Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Mullvad VPN

VERIFIED
VPN · Sweden
Founded 2009 · mullvad.net ↗

Swedish founder-owned VPN (Mullvad VPN AB / Amagicom AB, Gothenburg, 2009), anonymous numbered accounts, Cure53-audited, flat €5/month.

In short

Mullvad VPN, in the VPN category, is an EU-owned service with Sweden as its hosting location and no identified CLOUD Act exposure.

Assessment notes

Mullvad VPN, operated by Mullvad VPN AB (parent Amagicom AB) in Gothenburg, Sweden, founded March 2009 by Fredrik Strömberg and Daniel Berntsson and 100% founder-owned with no PE/VC/parent-company on record. Anonymous numbered accounts (no email, no username, no personal data), Cure53-audited no-logs policy (2018 apps, 2020 infrastructure, 2024 apps + WireGuard/OpenVPN relay code), flat €5/month price unchanged since 2009, open-source apps, cash/Monero accepted. EU-owned and EU-hosted under Swedish jurisdiction with no CLOUD Act exposure. The only US-jurisdiction sub-processors are the optional card-payment processors (Stripe, PayPal), which are ancillary and never touch the no-logs service data, and the anonymous-account/no-logs architecture means no user identity or activity is ever linked to a payment (cash and Monero are accepted specifically to avoid them), so under a customer-data-at-rest definition CLOUD Act exposure is none. A gold-standard privacy profile on ownership, jurisdiction, and no-logs architecture. The one gap in the signal set: Mullvad does not publish a publicly accessible DPA. The anonymous-account architecture means no traditional controller-to-processor relationship is established, and only a privacy policy and no-logging data policy are available; no processor agreement exists for EU buyers to self-serve.

CLOUD ACT
OWNERSHIP
SUB-PROCS
3 · 2 US
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Mullvad VPN

Mullvad VPN is one of the most-cited privacy-maximalist VPN providers in the world, operated by Mullvad VPN AB and parent Amagicom AB in Gothenburg, Sweden (Box 53049, 400 14 Gothenburg). Launched in March 2009 by Fredrik Strömberg and Daniel Berntsson, the company remains 100% founder-owned. There is no private equity, no venture-capital backing, no parent conglomerate, and no acquisition pressure. Mullvad's product philosophy is built on a single radical idea: a VPN can be useful without ever collecting customer identity. The account system reflects this: accounts are random numbered tokens; there is no email address, no username, no password recovery, no personal-data field at signup. Users can generate as many accounts as they wish on the website at any time.

The no-logs commitment is more rigorous than most competitors and externally verified. Mullvad does not log activity, traffic, DNS queries, connection events, IP addresses, bandwidth, or timestamps. Cure53 (the German cybersecurity firm) has audited Mullvad multiple times: a 2018 penetration test of the macOS / Windows / Linux apps; a 2020 infrastructure audit; a 2024 desktop-application audit that rated security "high"; and a 2024 audit of the WireGuard and OpenVPN relay-code that found no PII retention or privacy leaks (only two low- and medium-severity issues, both unrelated to logging). Nginx access logs on web infrastructure are deleted after 5 minutes without IPs; support emails are auto-deleted after 70 days; cash-payment envelopes are shredded after processing; cryptocurrency transaction records are deleted after 20 days. All apps are open-source on GitHub.

Pricing is famously simple and never-changing: €5/month flat, regardless of commitment length (1 month, 1 year, or 1 decade, all the same monthly rate). The company explicitly does not run sales, holiday promotions, "Black Friday" discounts, or affiliate programmes. These are excluded as a matter of principle to avoid marketing-influence bias. Payment methods include cash (mail), cryptocurrencies (Bitcoin, Bitcoin Cash, Monero with a 10% discount), credit cards, PayPal, and regional bank transfers. 14-day money-back guarantee (except cash payments). 5 simultaneous devices. No port forwarding. Best fit: privacy-maximalist users worldwide who specifically want anonymous-account architecture and a Swedish-EU-jurisdiction founder-owned provider, and any procurement-grade buyer for whom "ownership simplicity + audited no-logs" beats feature breadth.

SUB-PROCESSORS

Sub-processor map · 3

Source ↗
  • PayPal US
    United States

    PayPal payment processing; ancillary

  • Stripe US
    United States

    Credit-card payment processing; ancillary

  • SEB (Skandinaviska Enskilda Banken) EU
    Sweden

    Bank wire and Swish payment processing

2 of 3 sub-processors are US-incorporated. These are ancillary processors that do not hold protected customer data, so they do not change the assessment. CLOUD Act exposure is rated none.
CERTIFICATIONS

Frameworks & certifications · none listed

We checked the vendor's website and standard certification body registries. No active certifications found at the time of last audit (2026-05-18).
FEATURES

Capability matrix

Servers 548 servers
Countries 50 countries
Simultaneous devices 5 devices
Protocols WireGuard
Kill switch Yes
Audited no-logs Yes
Port forwarding No
Platforms iOS macOS Windows Android Linux
INTEGRATION & ACCESS
REST API No
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
from €5/mo
View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    mullvad.net/en…
    Open ↗
  • Terms of Service
    mullvad.net/en…
    Open ↗
ALTERNATIVES

Alternatives in this category

AirVPN
Italy · Founded 2010
EU-SOVEREIGN

Italian hacktivist-founded VPN (Perugia, 2010), no-logs, port forwarding, but no longer serves Italian residents (Piracy Shield).

Public DPA Sub-processors Open source
FROM
€7/mo
CLOUD ACT
NONE
AzireVPN
Sweden · Founded 2012
EU-HOSTED

Swedish privacy VPN (Stockholm, est. 2012): Blind Operator, RAM-only, audited no-logs; acquired by Malwarebytes (US) 7 Nov 2024.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL
CyberGhost
Romania · Founded 2011
EU-BASED

Romanian-operated VPN (CyberGhost S.R.L., 2011) under Kape Technologies (UK; ex-Crossrider) → Unikmind/Teddy Sagi (IM) since 2023; listed as a warning.

Public DPA Sub-processors Open source
FROM
€2/mo
CLOUD ACT
MINOR