That article is complete bullshit.

The organization that officially offers ProtonVPN is ProtonVPN AG, which is located in Lithuania, Switzerland. It shares the same office address as Tesonet (J. Jasinskio g. 16C, Vilnius 03163, Lithuania).

TIL that the country Lithuania somehow coexists with a town in Switzerland that doesn't actually exist.

I tracked down the Hacker News thread where some guy claims to source this. But his link to what I guess is some kind of corporate registry in Lithuania is to a company called "CYBER ALLIANCE, UAB." Protonmail acknowledges in the HN thread that they rented office space from Tesonet, which is maybe why some of the addresses come up?

The article also makes some wildly misleading quotes. It attempts to conflate references to physical "addresses" to IP addresses, despite there being 0 evidence presented to indicate that ProtonVPN used any servers owned by Tesonet. It also claims that the same CEO is listed for the Cyber Alliance company as Tesonet, but fails to show how this contradicts what ProtonVPN is saying in the thread, namely that they piggybacked on Tesonet's corporate presence. Meanwhile, contrary to what the article says, ProtonVPN's main HQ is with ProtonMail's in Switzerland.

I was curious who "PIA" was in the article you linked. From the HN thread, it turns out that it's Private Internet Access....a U.S.-based competitor to ProtonMail. Moreover, these claims were brought up by one of PIA's co-founders in response to a suggestion that PIA was secretly working for U.S. intelligence in some capacity. He never actually denied anything, but jumps right into how ProtonVPN is super shady or whatever. So the only "source" we have is a competitor to ProtonVPN, who only brings this stuff up on some thread that's questioning his company's integrity. If they have so much evidence, why is there no mention of ProtonVPN on their blog? Two of his comments are flagged, and he claims that an Ars Technica piece with a misleading headline somehow shows that your e-mail isn't safe in Switzerland, either. And in case you think I'm misrepresenting the Ars article, it has that headline yet says almost immediately that:

So can a Swiss company provide better e-mail security and privacy than many European Union countries or the United States? Again, it’s a tough question, but after examining the relevant Swiss law and talking with Swiss lawyers and one privacy-minded Swiss e-mail provider, the answer is probably yes, but with one big caveat: user notification of surveillance is not always transparent.

Which is of course super different from the United States. (If anyone still had questions about why I'm skeptical about Ars Technica's journalistic standards, this is a perfect example.) This person clearly has no idea what he's talking about, and it's frightening to think that a significant number of people are trusting him to keep their data private.

But anyway, it's clear this is a credulous blogger reposting a hit piece by one of ProtonVPN's competitors as if it were gospel. Call me unconvinced.

Regardless of whether any of the claims in this article are true, it just goes to show that you can not trust commercial VPN providers. They have no reason to really protect you the way they claim, and time after time they are proven to be lying about that protection.

Only trust a VPN you set up yourself, or a network like Tor, which is designed to not require trusted nodes.