Every score on this site is derived from public, verifiable information — audit reports, jurisdiction records, published pricing, and provider documentation. No first-party lab speed tests. No paid placement. This page explains exactly what goes into each number.
If a score seems wrong, tell us — and link the source. We'll update it.
Each VPN receives eight sub-scores (0–100), which are combined into a single weighted score:
Weights reflect the priorities of the median privacy-conscious consumer, not a gamer or a casual user. Privacy is weighted highest because it is the fundamental promise of a VPN. Speed is weighted second because a VPN that is secure but unusable fails its users. The weights are locked — they do not change based on which providers perform well. See /ethics for the formal versioning policy.
Privacy is the highest-weighted category because it is the core function of a VPN. We assess four sub-factors: jurisdiction, no-logs policy, independent audit, and additional privacy features.
A VPN's privacy guarantee is only as strong as the legal environment it operates in. We penalise providers based on their registered jurisdiction's intelligence-sharing relationships:
| Jurisdiction tier | Examples | Effect on privacy score |
|---|---|---|
| Privacy-friendly (outside 5/14-Eyes) | Switzerland, British Virgin Islands, Panama, Iceland, Romania | No penalty. Full score available. |
| 14-Eyes member (not 5-Eyes) | Germany, France, Netherlands, Sweden | Up to −5 points depending on domestic data retention laws |
| 5-Eyes member | USA, UK, Canada, Australia, New Zealand | −10 to −15 points. Compelled disclosure risk is structurally higher. |
We check whether the provider's privacy policy explicitly states a no-logs commitment. A clear, unambiguous policy adds baseline points. A vague or partial policy (e.g., "we do not log browsing activity but do log connection timestamps") is treated as a partial claim and scored accordingly.
A no-logs claim that has been independently audited is structurally more credible than one that has not. We recognise audits from established security firms: Cure53, Securitum, Deloitte, KPMG, PWC, and others. Audit recency matters — an audit from 2019 is discounted relative to one from 2024 or 2025.
| Audit status | Score effect |
|---|---|
| Recent (within 18 months) named-firm audit covering no-logs claims | +15 to +20 points |
| Older audit (18–36 months) | +8 to +12 points |
| Audit of infrastructure only (not no-logs policy) | +4 to +6 points |
| No independent audit | 0 additional points |
Warrant canary (+3), RAM-only servers (+5), cryptocurrency payment accepted (+3), open-source client (+4). These are additive, not substitutes for an audit.
We do not run first-party speed tests. Speed is an editorial score derived from three public-data inputs:
Speed scores will be updated when protocol changes are announced or when a meaningful new benchmark dataset is published. The current scores reflect the protocol state as of June 2026.
Security scoring covers the technical controls a VPN deploys to prevent data leakage. All information is sourced from provider documentation, support pages, and independent security write-ups.
| Control | Assessed from | Score effect |
|---|---|---|
| AES-256 or ChaCha20 encryption | Provider technical docs | Baseline expectation. Absence is a heavy penalty. |
| Kill switch (system-level) | Provider feature pages | +8 points. Required for serious privacy use. |
| DNS leak protection | Provider docs + leak-test reputation | +6 points |
| IPv6 leak protection | Provider docs | +4 points |
| Perfect Forward Secrecy | Protocol documentation | +5 points. Prevents retroactive decryption if long-term keys are compromised. |
| Multi-hop / double VPN | Provider feature pages | +4 points |
| Obfuscation (stealth mode) | Provider feature pages | +3 points. Critical for China/UAE use cases. |
| Independent security audit | Published audit reports | +6 to +10 points (overlaps with Privacy audit) |
Streaming is lower-weighted because it is a secondary use case — important to many users, but not the core privacy and security function of a VPN. Scores are based on:
We explicitly do not claim to have tested each provider against each platform. If we have run a specific test, it will be disclosed on the relevant page with a date and testing conditions.
