Aller au contenu
Vérifié indépendamment · Ré-audit trimestriel
EU VETTED

Mullvad VPN

VéRIFIé
VPN · Sweden
Fondé en 2009 · mullvad.net ↗

Swedish founder-owned VPN (Mullvad VPN AB / Amagicom AB, Gothenburg, 2009), anonymous numbered accounts, Cure53-audited, flat €5/month.

En bref

Mullvad VPN, dans la catégorie VPN, est un service sous contrôle européen avec Sweden comme lieu d’hébergement et aucune exposition identifiée au CLOUD Act.

Notes d’évaluation

Mullvad VPN, operated by Mullvad VPN AB (parent Amagicom AB) in Gothenburg, Sweden, founded March 2009 by Fredrik Strömberg and Daniel Berntsson and 100% founder-owned with no PE/VC/parent-company on record. Anonymous numbered accounts (no email, no username, no personal data), Cure53-audited no-logs policy (2018 apps, 2020 infrastructure, 2024 apps + WireGuard/OpenVPN relay code), flat €5/month price unchanged since 2009, open-source apps, cash/Monero accepted. EU-owned and EU-hosted under Swedish jurisdiction with no CLOUD Act exposure. The only US-jurisdiction sub-processors are the optional card-payment processors (Stripe, PayPal), which are ancillary and never touch the no-logs service data, and the anonymous-account/no-logs architecture means no user identity or activity is ever linked to a payment (cash and Monero are accepted specifically to avoid them), so under a customer-data-at-rest definition CLOUD Act exposure is none. A gold-standard privacy profile on ownership, jurisdiction, and no-logs architecture. The one gap in the signal set: Mullvad does not publish a publicly accessible DPA. The anonymous-account architecture means no traditional controller-to-processor relationship is established, and only a privacy policy and no-logging data policy are available; no processor agreement exists for EU buyers to self-serve.

CLOUD ACT
OWNERSHIP
SUB-PROCS
3 · 2 US
Signaux vérifiés
Juridiction
  • Hébergement UE / adéquation
  • Opérateur UE / adéquation
  • Aucune exposition au CLOUD Act
Transparence
  • DPA public
  • Sous-traitants divulgués
  • Clients open source
  • Certification tierce
JUMP TO
OVERVIEW

À propos de Mullvad VPN

Mullvad VPN is one of the most-cited privacy-maximalist VPN providers in the world, operated by Mullvad VPN AB and parent Amagicom AB in Gothenburg, Sweden (Box 53049, 400 14 Gothenburg). Launched in March 2009 by Fredrik Strömberg and Daniel Berntsson, the company remains 100% founder-owned. There is no private equity, no venture-capital backing, no parent conglomerate, and no acquisition pressure. Mullvad's product philosophy is built on a single radical idea: a VPN can be useful without ever collecting customer identity. The account system reflects this: accounts are random numbered tokens; there is no email address, no username, no password recovery, no personal-data field at signup. Users can generate as many accounts as they wish on the website at any time.

The no-logs commitment is more rigorous than most competitors and externally verified. Mullvad does not log activity, traffic, DNS queries, connection events, IP addresses, bandwidth, or timestamps. Cure53 (the German cybersecurity firm) has audited Mullvad multiple times: a 2018 penetration test of the macOS / Windows / Linux apps; a 2020 infrastructure audit; a 2024 desktop-application audit that rated security "high"; and a 2024 audit of the WireGuard and OpenVPN relay-code that found no PII retention or privacy leaks (only two low- and medium-severity issues, both unrelated to logging). Nginx access logs on web infrastructure are deleted after 5 minutes without IPs; support emails are auto-deleted after 70 days; cash-payment envelopes are shredded after processing; cryptocurrency transaction records are deleted after 20 days. All apps are open-source on GitHub.

Pricing is famously simple and never-changing: €5/month flat, regardless of commitment length (1 month, 1 year, or 1 decade, all the same monthly rate). The company explicitly does not run sales, holiday promotions, "Black Friday" discounts, or affiliate programmes. These are excluded as a matter of principle to avoid marketing-influence bias. Payment methods include cash (mail), cryptocurrencies (Bitcoin, Bitcoin Cash, Monero with a 10% discount), credit cards, PayPal, and regional bank transfers. 14-day money-back guarantee (except cash payments). 5 simultaneous devices. No port forwarding. Best fit: privacy-maximalist users worldwide who specifically want anonymous-account architecture and a Swedish-EU-jurisdiction founder-owned provider, and any procurement-grade buyer for whom "ownership simplicity + audited no-logs" beats feature breadth.

SUB-PROCESSORS

Carte des sous-traitants · 3

Source ↗
  • PayPal US
    United States

    PayPal payment processing; ancillary

  • Stripe US
    United States

    Credit-card payment processing; ancillary

  • SEB (Skandinaviska Enskilda Banken) EU
    Sweden

    Bank wire and Swish payment processing

2 sous-traitants sur 3 sont incorporés aux États-Unis. Il s'agit de sous-traitants accessoires qui ne détiennent pas de données client protégées ; ils ne modifient donc pas l'évaluation : l'exposition au CLOUD Act est jugée nulle.
CERTIFICATIONS

Référentiels & certifications · aucune répertoriée

Nous avons vérifié le site de l'éditeur et les registres des organismes de certification. Aucune certification active trouvée à la date du dernier audit (2026-05-18).
FEATURES

Matrice de fonctionnalités

Serveurs 548 serveurs
Pays 50 pays
Appareils simultanés 5 appareils
Protocoles WireGuard
Kill switch Oui
No-logs audité Oui
Port forwarding Non
Plateformes iOS macOS Windows Android Linux
INTéGRATION & ACCèS
REST API No
SSO (SAML / OIDC) No
CONFORMITé & GOUVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Tarifs & paliers

PAYANT
à partir de €5/mois
Voir la page tarifs ↗
PUBLIC DOCUMENTS

Documents publics

L'éditeur ne publie pas de DPA public. Sans contrat de sous-traitance accessible publiquement, les petits clients européens ne peuvent pas signer eux-mêmes l'accord : cela est consigné comme absence de DPA publique (voir Notre méthode).
  • Contrat de sous-traitance (DPA)
    — manquant
    manquant
  • Liste des sous-traitants
    mullvad.net/en…
    Ouvrir ↗
  • Conditions d'utilisation
    mullvad.net/en…
    Ouvrir ↗
ALTERNATIVES

Alternatives dans cette catégorie

AirVPN
Italy · Fondé en 2010
SOUVERAIN UE

Italian hacktivist-founded VPN (Perugia, 2010), no-logs, port forwarding, but no longer serves Italian residents (Piracy Shield).

DPA public Sous-traitants Open source
FROM
€7/mois
CLOUD ACT
NONE
AzireVPN
Sweden · Fondé en 2012
HéBERGé UE

Swedish privacy VPN (Stockholm, est. 2012): Blind Operator, RAM-only, audited no-logs; acquired by Malwarebytes (US) 7 Nov 2024.

DPA public Sous-traitants Open source
FROM
CLOUD ACT
MATERIAL
CyberGhost
Romania · Fondé en 2011
BASé UE

Romanian-operated VPN (CyberGhost S.R.L., 2011) under Kape Technologies (UK; ex-Crossrider) → Unikmind/Teddy Sagi (IM) since 2023; listed as a warning.

DPA public Sous-traitants Open source
FROM
€2/mois
CLOUD ACT
MINOR