN can bypass geographical restrictions, it is possible to access content that is blocked in your own country. This ranges from the content of streaming services to bypassing firewalls. In some autocratic states, firewalls are used to deny the population access to unadulterated information. These firewalls can be bypassed using a VPN in order to obtain unadulterated information.<\/li>\n\n\n\n<li><strong>VPNs do not protect against all types of surveillance<\/strong>, such as browser fingerprinting (a digital fingerprint is essentially a list of characteristics that are unique to individual users, their browsers and devices used), malware or physical surveillance.<\/li>\n\n\n\n<li>Even if the VPN provider does not keep logs, a certain level of trust in the provider is still required. Because it is not absolutely certain how the provider will behave in the event of an official summons. Another reason: logging in with your login details on a site like Amazon results in clear identification, which a VPN obviously does not protect against. <\/li>\n\n\n\n<li><strong>Complete anonymity on the Internet is virtually impossible to achieve, as there are always ways to identify users beyond a VPN.<\/strong> <strong>However, a VPN reduces the \u201cattack surface\u201d.<\/strong><\/li>\n<\/ul>\n<\/div><\/details>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><strong>This update<\/strong> <strong>Stricter traffic light thresholds apply:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Green (Highly recommended):<\/strong> 294 points \u2013 Only VPN services that <strong>all<\/strong> Perfectly fulfills criteria<\/li>\n\n\n\n<li><strong>Yellow (Recommended with reservations):<\/strong> 273-259 points \u2013 VPN services with individual weaknesses in jurisdiction, audits or tracking<\/li>\n\n\n\n<li><strong>Red (Not recommended):<\/strong> &lt;135 points \u2013 Fundamental data protection deficiencies<\/li>\n<\/ul>\n\n\n\n<p>This strict interpretation reflects the reality that even small data protection gaps can be problematic in today&#039;s surveillance landscape.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p id=\"die-perfekten-nur-drei-vpn-dienste-erfllen-alle-an\"><strong>The Perfect Ones: Only three VPN services meet all requirements (GREEN)<\/strong><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>ExpressVPN<\/strong> is one of only three VPN services to achieve the highest rating in a rigorous evaluation. <a href=\"#jurisdiktion\">Jurisdiction<\/a> The British Virgin Islands are outside all surveillance alliances (5\/9\/14 Eyes) and do not mandate data retention. <a href=\"#protokollierung\">No-logs policy<\/a> was through <strong><a href=\"#audits\">23 independent audits<\/a><\/strong> Verified, including three KPMG audits (most recently in February 2025). TrustedServer technology uses exclusively RAM-based servers without hard drives. The real proof: When Turkish authorities seized the servers in 2017, no user data was found.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>CyberGhost<\/strong> Based in Romania, the company benefits from EU data protection laws that do not require data retention. The company underwent audits in 2022 and 2024. <a href=\"#audits\">independent audits<\/a> through <strong>Deloitte Romania<\/strong>, who confirmed that no user activity is logged. The kill switch is permanently active and cannot be deactivated for security reasons. The transparency reports are exemplary: In Q2 2024, <strong>534,449 legal inquiries<\/strong> one, which all had to be rejected because no user data existed.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>ProtonVPN<\/strong> uses the <strong>strict Swiss data protection laws<\/strong> It looks ideal. Switzerland lies outside all surveillance alliances and is considered one of the most privacy-friendly countries. <a href=\"#jurisdiktion\">Jurisdictions<\/a> worldwide. Successive audits by <strong>Security<\/strong> (2022-2024) confirmed the <a href=\"#protokoll\">No-logs policy<\/a> through inspection of server configurations and management systems. The transparency report documents that all official requests for information on user activity had to be rejected.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p id=\"die-guten-mit-vorbehalten-acht-vpn-dienste-mit-ein\"><strong>The good ones with reservations: Eight VPN services with individual weaknesses (YELLOW)<\/strong><\/p>\n\n\n\n<p><strong>NORD VPN: Why only a YELLOW rating despite its Panama headquarters and Deloitte audits?