Tools we refuse to affiliate with. And why.

This article costs us money. That’s the point.

Most privacy sites affiliate with every VPN that will have them. The commissions are high. The audits are nonexistent. The reviews are written to convert, not to inform.

We run three affiliate programmes. Total. We turned down the rest. This is the full list of what we said no to, and exactly why.

The rule we applied

Would I use this tool myself in a situation where my security actually depended on it?

Not ‘would I recommend it to someone who doesn’t know better.’ Would I use it. Personally. When it mattered.

If the answer is no, it doesn’t appear on this site. No exceptions. No ‘but the commission is really good.’

NordVPN. why we refused

NordVPN is the most recognised consumer VPN brand in the world. It is also, by any serious OPSEC standard, a marketing company that happens to operate a VPN.

In 2019, one of their servers in Finland was compromised. The breach was concealed for over a year. No user notification. No public disclosure until a third party surfaced it.

A company that hides a breach from its users is not a company that has your security as a priority. It has its brand as a priority. Those are not the same thing.

We don’t affiliate with NordVPN.

Surfshark. why we refused

Surfshark merged with Nord Security in 2022. Same parent company. Same concerns about corporate incentive structure.

Surfshark has never undergone a full independent infrastructure audit in the way Mullvad and Proton have. Their no-logs claims are marketing claims, not audit-verified facts. (See: Proton VPN review 2026.) (See: Mullvad VPN review 2026.)

We don’t affiliate with Surfshark.

ExpressVPN. why we refused

In 2021, Kape Technologies acquired ExpressVPN for $936 million. Kape’s previous entities. HSNI and Crossrider. were involved in adware distribution and browser hijacking. The people running those businesses are now running your VPN.

Additionally, Daniel Gericke, ExpressVPN’s CIO at the time of the acquisition, was named in a US Department of Justice agreement related to his work conducting surveillance operations for the UAE government. He paid a fine. He remained in his role.

We don’t affiliate with ExpressVPN.

What we do affiliate with and why

Proton: Swiss-based, open source, independently audited, consistently transparent about infrastructure and ownership. Used by journalists, lawyers, and security professionals with real operational requirements.

Mullvad: the only major VPN that accepts cash payment by mail, requires no email address to register, and has undergone multiple independent infrastructure audits. Mullvad runs no affiliate programme. We mention them because they’re the most operationally serious option available at consumer price point. There is no commercial relationship.

1Password: used by security professionals in enterprise environments. Transparent about architecture. Audited. Not the cheapest option. The right option.

DeleteMe: the only data removal service we found where the process is verifiable. They remove your data and document the removal. Others claim to. DeleteMe does.

Why we publish this quarterly

Because the VPN market changes. Companies get acquired. Audit results surface. New information comes in.

Every three months, we review this list. If something changes. If one of our three programmes does something that fails the test. We remove it and say why.

We lose commissions. We do it anyway. That’s the only way this site means anything.

Trust is earned by what you refuse. Not by what you promote.

This article contains no affiliate links. Specific tool recommendations are on our Resources page.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.