A VPN's jurisdiction (where its operating company is based) and its owner shape how much data it can be compelled to keep or hand over. No-retention jurisdictions outside the 5/9/14 Eyes — Panama, Switzerland, the BVI — are favourable; the US, Netherlands and EU states warrant more thought. Ownership matters because several brands share a parent: Kape Technologies owns ExpressVPN, CyberGhost and PIA, while NordVPN and Surfshark share the Nord Security group.
Why jurisdiction matters (and the 5/9/14 Eyes in plain terms)
A VPN is bound by the laws of the country its operating company is based in. Some countries mandate that communications providers retain user data; others do not. A VPN based in a no-retention jurisdiction can credibly run a no-logs policy, because it is not legally required to keep records — which is why jurisdiction is one of the four facts we score.
The "5/9/14 Eyes" refers to intelligence-sharing alliances among groups of countries. A VPN based inside one of these (the US is 5 Eyes; the Netherlands is 9 Eyes) is more exposed to cross-border data requests than one outside them. It is not a disqualifier on its own — a strong audited no-logs posture can matter more — but it is a factor worth weighing. Panama, Switzerland and the British Virgin Islands sit outside these alliances and outside mandatory retention.
Who owns the major VPNs — a verified map
Ownership is the trust fact broad listicles most often skip, yet it is decisive for anyone who cares about not concentrating their privacy across brands with a single owner. Here is what we have verified, as of June 2026.
- Kape Technologies — owns ExpressVPN (BVI), CyberGhost (Romania) and Private Internet Access (US). Three well-known brands, one owner.
- Nord Security group — NordVPN (Panama) and Surfshark (Netherlands) sit within the same group after a February 2022 merger; operated as independent brands.
- Proton — Proton VPN (Switzerland) is majority-owned by the non-profit Proton Foundation, a notably different governance structure.
- Mullvad — founder-owned via Amagicom AB (Sweden); no portfolio-owner incentives.
- Takeaway: choosing two brands under the same owner (e.g. ExpressVPN and CyberGhost, or NordVPN and Surfshark) does not diversify ownership. If that matters to your threat model, pick across owners.
Frequently asked questions
What are the 5, 9 and 14 Eyes for VPNs?
They are intelligence-sharing alliances among groups of countries. A VPN based inside one (the US is 5 Eyes; the Netherlands is 9 Eyes) is more exposed to cross-border data requests than one outside them. It is a factor to weigh, not an automatic disqualifier — a strong audited no-logs posture can outweigh a less ideal jurisdiction.
Which VPNs are owned by the same company?
Kape Technologies owns ExpressVPN, CyberGhost and Private Internet Access. NordVPN and Surfshark both sit within the Nord Security group after a February 2022 merger. Proton VPN is majority-owned by the non-profit Proton Foundation, and Mullvad is founder-owned. Choosing two brands under one owner does not diversify ownership.
Does a VPN's jurisdiction matter more than its audits?
Neither alone tells the whole story. A no-retention jurisdiction outside the 5/9/14 Eyes reduces what a provider can be compelled to log, but a strong, recent, independently audited no-logs posture in a less ideal jurisdiction (as with PIA's court-tested record in the US) can matter more than a weak claim in a perfect one. Weigh jurisdiction, audits and ownership together.
Sources & further reading
An independent publisher comparing VPN services. Our editorial desk verifies every claim against primary sources — the provider's own documentation and the actual audit report — and never accepts payment for a better assessment.