<\/strong> An investigation by IT security researcher Mike Kuketz (October 2025) revealed that the NordVPN app <strong>immediately after the start<\/strong> Establishes data connections to Google Firebase, Firebase Crashlytics and AppsFlyer \u2013 still <strong>before<\/strong> User consent is not required. This violates German data protection law and GDPR principles.<\/p>\n\n\n\n<p>On the plus side, Panama is outside the Eyes alliances, and the no-logs policy for VPN traffic has been confirmed by five audits (PwC, Deloitte). However, the app tracking disqualifies NordVPN from a green rating. <strong>stricter<\/strong> Interpretation of the criterion \u201c<a href=\"#datenweitergabe\">No data sharing<\/a>&#8222;.<\/p>\n\n\n\n<p>\u200b<strong>SurfShark:<\/strong> <strong>Why only YELLOW?<\/strong> Surfshark moved from the British Virgin Islands to the <strong>Netherlands<\/strong> um. The Netherlands are part of the <strong>Nine Eyes Alliance<\/strong>This poses theoretical surveillance risks. Strictly speaking, the fact that there is no legal obligation to retain data is not sufficient to compensate for Eyes membership.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>On the positive side: A Deloitte audit in January 2023 confirmed the no-logs policy; all servers run in RAM-only mode. However, the jurisdiction prevents a green rating.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<p><strong>Mullvad:<\/strong> <strong>Why only YELLOW despite the legendary police raid?<\/strong> Mullvad is in <strong>Sweden<\/strong> resident, a <strong>14-Eyes member<\/strong>. Under strict assessment, membership in a surveillance alliance carries significant weight, even though Swedish law does not oblige Mullvad to store data.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>The spectacular police raid in April 2023 practically proved the no-logs policy (six officers left the office without any data), and Cure53\/Assured AB conducted positive audits. But the jurisdiction prevents it from being certified green.<\/p>\n\n\n\n<p>\u200b<strong>Bitdefender Premium VPN: Why only YELLOW?<\/strong> Bitdefender uses the partner&#039;s infrastructure. <strong>Pango<\/strong>The audits were conducted at the infrastructure level (Aon Cyber Solutions, November 2022), not directly for Bitdefender itself. Under strict criteria, an indirect audit via a third-party provider is insufficient for a green rating.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<p>Positive aspects: Romanian headquarters (privacy-friendly), all technical tests passed, AES-256 encryption. However, the lack of direct Big Four audits prevents a green rating.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<p><strong>Perfect Privacy:<\/strong> <strong>Why only YELLOW?<\/strong> Perfect Privacy has <strong>no formal audits<\/strong> by renowned auditing firms. Under strict assessment, the lack of independent audits is a deal-breaker for green certification, even if the server seizure in 2016 served as a &quot;practical stress test&quot;.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Positive: Swiss jurisdiction, server seizure in 2016 yielded zero data, RAM disk operation. But without a formal audit, only a yellow rating.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Norton Secure VPN:<\/strong> <strong>Why only YELLOW?<\/strong> Norton is in the <strong>USA<\/strong> based in a founding member of the <strong>Five Eyes Alliance<\/strong>And given the behavior of the administration-Big Tech alliance, US jurisdiction is a fundamental problem, even if the technical implementation is flawless.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Positive: The VerSprite audit of 2025 confirmed a no-logs policy (data privacy risk: &quot;None&quot;), and all technical safeguards are in place. However, in the USA, the company automatically receives a yellow rating under strict assessments.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p id=\"die-nicht-empfehlenswerten-zwei-vpn-dienste-mit-fu\"><strong>The Not Recommended: Two VPN Services with Fundamental Flaws (RED)<\/strong><\/p>\n\n\n\n<p><strong>Ivacy: Why RED?<\/strong> Ivacy only inadequately meets several critical criteria:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Singapore jurisdiction<\/strong>Close cooperation with Five Eyes countries<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>No independent audits<\/strong>Zero verification of the no-logs claims<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Problematic parent company<\/strong>Gaditek also operates other VPN services with questionable data protection practices.