Value scores are calculated from published long-term plan pricing (typically 1-year or 2-year plans), verified directly from provider websites as of 2026-06-09. We do not use promotional pricing that may expire, and we note when a displayed price requires a multi-year commitment.
| Monthly equivalent price (long-term plan) | Score |
|---|---|
| Free (with meaningful free tier) | 95–100 |
| Under $2.00/mo | 88–94 |
| $2.00–$3.50/mo | 78–87 |
| $3.51–$5.00/mo | 65–77 |
| $5.01–$7.00/mo | 52–64 |
| Above $7.00/mo | 40–51 |
Value is adjusted upward for generous money-back guarantees (45-day or longer = +3 points) and downward when the long-term price requires a 2-year commitment to achieve the advertised rate (single-year pricing is used as the baseline if it differs significantly).
Ethics is the most opinionated category, and we are deliberate about documenting exactly how it works. It covers ownership transparency, corporate structure, audit history, and incident record.
Providers whose parent company, investors, and key executives are publicly disclosed score higher than those with opaque ownership structures. This is binary at the extreme ends: fully transparent (+10) vs. entirely opaque (−15).
KAPE Technologies (formerly Crossrider, a company with a documented history distributing adware) owns ExpressVPN, CyberGhost, Private Internet Access, and Zenmate. We apply a structural penalty of −15 points to KAPE-owned providers.
This does not mean these VPNs are unsafe today — ExpressVPN has a recent KPMG audit and strong technical controls. It means the ownership history is a material fact that users deserve to know. The penalty reflects the information asymmetry, not a prediction of misconduct. See /ethics for full details and how we'd revise this.
Proton AG (Proton VPN) operates under Swiss foundation law with a non-profit parent. This is a structurally different incentive model from a VC-backed commercial provider. We award +10 points for verified non-profit or mission-locked structures.
Open-source client applications can be independently audited by anyone. We award +5 points for fully open-source clients (not just open-source protocols). Mullvad and Proton VPN qualify. NordVPN and ExpressVPN do not (proprietary clients).
Security incidents, data breaches, or court-ordered disclosure events are penalised. The penalty scales with recency and severity. We cite specific incident reports; see DATA-SOURCES.md for details.
Apps scoring reflects platform breadth. The baseline expectation in 2026 is Windows, macOS, iOS, and Android. Additional platform support adds points:
| Platform | Score effect |
|---|---|
| Windows + macOS + iOS + Android (baseline) | Baseline 70 points |
| Native Linux app (not just manual config) | +8 points |
| Router firmware or native router app | +6 points |
| Browser extensions (Chrome/Firefox) | +4 points |
| Smart TV / Fire TV app | +5 points |
| Android TV | +3 points |
Simultaneous device connections determine how many devices a single subscription can protect at once. Families and multi-device users place high value on this. The scoring is straightforward:
| Simultaneous connections | Score |
|---|---|
| Unlimited | 95–100 |
| 10 or more | 80–90 |
| 6–9 | 70–79 |
| 5 | 62–68 |
| 3–4 | 50–60 |
| 1–2 | 35–45 |
Providers offering unlimited connections (Surfshark, PIA, Windscribe, Atlas VPN, IPVanish) score 95+ in this category. The 5% weight means this has limited effect on the composite score — it is a tiebreaker, not a determinant.
Composite scores map to the following editorial labels:
| Score range | Label | What it means |
|---|---|---|
| 90–100 | Exceptional | Best-in-class across most categories. Suitable for high-risk users, journalists, or anyone who needs strong all-round protection. |
| 80–89 | Excellent | Strong performance, minor trade-offs. Appropriate for most users. |
| 70–79 | Good | Adequate for general use. Usually a significant weakness in one category (e.g., jurisdiction or no audit). |
| 60–69 | Average | Usable but not recommended when better options exist at similar prices. |
| Below 60 | Below average | Material concerns in one or more categories. Proceed with caution. |
Transparency requires acknowledging limits:
We believe transparency about limits is more valuable than false confidence. If you disagree with a score, contact us with a source link.
Scores change when:
When scores change, we update the DATA-SOURCES.md file with the specific change and rationale. Provider data lives in data/vpn-data.js — the canonical source of record. Every update to scores is tracked in the site's git history.
The scoring weights (Privacy 25%, Speed 20%, etc.) are locked and versioned. They will not change without a public notice on this page and a new version entry in DATA-SOURCES.md. This is to prevent weight manipulation in favour of providers with whom we may have future affiliate relationships. See /ethics.