[01CGAT]

I think this is true. We want to be as honest and open as possible, that includes being honest about the laws we have to comply too. On the other hand, we have a strict no log policy, we have nothing to hand over to authorities accept for the registered email address, a hashed password and the last 4 numbers of a creditcard. Authorities will need to find different ways to get the information they want.

[jacquesm]

A 'no log policy' is a hard one, it may be true but you can't really prove a negative. So it is as good as your word and your reputation, which in this case may be very good but it may not be enough to reduce skepticism.

FWIW I do tech DD for a living and I've seen several places that had 'no log' policies on the outside and yet they would occasionally - or even structurally - log data in order to comply with the law.

The 'WBT' (Retenion duty for Telecommunicationsdata) has been disbanded, which should work to your advantage, but the GDPR makes explicit room for the accomodation of legal and regulatory requirements and this in turn may transcend your 'no log' policy. Please make sure you have appropriate legal advice on the subject, it is complex and getting it wrong can really bite you.

Best of luck with your company!

[j3th9n]

Your comment makes me think of a "Warrant canary" which we could set up to inform our customers that we have been served with a government subpoena: https://en.wikipedia.org/wiki/Warrant_canary

Thanks!

[mike_hock]

Is anything a VPN company says any better than their reputation? We can't see what's going on behind closed doors.

Even the authorities asking for data have an interest in keeping the VPN's reputation alive in case the VPN does cooperate.