Italian hacktivist-founded VPN (Perugia, 2010), no-logs, port forwarding, but no longer serves Italian residents (Piracy Shield).
- FROM
- €7/Mt.
- CLOUD ACT
- NONE
Zusammenfassung aus Eigentümerschaft und CLOUD-Act-Risiko.
Swedish founder-owned VPN (Mullvad VPN AB / Amagicom AB, Gothenburg, 2009), anonymous numbered accounts, Cure53-audited, flat €5/month.
Mullvad VPN aus der Kategorie VPN ist ein EU-eigener Dienst mit Sweden als Hosting-Standort und ohne erkennbares CLOUD-Act-Risiko.
Mullvad VPN, operated by Mullvad VPN AB (parent Amagicom AB) in Gothenburg, Sweden, founded March 2009 by Fredrik Strömberg and Daniel Berntsson and 100% founder-owned with no PE/VC/parent-company on record. Anonymous numbered accounts (no email, no username, no personal data), Cure53-audited no-logs policy (2018 apps, 2020 infrastructure, 2024 apps + WireGuard/OpenVPN relay code), flat €5/month price unchanged since 2009, open-source apps, cash/Monero accepted. EU-owned and EU-hosted under Swedish jurisdiction with no CLOUD Act exposure. The only US-jurisdiction sub-processors are the optional card-payment processors (Stripe, PayPal), which are ancillary and never touch the no-logs service data, and the anonymous-account/no-logs architecture means no user identity or activity is ever linked to a payment (cash and Monero are accepted specifically to avoid them), so under a customer-data-at-rest definition CLOUD Act exposure is none. A gold-standard privacy profile on ownership, jurisdiction, and no-logs architecture. The one gap in the signal set: Mullvad does not publish a publicly accessible DPA. The anonymous-account architecture means no traditional controller-to-processor relationship is established, and only a privacy policy and no-logging data policy are available; no processor agreement exists for EU buyers to self-serve.
Wie stark Kundendaten US-Behörden nach dem CLOUD Act (Clarifying Lawful Overseas Use of Data Act) ausgesetzt sind.
Wo die letztliche Kontrolle über das Betreiberunternehmen liegt.
Mullvad VPN is one of the most-cited privacy-maximalist VPN providers in the world, operated by Mullvad VPN AB and parent Amagicom AB in Gothenburg, Sweden (Box 53049, 400 14 Gothenburg). Launched in March 2009 by Fredrik Strömberg and Daniel Berntsson, the company remains 100% founder-owned. There is no private equity, no venture-capital backing, no parent conglomerate, and no acquisition pressure. Mullvad's product philosophy is built on a single radical idea: a VPN can be useful without ever collecting customer identity. The account system reflects this: accounts are random numbered tokens; there is no email address, no username, no password recovery, no personal-data field at signup. Users can generate as many accounts as they wish on the website at any time.
The no-logs commitment is more rigorous than most competitors and externally verified. Mullvad does not log activity, traffic, DNS queries, connection events, IP addresses, bandwidth, or timestamps. Cure53 (the German cybersecurity firm) has audited Mullvad multiple times: a 2018 penetration test of the macOS / Windows / Linux apps; a 2020 infrastructure audit; a 2024 desktop-application audit that rated security "high"; and a 2024 audit of the WireGuard and OpenVPN relay-code that found no PII retention or privacy leaks (only two low- and medium-severity issues, both unrelated to logging). Nginx access logs on web infrastructure are deleted after 5 minutes without IPs; support emails are auto-deleted after 70 days; cash-payment envelopes are shredded after processing; cryptocurrency transaction records are deleted after 20 days. All apps are open-source on GitHub.
Pricing is famously simple and never-changing: €5/month flat, regardless of commitment length (1 month, 1 year, or 1 decade, all the same monthly rate). The company explicitly does not run sales, holiday promotions, "Black Friday" discounts, or affiliate programmes. These are excluded as a matter of principle to avoid marketing-influence bias. Payment methods include cash (mail), cryptocurrencies (Bitcoin, Bitcoin Cash, Monero with a 10% discount), credit cards, PayPal, and regional bank transfers. 14-day money-back guarantee (except cash payments). 5 simultaneous devices. No port forwarding. Best fit: privacy-maximalist users worldwide who specifically want anonymous-account architecture and a Swedish-EU-jurisdiction founder-owned provider, and any procurement-grade buyer for whom "ownership simplicity + audited no-logs" beats feature breadth.
PayPal payment processing; ancillary
Credit-card payment processing; ancillary
Bank wire and Swish payment processing
| Vendor | Country | Purpose | Owner |
|---|---|---|---|
| PayPal | United States | PayPal payment processing; ancillary | US |
| Stripe | United States | Credit-card payment processing; ancillary | US |
| SEB (Skandinaviska Enskilda Banken) | Sweden | Bank wire and Swish payment processing | EU |
Italian hacktivist-founded VPN (Perugia, 2010), no-logs, port forwarding, but no longer serves Italian residents (Piracy Shield).
Swedish privacy VPN (Stockholm, est. 2012): Blind Operator, RAM-only, audited no-logs; acquired by Malwarebytes (US) 7 Nov 2024.
Romanian-operated VPN (CyberGhost S.R.L., 2011) under Kape Technologies (UK; ex-Crossrider) → Unikmind/Teddy Sagi (IM) since 2023; listed as a warning.