Data privacy has become increasingly important as online tracking, data collection and cyberattacks continue to rise. As a result, more consumers are turning to virtual private networks, or VPNs, to keep their internet activity private and secure.
A VPN works by rerouting your internet connection through a specialized remote server operated by the VPN provider. In the process, it encrypts your internet traffic and masks your public IP address, helping protect your browsing activity from internet service providers, advertisers and other third parties.
Like all servers, VPN servers use storage media that can hold information such as bandwidth usage, system logs and randomized, anonymized connection logs. No reputable VPN company should be logging any personal information, such as your public IP address or your internet activity. And data such as connection logs should be randomized if they're tracked, so there’s nothing to trace back to you, but server security is crucial nonetheless.
While hard drive-based servers have traditionally been the norm for VPN companies, an increasing number have adopted RAM-only server architecture, which wipes data on every reboot. However, that doesn't automatically make RAM servers better than traditional hard drive servers, especially those with full-disk encryption.
Understanding the two types of VPN servers
A VPN encrypts your internet traffic and routes it through a secure server. This process masks your real IP address and hides your activity from entities such as your ISP.
Getty Image/Zooey Liao/CNETVPN providers primarily rely on two types of server infrastructure, each with a different approach to data storage and security:
RAM-only servers
A RAM-only server, as the name suggests, operates solely in the computer's random access memory, or RAM. This is the system’s short-term, temporary or volatile memory: Every time the RAM is switched off or rebooted, all the data stored in it is completely wiped off. This isn't simply deleting the data; it's the complete disappearance of everything stored in the RAM when the server is switched off.
A RAM-only server works by downloading a read-only image from a secure remote location every time it boots. Since this is only a read-only image, no data, including sensitive information, is ever written to the VPN server. Next, everything the server requires to run -- from its operating system to applications, encryption keys and temporary files -- gets loaded directly into the system's RAM. As such, there's no concept of persistent storage with RAM-only servers.
Hard drives with full-disk encryption
Hard drives, whether HDDs or SSDs, are the opposite of RAM-based servers. They are physical disks that provide persistent storage, similar to a flash drive that can retain stored information. In the case of VPN servers, the stored information includes applications, files and any data shared during an active session -- even when they are disconnected from the power supply or turned off. Any deletions that need to take place must be done manually.
Although hard drives retain data even when they’re powered off, that doesn’t make them less secure than RAM. That’s because VPN servers use hard drives with full-disk encryption, which converts all the hard drive's data -- originally in plain text -- into ciphertext.
In simple words, it converts all the data into an unreadable format, allowing only users with the required password or secret key to decrypt and read the information. The word "full" simply means that the entire disk's contents are encrypted.
This means that even if an unauthorized user gains access to your stored data on a full-disk-encrypted hard drive, they won't be able to make any sense of it or exploit it.
Why do most VPN providers today use RAM-only servers?
A majority of the biggest names in the VPN industry, including NordVPN, ExpressVPN, Surfshark, Mullvad and IPVanish, have switched to operating almost entirely on RAM-only infrastructure for good reason. (Disclosure: IPVanish is owned by CNET's parent company, Ziff Davis.)
RAM-only servers provide the following benefits:
Better privacy protection
As mentioned earlier, the biggest advantage of RAM-only servers is that they automatically wipe all of the data shared between you and the VPN server, such as bandwidth usage and system logs (which don’t contain personally identifiable information), with every reboot. Some data, like browsing logs, your public IP address, DNS queries and non-randomized and anonymized connection logs -- shouldn’t be logged, but if it is, that info would be lost with a reboot of a RAM-only server. This gives you peace of mind that your sensitive activity isn’t stored long term on the server.
Better protection against physical seizures
The ability of RAM-only servers to have no long-term data storage and to remotely wipe all data on every reboot also makes them more reliable in the case of physical seizures. This is when authorities come knocking at a VPN provider’s door to confiscate its servers or demand they turn over any logged user data.
With RAM-only servers, there is often nothing meaningful to report or leak in the first place. Mullvad is a great real-life example. When Swedish police raided the company’s offices in 2023, no customer data was compromised thanks to the VPN’s RAM-only infrastructure.
The closest thing to a guarantee for no-logs policies
Another huge advantage of RAM-only servers is that, unlike a VPN’s no-logs policy -- which is essentially the VPN’s promise to never log sensitive user information -- RAM-only infrastructure adds a technical layer of assurance.