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/www.01net.com\/en\/vpn\/ivacy\/\"><\/a><\/p>\n\n\n\n<p>Under strict evaluation, the combination of unverified no-logs promises and problematic corporate structure completely disqualifies Ivacy.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Avira Phantom VPN:<\/strong> <strong>Why RED?<\/strong> Avira Phantom is the worst VPN service in the test:<\/p>\n\n\n\n<p><strong>Explicitly stores IP addresses<\/strong>No true no-logs policy<\/p>\n\n\n\n<p>\u200b<strong>No audits<\/strong>Zero independent verification<a href=\"https:\/\/www.01net.com\/en\/vpn\/avira-phantom\/safe\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Tracking possible<\/strong>IP address storage enables user tracking<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/www.01net.com\/en\/vpn\/avira-phantom\/safe\/\"><\/a><\/p>\n\n\n\n<p>Avira Phantom does not meet the minimum requirements for a privacy-oriented VPN service and is not suitable for security-conscious users. <strong>Not recommended<\/strong>.<\/p>\n\n\n\n<p>\u200b<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;69def524a52eb&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"69def524a52eb\" class=\"wp-block-image size-medium wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"182\" height=\"300\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/privascore.org\/wp-content\/uploads\/2026\/01\/VPN_Update_260109-182x300.webp\" alt=\"\" class=\"wp-image-845\" srcset=\"https:\/\/privascore.org\/wp-content\/uploads\/2026\/01\/VPN_Update_260109-182x300.webp 182w, https:\/\/privascore.org\/wp-content\/uploads\/2026\/01\/VPN_Update_260109-622x1024.webp 622w, https:\/\/privascore.org\/wp-content\/uploads\/2026\/01\/VPN_Update_260109-768x1263.webp 768w, https:\/\/privascore.org\/wp-content\/uploads\/2026\/01\/VPN_Update_260109-7x12.webp 7w, https:\/\/privascore.org\/wp-content\/uploads\/2026\/01\/VPN_Update_260109.webp 837w\" sizes=\"auto, (max-width: 182px) 100vw, 182px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"state.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewbox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"datenschutzfunktionen\">Data protection features<\/h3>\n\n\n\n<p id=\"datenweitergabe\"><strong>No data sharing<\/strong><\/p>\n\n\n\n<p>The VPN provider must be technically and legally unable to share your data with third parties. This is determined by jurisdiction, infrastructure (RAM servers), and business practices.<\/p>\n\n\n\n<p id=\"protokoll\">\u200b<strong>No logging<\/strong><\/p>\n\n\n\n<p>The provider does not store any data about your online activities (websites visited, downloads, connection times). Even in the case of official inquiries, no information is available.<\/p>\n\n\n\n<p id=\"jurisdiktion\">\u200b<strong>Jurisdiction<\/strong><\/p>\n\n\n\n<p>The legal location determines which monitoring laws the provider is subject to. <strong>5-Eyes<\/strong> (USA, UK, Canada, Australia, New Zealand), <strong>9-Eyes<\/strong> (+Netherlands, France, Denmark, Norway) and <strong>14-Eyes<\/strong> Germany, Sweden, Belgium, Italy, and Spain have surveillance agreements. More privacy-friendly: Switzerland, Panama, the British Virgin Islands, and Romania.<\/p>\n\n\n\n<p id=\"audits\">\u200b<strong>Independent audits<\/strong><\/p>\n\n\n\n<p>External security experts (KPMG, Deloitte, Cure53, Securitum) verify whether the promises are kept. Audits inspect servers, code, and processes.<\/p>\n\n\n\n<p>\u200b<strong>Kill Switch<\/strong><\/p>\n\n\n\n<p>Emergency shutdown that blocks the entire internet in case of a VPN connection failure to prevent accidental data transmission over the unprotected connection.<\/p>\n\n\n\n<p>\u200b<strong>IP leak protection<\/strong><\/p>\n\n\n\n<p>Prevents your real IP address (which reveals your location) from being visible despite an active VPN connection.