For businesses relying on VPNs to safeguard sensitive data, the choice often comes down to trust—and NordVPN has become a lightning rod for skepticism.
The backlash stems from two key concerns: its connection to Tesonet, a venture builder with a history tied to data-mining controversies, and its legal registration in Panama despite operating primarily in Lithuania. While the corporate structure is unusual, independent audits—including one by Deloitte in late 2025—confirm NordVPN adheres to its no-logs policy, using RAM-only servers that erase activity logs with each reboot.
Yet the perception persists. Tesonet’s ownership of both Nord Security and Oxylabs—a company accused of large-scale data scraping—has led some users to question whether NordVPN could inadvertently expose them to privacy risks. No evidence has surfaced linking NordVPN directly to Oxylabs’ practices, but the shared founders and past funding raise eyebrows.
The Panama-based registration, meanwhile, is a strategic move common among multinational firms. It allows NordVPN to operate under laws that protect user data from international requests for disclosure. Lithuania, where its headquarters are located, follows EU GDPR retention rules—a legal gray area for privacy-focused services but not necessarily a breach of Nord’s stated policies.
For small businesses prioritizing performance-per-watt efficiency in their IT setups, the NordVPN debate serves as a reminder that even well-audited services face compatibility risks if corporate structures seem opaque. The takeaway? While the criticism is loud, the engineering and legal safeguards appear to hold—provided users verify the claims themselves.