VPN providers that regularly audit their no-logs policies are the gold standard. However, VPN audits don’t paint the full picture, and they don’t guarantee performance outside the audit period.
With RAM-only servers, however, it becomes nearly impossible for VPNs to store user information long term. RAM-only servers are a strong complement to a VPN’s no-logs policy by helping ensure the VPN abides by it at all times.
In addition to privacy and security benefits, RAM-only servers also offer a handful of operational advantages:
- VPN providers can boot all their RAM-only servers from a single cryptographically signed read-only image, ensuring consistency across thousands of servers throughout their network.
- This also makes it easier to deploy updates and patches, as all it requires is replacing the read-only boot image.
The security gap between RAM-only and encrypted servers isn’t as big as you think
One argument in favor of hard drives, whether HDDs or SSDs, compared to RAM-only servers, is their cost-effectiveness. Companies spend less if their servers use physical hard drives instead of RAM, which could also trickle down to end users in the form of lower subscription fees.
However, a RAM-only server is not inherently more private or secure than a full-disk encrypted hard drive. In fact, while they are running and actively handling data, both RAM-only servers and full-disk encrypted hard drives are equally vulnerable to data exposure.
That’s because RAM-only servers get rid of all stored data only when they are rebooted or turned off. If that doesn't occur regularly, and the VPN keeps them running for longer periods, malicious actors can still exploit the data on these servers if they manage to gain access to them while they're running.
It’s a similar story with encrypted hard drives. While the data on them remains encrypted when the server is off, everything gets decrypted while the server is running, making them susceptible to data exposure. Likewise, if a malicious actor or government authority seizes encrypted hard drives while they're off, the effect is largely the same as seizing RAM-only servers. Because of the encryption, there is no readable data to harvest.
Why a VPN’s server infrastructure isn’t everything
Even though RAM-only servers offer a few additional operational benefits compared to encrypted hard drives, neither is inherently more secure than the other. Ultimately, server infrastructure is not the main thing you should look at when choosing a VPN.
A strong, audited no-logs policy matters more
As explained earlier, RAM-only servers wipe data only when they are rebooted or turned off. If they are kept running for longer periods, their data can still be vulnerable to exposure.
In other words, RAM-only servers are ultimately a supporting actor to a VPN’s no-logs policy, which is what truly dictates whether your data is at risk. In fact, a clear-cut, detailed no-logs policy that explains a VPN provider’s privacy practices in simple terms -- without hiding behind technical jargon -- is one of the biggest hallmarks of a trustworthy VPN.
At the same time, because a no-logs policy is, in its rawest form, still a promise the VPN makes to protect your privacy, it’s important not to stop there. In fact, even a VPN with RAM-based servers can log user data if it doesn’t intend to abide by its no-logs policy.
To avoid shady VPN apps, look for providers that regularly submit their no-logs policies to independent audits. This is when a reputable third-party cybersecurity firm inspects the VPN’s claims and verifies how it handles user data both on its servers and beyond.
Why VPN jurisdiction matters more than server type
The type of server a VPN uses matters less than where those servers -- and the VPN’s headquarters -- are located. Fortunately, this isn’t a concern with our top-rated VPNs -- ExpressVPN, NordVPN, Proton VPN, Surfshark and Mullvad. All these are based in privacy-friendly jurisdictions that do not require VPN companies to store IP connection logs or other identifiable user activity. If a VPN’s jurisdiction is a country where the government mandates that VPN companies log customer data, the VPN’s users may not benefit from the automatic data wipe-off of RAM-based servers -- or the encryption of encrypted hard drives.
This also applies to the jurisdiction of specific servers, even if the VPN’s main offices are elsewhere. For example, countries like India have made it mandatory for VPN companies to collect user data. This is why almost every reputable VPN provider has pulled its physical servers from such locations and instead offers virtual servers. These are servers located in neighboring privacy-friendly countries that still provide users with the experience of connecting to a local server.
Here, it’s also worth remembering that whether a country is part of an international data-sharing alliance such as the Five Eyes, Nine Eyes and 14 Eyes -- groups whose member countries cooperate on mass surveillance and data sharing -- matters less than its own privacy laws. For example, even though Mullvad is based in Sweden -- a 14 Eyes country -- it benefits from the country’s strong privacy laws that do not compel companies to log user data.