What standards (ISAE, SOC 2, ISO) and testing scopes are used in VPN no‑logs audits and how do the cited audits for these four providers map to those standards?

Checked on February 6, 2026
Disclaimer: Factually can make mistakes. Please verify important information or breaking news.

Executive summary

Independent audits of VPN no‑logs claims rely on a mix of attestation standards (SOC 2 under the AICPA's SSAE attestation standards, and the international ISAE 3000 family) and management‑system certifications (ISO/IEC 27001), whose scopes and testing methods vary widely. The practical result is that a "no‑logs audit" can mean anything from a point‑in‑time review of control design to months of operational testing that includes penetration tests and evidence that the controls operated throughout the period [1] [2] [3] [4].

1. What the main standards are, and how they differ in purpose and scope

SOC 2 is an AICPA attestation against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). It is scoped to the systems and controls the organisation chooses to include, is issued as a Type I report (control design at a point in time) or a Type II report (operating effectiveness over a stated period, commonly 3 to 12 months), and must be performed by an independent licensed CPA firm under the AICPA's SSAE attestation standards; firms outside the United States issue equivalent reports under ISAE 3000 [3] [5] [1].

ISO/IEC 27001 is a certifiable international standard for an organisation‑wide Information Security Management System (ISMS). Certification is a continuing relationship rather than an attestation snapshot (a three‑year certificate with periodic surveillance audits), and it covers governance and risk management across the company, which may or may not coincide with the specific systems an auditor examines for a VPN no‑logs claim. A 27001 certificate says the organisation manages information‑security risk systematically; it does not by itself assert that any particular log is or is not kept [6] [7].

The ISAE family (ISAE 3000 and ISAE 3402) comprises the IAASB's international assurance standards used to frame SOC‑style engagements outside the United States. ISAE 3000 (Revised) covers assurance engagements other than audits of historical financial information and therefore underpins SOC 2‑style and bespoke no‑logs attestations; ISAE 3402 covers controls at a service organisation that are relevant to user entities' financial reporting and maps to SOC 1. An ISAE 3000 engagement is performed at either reasonable or limited assurance and the report must state which, so auditors will normally name both the ISAE variant and the assurance level that guided their procedures [2] [8].

2. What auditors actually test in VPN no‑logs engagements

Auditors combine control design reviews, evidence sampling, configuration checks, process walkthroughs and, often, operational testing such as log‑generation checks (generating sessions and confirming that no session data lands on disk or in a log sink) and verification that retention policies are actually enforced. Many practitioners and guidance documents also expect penetration testing or similar technical validation as tangible evidence that controls hold under attack‑like conditions, though what is tested (production versus staging, which services) is negotiated with the auditor [9] [4] [10]. Scoping choices determine how persuasive a "no‑logs" opinion is: whether server endpoints, third‑party subprocessors, specific VPN modes (double‑VPN, obfuscated servers, onion‑over‑VPN) and the full infrastructure stack are included, and whether the observation window is long enough to catch configuration drift between audits [7] [11].
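To make the "configuration checks" and "log‑generation checks" above concrete, here is an added illustration written for this page; it is not code from any cited audit, auditor or provider. It reviews an OpenVPN‑style server config for directives that persist session or connection data (the directive list is drawn from OpenVPN's documented server options and is an assumption about what an auditor would look for), and it diffs two snapshots of a log directory taken before and after a test session to show whether anything was written. The sample config text, the snapshot dictionaries and the function names are all constructed for the example.

```python
"""Illustrative no-logs audit checks (added example, not from any cited audit):
1. review_openvpn_config(): flag config directives that give session data a
   durable home (status files, address-pool persistence, connect hooks,
   daemon log sinks combined with non-zero verbosity).
2. log_growth(): compare two filesystem snapshots of a log directory taken
   around a test session and report files that appeared, grew or were replaced.
"""
import os
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int      # 0 means "implicit default, no config line"
    directive: str
    why: str


# Assumption: these OpenVPN server directives persist per-client or
# per-session data. Taken from OpenVPN's documented options, not from an audit.
RECORD_DIRECTIVES = {
    "status": "writes the connected-client table (common names, source addresses, byte counts) to a file",
    "ifconfig-pool-persist": "persists client-to-tunnel-address assignments on disk",
    "client-connect": "runs a hook on connect that receives client details and may record them",
    "client-disconnect": "runs a hook on disconnect that receives client details and may record them",
}
# Directives that give the daemon's own messages a durable sink.
SINK_DIRECTIVES = {
    "log": "redirects daemon output to a file",
    "log-append": "appends daemon output to a file",
    "syslog": "sends daemon output to syslog",
}


def _parse(text):
    """Yield (line_no, directive, args) for each non-comment line.
    Approximation: '#' and ';' start a comment anywhere on the line (quoting is ignored)."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def review_openvpn_config(text):
    """Return Findings for directives that would leave session data behind."""
    findings = []
    has_sink = False
    verb_line, verb_level = 0, 1  # OpenVPN defaults to 'verb 1' when unset
    for n, directive, args in _parse(text):
        if directive in RECORD_DIRECTIVES:
            findings.append(Finding(n, directive, RECORD_DIRECTIVES[directive]))
        elif directive in SINK_DIRECTIVES:
            has_sink = True
            findings.append(Finding(n, directive, SINK_DIRECTIVES[directive]))
        elif directive == "daemon":
            has_sink = True  # a daemonized OpenVPN without --log writes to syslog
        elif directive == "verb" and args:
            verb_line, verb_level = n, int(args[0])
    if has_sink and verb_level >= 1:
        findings.append(Finding(verb_line, "verb",
                                f"verbosity {verb_level} sends per-connection events to the active log sink"))
    return findings


def snapshot_dir(root):
    """Map every file under root to (size, inode); run this before and after a test session."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            snap[path] = (st.st_size, st.st_ino)
    return snap


def log_growth(before, after):
    """Return (path, change, bytes) for files that are new, replaced (new inode) or larger."""
    changes = []
    for path, (size, ino) in sorted(after.items()):
        prev = before.get(path)
        if prev is None:
            changes.append((path, "new", size))
        elif prev[1] != ino:
            changes.append((path, "replaced", size))  # rotated or recreated during the window
        elif size > prev[0]:
            changes.append((path, "grew", size - prev[0]))
    return changes


# Constructed sample configs: the first keeps records, the second is the hardened form.
SAMPLE_CONFIG = """\
# constructed sample config, not from any real deployment
port 1194
proto udp
dev tun
daemon
verb 3
status /var/log/openvpn/status.log 60
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
; log /var/log/openvpn/openvpn.log
push "redirect-gateway def1"
"""
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
daemon
verb 0
push "redirect-gateway def1"
"""
# Constructed snapshots standing in for snapshot_dir("/var/log") before/after a session.
BEFORE = {"/var/log/syslog": (1024, 11), "/var/log/auth.log": (300, 12)}
AFTER = {"/var/log/syslog": (1024, 11), "/var/log/auth.log": (420, 12),
         "/var/log/openvpn/status.log": (88, 40)}

if __name__ == "__main__":
    for f in review_openvpn_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.directive}: {f.why}")
    print("hardened findings:", review_openvpn_config(HARDENED_CONFIG))
    print("log growth:", log_growth(BEFORE, AFTER))
```

On a real engagement the snapshot would be taken with `snapshot_dir("/var/log")` on the server under test, a scripted set of client sessions would run in between, and any non‑empty `log_growth` result would be traced back to the process that wrote it; the config review is only as good as its directive list, which is why auditors pair it with the behavioural check rather than relying on either alone.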

3. How NordVPN and Tailscale map to these standards in the cited reporting

NordVPN's recent no‑logs assurance engagement was performed by Deloitte, which reports applying the ISAE 3000 (Revised) framework and examining "the full range of NordVPN services", including standard, Double VPN, Onion Over VPN and obfuscated servers, over a month‑long window [11]. Tailscale's public report describes a SOC 2 Type II audit and is candid that the auditors took the encryption of traffic as a given and that some components (the endpoints) were excluded from scope by design, which illustrates how scope exclusions are documented and how they can leave gaps in what the report actually asserts [12].

4. What the audits do not automatically prove and where implicit agendas appear

An audit under ISAE, SOC 2 or ISO 27001 attests to controls and their operation within the agreed scope and time frame. It does not create a blanket legal or technical guarantee that no usage metadata could ever exist or be reconstructed outside that scope, and a Type II opinion says nothing about the days after its observation window closed. Media headlines stating that a provider "never stores your data" can be accurate to the audit's scope but overreach if they ignore exclusions, sub‑processors or untested periods [1] [2]. Vendors have an incentive to highlight whichever standard casts them in the strongest light, auditors have commercial motives to win repeat engagements, and customers must therefore read scope descriptions and testing methods closely [8] [5].

5. Practical takeaway for evaluating VPN no‑logs reports

Trust the type and the scope: prefer Type II or other period‑of‑time engagements with longer windows; check whether production systems and all VPN features were in scope; look for evidence of technical testing (penetration tests, configuration checks, log‑generation checks) and for independent CPA or otherwise recognised auditor credentials; and treat ISO 27001 as complementary governance assurance rather than a substitute for a scoped no‑logs attestation [3] [4] [6]. The reporting reviewed here maps NordVPN to ISAE 3000 (Revised) operational testing and Tailscale to SOC 2 Type II with explicit scope exclusions; the publicly available sources do not provide equivalent cited audit details for the two other providers named in the prompt, so those cannot be mapped from these materials [11] [12] [2].

Want to dive deeper?
How do SOC 2 Type I and Type II reports differ in practical evidence for VPN privacy claims?
What specific technical tests (pentests, log‑forensics) are commonly included in ISAE 3000 VPN no‑logs engagements?
How should customers read and verify auditor scope exclusions and sub‑processor carve‑outs in VPN assurance reports?