Most VPN review sites spend pages comparing speeds and prices. Almost none of them tell you where the VPN company is legally registered: and why that address could make the difference between your data staying private and ending up in a government database.
This guide explains what VPN jurisdiction means, which countries protect your privacy by law, which ones do not, and how to verify where your VPN is actually based before you trust it with your traffic.
What Is VPN Jurisdiction?
VPN jurisdiction refers to the country where a VPN provider is legally incorporated and therefore subject to local laws. It is not about where the VPN servers are located: a VPN headquartered in the United States can operate servers in Switzerland, but it remains bound by US law. Jurisdiction determines which government can compel the VPN company to hand over user data, respond to court orders, or comply with national surveillance programs. A VPN based in a Five Eyes country: the US, UK, Canada, Australia, or New Zealand: can be required to log and share user data under laws like the US PATRIOT Act or the UK Investigatory Powers Act. A VPN based in Switzerland or Panama operates under different legal frameworks with no equivalent mandatory disclosure requirements. For users who rely on a VPN for privacy, the provider's jurisdiction is as important as its no-logs policy.
The Intelligence-Sharing Alliances
The Five Eyes, Nine Eyes, and 14 Eyes are intelligence-sharing agreements between Western governments. Member countries routinely share signals intelligence: including internet surveillance data: with each other. A VPN based in any of these countries is potentially subject to cross-border data requests even if its home country does not have strict data retention laws of its own.
| Alliance | Members | Risk for VPN users |
|---|---|---|
| Five Eyes | US, UK, CA, AU, NZ | High: full data sharing, legal compulsion |
| Nine Eyes | Five Eyes + FR, NL, DK, NO | Medium-High: extended sharing agreements |
| 14 Eyes | Nine Eyes + DE, BE, IT, ES, SE | Medium: coordinated surveillance programs |
| Outside all alliances | CH, PA, IS, RO, BVI | Low: no mandatory data sharing treaties |
Privacy-Friendly Jurisdictions
These countries have no data retention mandates and are not part of any major intelligence-sharing alliance. VPNs registered here are not legally required to log user activity or respond to foreign government data requests.
- Switzerland: Not a member of the EU or Five/Nine/14 Eyes. Governed by the Federal Act on Data Protection (FADP), which is one of the strictest privacy frameworks in the world. Swiss courts require a high burden of proof before ordering data disclosure. ProtonVPN is incorporated here.
- Panama: No data retention laws. No intelligence-sharing treaties with the US or EU. NordVPN is incorporated in Panama.
- Iceland: Strong constitutional privacy protections. Not a Five Eyes member despite close ties with NATO. Favorable for privacy-focused businesses.
- British Virgin Islands: Independent legal system from the UK. No data retention requirements. ExpressVPN is incorporated here.
Higher-Risk Jurisdictions
VPNs based in these countries are subject to laws that can compel data logging, disclosure, or ongoing surveillance: regardless of what their privacy policies claim. A no-logs policy does not protect you if the government can legally require the company to start logging tomorrow.
- United States: National Security Letters (NSLs) allow the FBI to demand user data with no judicial oversight and include a gag order preventing the company from disclosing the request. The PATRIOT Act enables broad surveillance authority.
- United Kingdom: The Investigatory Powers Act 2016 (the "Snoopers Charter") requires internet providers to retain connection records for 12 months and grants government agencies bulk data collection powers.
- Australia: The Telecommunications and Other Legislation Amendment Act 2018 requires companies to build backdoor access into encrypted products on government request.
- Germany: A 14 Eyes member with active data retention legislation. German courts have compelled VPN providers to log users in criminal investigations.
How to Verify Your VPN's Jurisdiction
VPN providers do not always make their jurisdiction obvious. Some registered in privacy-friendly countries have parent companies in higher-risk ones. Here is how to check what you are actually dealing with.
- Check the About page: Look for the registered company name and country: not just the server locations listed on the website.
- Search the national business registry: Most countries have public company registries. Search the VPN's parent company name to confirm incorporation country.
- Read the privacy policy carefully: Look for language about government requests, warrant canaries, and what law governs the policy.
- Check for a parent company: Some VPNs are owned by larger companies registered elsewhere. Kape Technologies (UK/Israel) owns several VPN brands registered in privacy-friendly countries.
Which VPNs Passed Our Jurisdiction and Leak Tests?
In our 2026 VPN testing, we cross-referenced jurisdiction with real leak test results. The five VPNs that passed all five technical checks: Mullvad (Sweden/14 Eyes), ProtonVPN (Switzerland), ExpressVPN (British Virgin Islands), NordVPN (Panama), and IVPN (Gibraltar): cover a range of jurisdictions. Mullvad is the outlier: Sweden is a 14 Eyes member, but Mullvad has a proven track record of refusing government requests and operates a strict no-logs architecture verified by independent audit.
Jurisdiction matters, but it is one factor among several. A VPN in Panama with a weak no-logs policy is less trustworthy than a VPN in Sweden with court-tested privacy protections and a published audit. Read our full no-logs VPN policy guide to understand how to evaluate both factors together.
Frequently Asked Questions
Does VPN jurisdiction affect server locations?
No. A VPN can have servers in any country regardless of where it is incorporated. Jurisdiction refers to the company's legal home, not its server network. You can connect to a Swiss server through a US-based VPN and still be subject to US law.
Is a VPN in the British Virgin Islands safe?
The BVI has an independent legal system separate from the UK and no data retention laws. However, the BVI can respond to requests through mutual legal assistance treaties (MLATs) in criminal cases. For most users, a reputable BVI-based VPN with a verified no-logs policy is a low-risk choice.
Can a VPN in a Five Eyes country still protect my privacy?
Yes, if it has a verified no-logs policy. If there is nothing to hand over, a government request produces nothing useful. Mullvad (Sweden, 14 Eyes) and IVPN (Gibraltar, UK territory) both operate with strict no-logs architectures that have been independently audited and court-tested.
What is a warrant canary?
A warrant canary is a statement in a VPN's transparency report confirming it has not received a secret government request. When the canary disappears from future reports, it signals: without violating a gag order: that a request has been received. Not all VPNs maintain warrant canaries.
Does Switzerland protect VPN users from US requests?
Switzerland processes US data requests through a formal MLAT procedure that requires Swiss judicial approval. This provides stronger protection than VPNs subject to US law directly, but it is not an absolute shield in serious criminal cases. The Swiss FADP provides strong baseline privacy protections for most users.