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>DNS leak protection<\/strong><\/p>\n\n\n\n<p>Prevents DNS queries (website requests) from going to your internet provider&#039;s servers, where they could be logged. Good VPNs use their own encrypted DNS servers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Conclusion: Strict assessment for maximum safety<\/h3>\n\n\n\n<p>At <strong>strict interpretation<\/strong> Only those who meet the data protection criteria can achieve them. <strong>ExpressVPN, CyberGhost and Proton VPN<\/strong> The green rating. These three VPN services perfectly meet all seven criteria without exception and are highly recommended for the highest data protection requirements.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>rated yellow<\/strong> Eight VPN services (NordVPN, Surfshark, Mullvad, Bitdefender, Perfect Privacy, Norton) also offer good data protection, but have individual weaknesses: problematic jurisdictions (Eyes alliances), app tracking, lack of direct audits, or US location. For most users, they are still acceptable, but not perfect.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Ivacy and Avira Phantom<\/strong> are under strict evaluation <strong>Not recommended<\/strong>: Missing audits, problematic data logging and unfavorable jurisdictions disqualify these services for privacy-conscious users.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Recommendation:<\/strong> Choose one of the three green-rated VPN services for maximum data protection. If budget or specific requirements are a factor, the yellow-rated services can also be considered \u2013 but be sure to check their respective limitations.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\" id=\"datenschutzfunktionen\">Explanation of data protection features<\/h2>\n\n\n\n<p id=\"audits\"><strong>Independent audits<\/strong>: Some VPN providers have their systems and practices audited by independent third parties to ensure transparency and trust. Such audits confirm that privacy promises are being kept.<\/p>\n\n\n\n<p id=\"protokollierung\"><strong>No logging<\/strong>: VPN providers that do not keep logs of their users do not store any information about their activities (sites visited, etc.).<\/p>\n<\/div>\n\n\n\n<p id=\"datenweitergabe\"><strong>No data transfer to third parties<\/strong>: Trustworthy VPN providers do not share their users&#039; data with governments, authorities or other third parties. They protect the privacy of their customers.<\/p>\n\n\n\n<p><strong>Kill Switch<\/strong>: Its function is to automatically interrupt the Internet connection if the VPN connection is unexpectedly lost. The kill switch prevents the device&#039;s real IP address from being revealed if the VPN connection is lost. This ensures that users&#039; data remains protected.<\/p>\n\n\n\n<p id=\"ip\"><strong>IP leak protection<\/strong>: This feature prevents users&#039; real IP addresses from accidentally leaking outside the VPN tunnel and thus revealing their identity. An IP address is a unique numerical identifier assigned to each device on a computer network or the Internet to enable communication and identification between devices.<\/p>\n\n\n\n<p id=\"dns\"><strong>DNS leak protection<\/strong>: This protection ensures that DNS requests are not directed to the user&#039;s actual Internet provider, but to secure DNS servers of the VPN provider. A DNS (Domain Name System) is a distributed directory system that translates domain names into the corresponding IP addresses to enable communication between computers on the Internet.<\/p>\n\n\n\n<p id=\"jurisdiktion\"><strong>Jurisdiction<\/strong>: The location of the VPN provider and the laws that apply there are important for data protection. Providers in countries with strict data protection laws offer greater security.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Update January 2026 Summary: The PRIVA SCORE evaluates VPN services based on their privacy features and can achieve a maximum of 294 points. Proton VPN, ExpressVPN, and CyberGhost have the highest level of privacy. Mullvad and SurfShark narrowly miss the top score due to jurisdiction, but are still solid options thanks to their no-logs policies. The PRIVA SCORE can vary depending on the calculation method used in the evaluation [\u2026]<\/p>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"class_list":["post-571","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/pages\/571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/comments?post=571"}],"version-history":[{"count":0,"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/pages\/571\/revisions"}],"wp:attachment":[{"href":"https:\/\/privascore.org\/en\/wp-json\/wp\/v2\/media?parent=571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}