[11][12] NordVPN is developed by Nord Security (formerly Nordsec Ltd),[13] a company that creates cybersecurity software and was initially supported by the Lithuanian startup accelerator and business incubator Tesonet.

[25] The bug bounty was launched in December 2019, offering researchers monetary rewards for reporting critical flaws in the service.

[26] In December 2019, NordVPN became one of the five founding members of the newly formed VPN Trust Initiative, promising to promote online security as well as more self-regulation and transparency in the industry.

[27] In 2020, the initiative announced five key areas of focus: security, privacy, advertising practices, disclosure and transparency, and social responsibility.

[28] In August 2020, Troy Hunt, an Australian web security expert and founder of Have I Been Pwned?, announced a partnership with NordVPN as a strategic advisor.

"[29] In 2022, NordVPN closed its physical servers in India in response to the CERT-In's order for VPN companies to store consumers' personal data for a period of five years.

[33] NordVPN routes users' internet traffic through a remote server run by the service, thereby hiding their IP address and encrypting all incoming and outgoing data.

When the Dark Web Monitor feature finds any leaked credentials, it sends a real-time alert, prompting the user to change the affected passwords.

[55] In June 2022, NordVPN launched the Meshnet feature that allows users to create their own private network by linking up to 60 devices.

[63] In response, NordVPN confirmed that one of its servers based in Finland was breached in March 2018, but there was no evidence of an actual man-in-the-middle attack ever taking place.

[64][65] The exploit was the result of a vulnerability in a contracted data center's remote administration system that affected the Finland server between January 31 and March 20, 2018.

[64] Evidence suggests that when the data center became aware of the intrusion, all accounts that had caused the vulnerabilities were deleted and NordVPN was not notified about the mistake.

[62][61][71] NordVPN stated that the company initially planned to disclose the breach after it completed the audit of its 5,000 servers for any similar risks[62] and later put regular updates on its blog.

[73][74] In 2019, the Advertising Standards Authority (United Kingdom) (ASA) advised NordVPN not to repeat claims that public WiFi is so insecure it is equivalent to handing out your personal information to the people around you.

The 2023 update clarified that, while the no-logs policy continued, NordVPN would comply with law enforcement requests when required by local legal authorities.

This change reflected increased regulatory pressures on VPN providers to support investigations related to cybersecurity and criminal activities.

[80] Transparency statements from the company outlined strict compliance conditions, aiming to reassure users about privacy safeguards under the revised policy.