Mullvad Says It Doesn’t Keep Logs. I Verified the Claim Using Mullvad’s Policies, Audit Reports, and Legal Records – Here is What I Found
- No, Mullvad doesn't keep logs that can identify your online activity. After reviewing its privacy policy, every independent audit, and even the 2023 police seizure of its servers, I found no evidence that Mullvad stores your browsing history, DNS queries, connection IPs, or other activity logs. The only caveat is that payment methods like credit cards and PayPal create records with the payment processor (not Mullvad itself). Apart from that, it does not log any data of any kind, not even bandwidth or time stamps.
I've been researching VPN logging policies for a while now, and most of them follow a familiar pattern - a clean privacy policy, a couple of audited checkboxes, and a "no logs" badge on the homepage. After a point, you start wondering how much of it actually holds up when pressure is applied.
Mullvad caught my attention for a different reason. In April 2023, Swedish police showed up at their office with a search and seizure warrant for customer data. Six officers. A valid warrant. The kind of situation most VPN providers only face in hypothetical discussions. They left without anything.
That's not a marketing claim. It's a documented event and it's what pushed me to actually dig into how Mullvad's system works rather than just take the privacy policy at face value. What I found was more detailed than I expected. Eleven independent audits going back to 2018. A signup process that doesn't ask for your name, email, or password. A legal framework that's more nuanced than "Sweden is privacy-friendly" or "Sweden is an EU country, so be careful."
This article goes through all of it - the policies, the audits, the legal landscape, and the edge cases that don't make it into the headline claims. The goal was to hunt down which logs Mullvad keeps and which it does not, and to give you a clear picture of what they actually store, what they don't, and how much of that has been independently verified.
How We Evaluated Mullvad's Logging Practices
We started by examining Mullvad's own privacy policies, technical documentation, and transparency materials to understand exactly what the company says it does - and just as importantly, what it says it doesn't collect. From there, we looked beyond the company's claims, comparing them against independent security audits, legal records, and documented real-world incidents that tested those promises under scrutiny.
This review wasn't built around marketing statements or self-declared policies. Wherever possible, our conclusions were based on evidence that came from third parties with direct visibility into Mullvad's infrastructure, security practices, or legal obligations.
All research for this assessment was completed in June 2026. Our goal was simple: determine whether Mullvad's no-logs policy has consistently held up in real-world situations, not just in its published documentation. To do that, we evaluated the service across the following key areas:
Policy Documentation: Mullvad publishes more policy documentation than most VPN providers bother with - a no-logging policy, a privacy policy, a cookie policy, and a dedicated page on Swedish legislation as it applies to them specifically. We read all of it, not just the headline claims. The details that matter are often buried: how long payment transaction IDs are kept, what exactly gets deleted after 5 minutes versus 20 days versus 70 days, which Swedish laws apply and which explicitly don't. We pulled all of that apart before drawing any conclusions.
Eleven Independent Audits: Between 2018 and 2026, Mullvad commissioned eleven security audits from three separate firms - Cure53, Assured AB, and X41 D-Sec. We read every one of them. Not the summaries. The actual reports, finding by finding. The audits that carried the most weight for our purposes were the ones where independent testers had direct administrative access to production servers, the real machines handling real user traffic, and specifically looked for logging configurations, data retention mechanisms, and PII exposure. Their findings, not Mullvad's policy documents, are what we used to verify the no-logs claims at the infrastructure level.
The 2023 Police Warrant: A privacy policy tells you what a company intends to do. A police warrant tells you what actually happens when someone demands the data. In April 2023, Swedish police arrived at Mullvad's office with a search and seizure warrant for customer data and left without any. We reviewed Mullvad's published account of that event, the third-party news coverage, and the Swedish legal framework that governed what the police could and couldn't demand to understand what that outcome actually proves and where its limits are.
