You don't and you never will know for sure. This goes for us and every other provider on the internet. And there is no way we can prove it to you either. The same goes for companies that publish all their source as well, they still control the servers and end/exit points. So let's consider this:
To get as close to 100% sure your VPN isn't compromised you will have to:
- Learn to code.
- Have lots of money. We mean LOTS of money.
- Audit existing protocols & source stacks - don't trust anything!
- Build your own infrastructure & develop your own applications & crypto.
Honestly this is the only way to be close to 100%. Let's say 99.3% because some spook would still just slip $100 into the pocket of your night watchman and walk into your colo center with a rubber ducky. Or just tap your POP or MOS. Consider Bezo's when the Saudi's used WhatsApp to take control over his phone. So even then, they'll get you (assuming 'they' is some faceless big government agency that is targeting you).
Certain providers have VERY clear lines (dotted and otherwise) to various countries and agencies (mountainous plans and expressive firms anyone?) Our approach has been to use Open Source protocols, and allow dedicated 'throw away' servers using that open source. Can you be 100%? No. Could we be a front for some alphabet soup? Sure. Pick your battles and side.
A VPN is really best to protect you from (a) cybercrime capturing transitory information (b) embarrassment of your information from one location or another being leaked (c) getting in trouble seeing things someone doesn't want you to see. So a VPN offers some protection and plausible deniability.
At its core a VPN is a TRANSPORT security layer. It is meant to protect information in transit from A>B. It is not a 'remove all traces of me from the internet' magic wand.