Independently verified · Quarterly re-audit
EU VETTED

NordVPN

VERIFIED
VPN · Lithuania
Founded 2012 · nordvpn.com ↗

Panama-incorporated VPN (NordVPN S.A.) under NL holding Nord Security, LT operations; Deloitte + PwC no-logs audits, RAM-only diskless servers, ISO 27001.

Why this score?

NordVPN's ownership chain is genuinely complex and not EU-owned in the strict sense. The VPN service is operated by NordVPN S.A. (Panama), historically Tefincom S.A., a Panamanian entity chosen for its no-data-retention jurisdiction. It sits under the Nord Security holding company in Amsterdam, Netherlands, with operations and staff in Vilnius, Lithuania. The 2022 $100M funding round was co-led by US VC General Catalyst alongside Novator (IS) and Burda (DE). The product itself is one of the most rigorously audited consumer VPNs (Deloitte 2023 + PwC no-logs audits, full transition to colocated diskless RAM-only servers, ISO 27001). It is therefore included as a privacy-pick rather than a sovereignty-pick, and the score is held at 2/5, reflecting the Panama incorporation, US-VC participation and the structural fact that this is not an EU-owned company.

SCORE
2.0/5
CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
OVERVIEW

About NordVPN

NordVPN is the flagship product of Nord Security, the Lithuanian cybersecurity group that also operates NordPass, NordLayer, NordLocker, NordStellar and — since the 2022 merger — Surfshark. It is one of the largest consumer VPN services in the world (Nord Security reports more than 20M users across its products with NordVPN accounting for around 15M). It is included in this directory as a **privacy-pick rather than an EU-sovereignty pick** — and the distinction matters, because the ownership chain is unusually layered.

The legal entity that operates the VPN service is **NordVPN S.A.**, registered in **Panama** — historically named Tefincom S.A., this entity was deliberately set up in Panama for its absence of mandatory data-retention laws, which is itself a privacy positioning. The group **holding company** is Nord Security in **Amsterdam, Netherlands**. Day-to-day operations and the bulk of the engineering team are in **Vilnius, Lithuania**. And the cap-table includes US venture capital: the 2022 $100M round was co-led by **General Catalyst** (US) alongside Novator (Iceland) and Burda (Germany). None of those layers makes NordVPN US-incorporated — the CLOUD Act does not apply directly to a Panamanian entity — but the company is also clearly not EU-owned in the way Mullvad (founder-owned Swedish AB) or ProtonVPN (Swiss non-profit Foundation) are.

Where NordVPN is genuinely strong is product security and audit history. Independent **no-logs audits by Deloitte (December 2023) and PwC** validated the no-retention claim; the entire server fleet has been transitioned to **colocated, diskless RAM-only servers** so configuration is loaded fresh on every boot and nothing persists; Nord Security holds **ISO/IEC 27001**; and the product offers WireGuard (NordLynx), kill-switch, multi-hop, Tor-over-VPN, and threat-protection extras.

cloud_act_exposure is set to `minor` rather than `material` to reflect the Panama incorporation + RAM-only architecture (no data-at-rest exposure) — the US-VC stake and likely US payment / CDN sub-processors keep it above `none`.

Pricing is paid-only (no free tier; 30-day money-back): Basic from around €3.99/month on a 2-year plan, Plus and Complete tiers above. The affiliate programme is one of the most lucrative in the entire VPN category — see affiliate block.

Best fit: mainstream privacy-conscious buyers who want a heavily audited, RAM-only no-logs VPN with broad device coverage and aggressive pricing on long commitments. EU buyers who specifically want sovereignty rather than just privacy should prefer Mullvad (SE), ProtonVPN (CH), IVPN, or AirVPN (IT) — all elsewhere in this directory.
SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
FEATURES

Feature matrix

INTEGRATION & ACCESS
REST API No
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
from €4/month
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

  • Data Processing Addendum (DPA)
    business.nordsec.com/legal…
    Open ↗
  • Sub-processors list
    missing
  • Terms of Service
    my.nordaccount.com/legal…
    Open ↗
ALTERNATIVES

Alternatives in this category