Swedish Legal Framework: Sweden being Mullvad's home jurisdiction cuts both ways, and we wanted to understand exactly how. We went through the legislation Mullvad themselves publish a page about - which laws apply to them, which don't, and what tools authorities actually have available if they want user data. The Electronic Communications Act exemption matters. So does the Covert Surveillance of Data Act that became permanent in 2025. We covered both.
Edge Cases and Exceptions: The things that didn't fit neatly into the positive picture got their own attention. The Leta search proxy logging four characters of a UUID at quota limits. The OpenVPN authentication script temporarily recording IPs of invalid login attempts. The compressed log files a cleanup script was missing. These came up in audits and we documented them rather than glossing over them because understanding the actual limits of a no-logs policy is more useful than a clean but incomplete summary.
Community and External Sources: We also looked at what people outside Mullvad's own communications were saying - privacy forums, Reddit discussions, security researcher commentary, industry coverage of the 2023 police warrant. This helped us check whether anything was surfacing in the community that the official documentation wasn't addressing, and whether user experiences were broadly consistent with the policy claims.
Putting It All Together: The final step was looking across everything at once - policies, audits, legal incidents, edge cases, community feedback - and checking for consistency. Where the sources agreed, that built confidence. Where they didn't line up perfectly, we said so. The picture that emerged wasn't constructed from any single source. It came from all of them pointing in the same direction.
Mullvad Logging Policy Summary
What I Found in Mullvad's Privacy Policy Regarding Logs
To get a clear picture of whether Mullvad actually keeps logs, I went through every policy document they publish, the no-logging policy, the privacy policy, the cookie policy, the Swedish legislation page, and cross-referenced all of it against eleven independent security audits conducted between 2018 and 2026. What follows is everything I found, broken down by when and how data is handled, and what it actually means for your privacy.
1. On Their Website
The moment you land on Mullvad's website, most VPN providers would already be collecting data about you, such as browser fingerprints, IP addresses, referral sources, and other information that often feeds into Google Analytics or similar tracking platforms. Mullvad takes a very different approach.
There are no third-party analytics scripts running on the website:
- No Google Analytics
- No Facebook Pixel
- No external tracking services
- No fingerprinting technologies
Any minimal server-level information processed by their Nginx web server, including the page requested, response code, and timestamp, is automatically deleted after just five minutes. Once that period expires, only aggregated statistics remain, such as:
- Total number of requests received
- Number of successful requests
None of this information can be linked back to an individual visitor.
The cookie policy is equally minimal. Across the entire website, only five cookies are used, and all serve functional purposes rather than tracking users.
Three session cookies are automatically removed when you close your browser:
- A cookie that keeps you logged into your account
- A cookie that remembers your language preference
- A security token that protects against cross-site request forgery (CSRF) attacks
The remaining two cookies only appear when using the Stripe payment page:
- They belong to Stripe, not Mullvad
- They are only present during card payment processing
- Users who never pay by card will never encounter them
Privacy Impact: None. Server logs are deleted within five minutes, there are no trackers, analytics tools, or fingerprinting mechanisms, and the website leaves no lasting record of your visit.
2. When you sign up
This is where Mullvad genuinely diverges from almost every other service on the internet, VPN or otherwise. When you create an account, there is no form asking for your name, no email field, no password to set. The website generates a random 16-digit number (your account number), and that is it. That number is the only thing that identifies your account. You write it down, you keep it somewhere safe, and that's your login.
What makes this meaningful from a privacy perspective isn't just that Mullvad doesn't ask for your details. It's that the system is designed so that even if someone wanted to link your account to you, the information simply doesn't exist to make that connection. Multiple people can share one account. One person can create hundreds of accounts. There's no way to establish who created any given account or who is using it.
Where things get more nuanced is payment. Mullvad accepts a wide range of payment methods, and they are not equal from a privacy standpoint.
- Cash is the gold standard. You put money in an envelope with a payment token (not your account number) and mail it in. Mullvad opens it, adds time to the account, and shreds the envelope. They have no record of who sent it. The GDPR doesn't even apply because no personal data ever enters a filing system.
