

Jurisdiction refers to the country whose laws a VPN company is subject to. It determines which courts can issue orders against the company, which agencies can request data, and what legal protections apply to its users.
A VPN company incorporated in the United States operates under US law. If a US court issues a subpoena for user data, the company must comply or mount a legal challenge. The same applies to a company in Germany under German law, in the UK under UK law, and so on.
This matters to VPN users because the practical value of a no-logs policy depends in part on whether the company can be compelled to start logging. A company under aggressive data retention law faces a different risk profile than one operating under strong privacy legislation.
When law enforcement wants data from a VPN company, they follow a legal process that varies by country but typically requires:
A court order or subpoena: In most democratic countries, a judge must approve a data request. The threshold for approval varies widely. Some countries require demonstrating specific criminal intent. Others permit broad requests with minimal judicial oversight.
Mutual Legal Assistance Treaties (MLATs): When law enforcement in one country wants data from a company in another, they use MLATs: formal agreements between governments that govern how evidence can be requested across borders. This process is slow, often taking months, and requires the request to meet the legal standards of both countries. [1]
The CLOUD Act: US legislation from 2018 that requires American companies to produce data stored abroad when served with a valid court order. Importantly, it applies to companies with US operations or ownership, not just those incorporated in the US. A VPN headquartered in the British Virgin Islands but with US investors and US staff may still be subject to CLOUD Act requests. [2]
The key point: if a VPN company has data to hand over, legal mechanisms exist to compel it to do so, regardless of where it is incorporated. Jurisdiction determines the difficulty and speed of that process, not whether it is possible.
The Five Eyes is an intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand. The Nine Eyes and Fourteen Eyes extend this to include additional European and non-European countries, each with varying levels of cooperation.
VPN marketing often treats being outside the Five Eyes as a significant privacy advantage. The reality is more nuanced.
Intelligence-sharing agreements are primarily relevant to national-security-level surveillance, not ordinary law enforcement. For the vast majority of VPN users, the more relevant question is not whether a country shares intelligence with the US, but what that country's domestic data retention laws require and how cooperative its courts are with foreign law enforcement requests.
A VPN incorporated in a non-Five Eyes country may still be compelled to hand over data by its own government, which may then share it through other channels. Jurisdiction is one factor in a larger picture, not a binary safe or unsafe distinction.
Incorporating in a privacy-friendly jurisdiction like the British Virgin Islands, Panama, or the Cayman Islands does offer some genuine advantages:
No mandatory data retention laws: Some countries require ISPs and service providers to retain user data for defined periods. Offshore jurisdictions used by privacy-focused companies often have no such requirement, meaning the company has no legal obligation to collect data in the first place.
Higher friction for foreign law enforcement: Getting data from a company in a small offshore jurisdiction requires using the MLAT process, which is slow and requires meeting the legal threshold of the offshore country. This creates a meaningful barrier for opportunistic or low-priority requests.
No direct domestic surveillance apparatus: Major surveillance programs tend to operate through major economies with large intelligence budgets. A company in a small offshore jurisdiction is less likely to face informal pressure outside formal legal channels.
What offshore incorporation does not change: if a company is logging activity, that data exists and can be obtained. The IPVanish case from 2016 illustrated this clearly. The company claimed a no-logs policy and was incorporated in a US-adjacent jurisdiction. When served with a court order, it produced connection logs that it had been keeping. [4] Jurisdiction could not protect what the company had already collected.
Jurisdiction is relevant, but it is secondary to the more fundamental question: does the VPN have data to hand over?
A company with a genuine no-logs policy that has been verified by an independent audit provides stronger protection than a company in a favorable jurisdiction that has never been audited and whose policy cannot be verified. If there are no connection logs, IP assignment logs, or activity logs, there is nothing to produce regardless of what a court orders.
Independent audit: Has a credible third party verified the no-logs claim by reviewing server configurations, database schemas, and logging infrastructure? A self-asserted policy is not the same as a verified one.
Transparency reports: Does the company publish data about government requests received and how they responded? Transparency reports are not conclusive proof of anything, but their absence is informative.
Warrant canary: Some companies publish a statement that they have not received a secret government order. If the canary disappears, it may signal that something has changed. It is imperfect but useful as one signal among many.
Track record: Has the company faced law enforcement requests before? How did they respond? Real-world cases are more informative than policy documents.
If you want to understand this topic further, the no-logs VPN article covers what audits actually examine and what questions to ask any provider.
BuycatVPN operates under a verified no-logs policy, independently certified by KPMG. [5] The audit covers logging infrastructure and confirms that user activity, DNS queries, connection timestamps, and IP addresses are not retained. KPMG conducts assessments on an ongoing basis under an Always-On Audit clause, meaning it is not a one-time snapshot.
The service is GDPR compliant. Beyond policy, the practical protection here is the same as with any verified no-logs provider: if the data does not exist, it cannot be produced.
[1] Explains how cross-border law enforcement cooperation works and what it requires from foreign companies. Relevant to understanding whether offshore incorporation actually prevents data requests.
[2] 2018 US legislation requiring American companies to produce data stored abroad when served with a lawful order. Directly relevant to any VPN provider with US operations or ownership.
[3] International framework governing how evidence can be requested across national borders in civil matters.
[4] Case study of a VPN provider that claimed no-logs but produced connection logs to law enforcement. Demonstrates why policy claims alone are insufficient.
[5] Overview of KPMG's security audit practice, the firm conducting BuycatVPN's independent no-log certification.