Tools we refuse to affiliate with. And why.
Short answer
We turned down NordVPN, Surfshark, and ExpressVPN. NordVPN concealed a server breach for over a year. ExpressVPN’s CIO worked in UAE government surveillance. Surfshark merged with Nord Security. Our rule: would we use this tool ourselves if our security depended on it? For these three, the answer is no.
This article costs us money. That’s the point.
Most privacy sites affiliate with every VPN that will have them. The commissions are high. The audits are nonexistent. The reviews are written to convert, not to inform. The bottom of that market is described in how free VPNs sell your data. The same logic that makes a free VPN a data broker makes an unaudited paid VPN a brand exercise.
We run three affiliate programmes. Total. We turned down the rest. This is the full list of what we said no to, and exactly why.
The rule we applied
Would I use this tool myself in a situation where my security actually depended on it?
Not ‘would I recommend it to someone who doesn’t know better.’ Would I use it. Personally. When it mattered.
If the answer is no, it doesn’t appear on this site. No exceptions. No ‘but the commission is really good.’
Why we refused NordVPN
NordVPN is the most recognised consumer VPN brand in the world. It is also, by any serious OPSEC standard, a marketing company that happens to operate a VPN.
In 2019, one of their servers in Finland was compromised. The breach was concealed for over a year. No user notification. No public disclosure until a third party surfaced it.
A company that hides a breach from its users is not a company that has your security as a priority. It has its brand as a priority. Those are not the same thing.
We don’t affiliate with NordVPN.
Why we refused Surfshark
Surfshark merged with Nord Security in 2022. Same parent company. Same concerns about corporate incentive structure.
Surfshark has never undergone a full independent infrastructure audit in the way Mullvad and Proton have. Their no-logs claims are marketing claims, not audit-verified facts.
We don’t affiliate with Surfshark.
Why we refused ExpressVPN
In 2021, Kape Technologies acquired ExpressVPN for $936 million. Kape’s previous entities, HSNI and Crossrider, were involved in adware distribution and browser hijacking. The people running those businesses are now running your VPN.
Additionally, Daniel Gericke, ExpressVPN’s CIO at the time of the acquisition, was named in a US Department of Justice agreement related to his work conducting surveillance operations for the UAE government. He paid a fine. He remained in his role.
We don’t affiliate with ExpressVPN.
What we do affiliate with and why
Proton: Swiss-based, open source, independently audited, consistently transparent about infrastructure and ownership. Used by journalists, lawyers, and security professionals with real operational requirements. The full review and the operational caveats are in our Proton VPN review for 2026.
Mullvad: the only major VPN that accepts cash payment by mail, requires no email address to register, and has undergone multiple independent infrastructure audits. Mullvad runs no affiliate programme. We mention them because they’re the most operationally serious option available at consumer price point. There is no commercial relationship. Full review in our Mullvad VPN review for 2026, head-to-head in Proton versus Mullvad in 2026.
1Password: used by security professionals in enterprise environments. Transparent about architecture. Audited. Not the cheapest option. The right option. The operational review for journalists, including Travel Mode, sits in our 1Password review for journalists.
DeleteMe: the only data removal service we found where the process is verifiable. They remove your data and document the removal. Others claim to. DeleteMe does.
Why we publish this quarterly
Because the VPN market changes. Companies get acquired. Audit results surface. New information comes in.
Every three months, we review this list. If something changes, if one of our three programmes does something that fails the test, we remove it and say why.
We lose commissions. We do it anyway. That’s the only way this site means anything.
Trust is earned by what you refuse. Not by what you promote.
Frequently asked questions
Why did you turn down NordVPN specifically?
NordVPN concealed a server breach in Finland for over a year before disclosing it publicly. A VPN provider that hides a breach from its users is not a provider we recommend, regardless of subsequent audits.
Does refusing affiliate income affect your editorial independence?
The opposite. Refusing high-paying affiliates like NordVPN, Surfshark, and ExpressVPN is what makes our editorial independence credible. We only affiliate with tools we would use ourselves if our security depended on it.
How often do you review your affiliate decisions?
Quarterly. If a tool we affiliate with is breached, changes ownership, or fails an audit, we reassess immediately. This article is updated when our position changes.
Will you ever recommend a VPN we have refused if it changes ownership?
Possibly, but only after a clean ownership change, a full independent audit published in full, and a sustained period without further incidents. Trust is earned twice as slowly as it is lost. None of the three providers on this refusal list currently meet that bar. If they ever do, we will say so on this page, and explain what changed.
Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.