- Monero is the crypto equivalent - Mullvad runs its own full node, no third parties involved, and the transaction hash is stored only temporarily before deletion.
- Bitcoin and Bitcoin Cash work similarly but with one difference: the unique receiving address generated for each payment is stored alongside the transaction, then deleted after 20 days.
- Credit card, PayPal, Swish, and bank wire are a different story. These go through Stripe, PayPal, and Mullvad's bank (SEB). Those processors log everything, that's just how they operate. Mullvad stores the transaction reference on their end and deletes it after 20 days, but the payment processor still has a record that links your real identity to a payment made to Mullvad. If anonymity is important to you, these methods undermine it at the payment stage regardless of what Mullvad does afterward.
Privacy Impact: None to Medium, depending on payment method. The account system itself collects nothing personal. What you expose depends entirely on how you choose to pay.
3. When You Actively Use the VPN
This is the point where most VPN providers start collecting at least some operational data. Even services with strict no-logs policies often keep track of things like bandwidth usage, connected servers, session duration, or connection timestamps to help manage their networks.
When I dug into Mullvad's documentation and audit reports, I found that the only thing they actively track during a VPN session is the number of simultaneous connections tied to an account, and even that information never makes it to permanent storage.
Simultaneous Connection Count
Every Mullvad account supports up to five simultaneous connections. To enforce that limit, the VPN server performs a real-time check whenever you connect. During this process, it verifies:
- Your account number
- Whether your subscription time is still valid
- How many active connections are currently associated with the account
What stood out to me is what happens next. Once the check is complete, nothing is written to a database or stored for future reference. The information exists only in temporary memory for as long as the session remains active.
According to Mullvad's own explanations, they cannot tell you how many connections your account had a few minutes ago because that information no longer exists anywhere in their infrastructure.
As I continued reviewing their technical documentation and third-party audits, I found no evidence of the typical metrics many VPNs collect behind the scenes. There is:
- No bandwidth counter tracking how much data you use
- No record of which server you connected to
- No timestamp showing when you connected or disconnected
- No session duration logs
- No historical activity profile built over time
The 2022 Assured relay infrastructure audit independently verified this design, confirming that connection-limit enforcement operates entirely in RAM with no persistent storage. In other words, the system works exactly as Mullvad claims it does.
Privacy Impact: None - The only information tracked during active use is a live connection count used to enforce the five-device limit. That data exists solely in memory while the session is active and disappears the moment the connection ends, leaving no historical record of your VPN activity behind.
4. While You Are Actively Connected
This is the section that mattered most to me while researching Mullvad: what actually happens while your traffic is flowing through their servers. Their policy states it plainly:
- no traffic logging,
- no DNS request logging,
- no IP address logging,
- no connection timestamps.
But policies are just words. What made Mullvad's position credible to me was that independent security firms have actually gone onto those servers and verified these claims.
The 2022 Assured AB relay audit, which covered two WireGuard servers and one OpenVPN server with full administrative access, found that customer logging was disabled entirely across every core service: the WireGuard daemon, the OpenVPN daemon, the SOCKS proxy, the BIND DNS server, the blocklist service, and the WireGuard manager. Not just minimal logging. Not just anonymized logging. Disabled. Their conclusion was unambiguous: the configuration showed no signs of any customer data being recorded.
The DNS servers were audited separately during the same period. Auditors confirmed that the BIND daemon's query logging, the feature that would normally record the websites users look up, is switched off. DNS queries simply are not written down.
When I reviewed the findings from the 2024 Cure53 relay infrastructure audit, I found that the auditors went even further. They carried out extensive attempts to leak or inject traffic into protected parts of the network. Every attempt failed. They described the infrastructure as being in "exemplary condition" and confirmed that no method existed for compromising user traffic anonymity.
There is, however, one narrow exception that is worth being transparent about. The OpenVPN authentication script, which is used to identify and block brute-force attempts, temporarily logs the IP address of connection attempts made with completely invalid account numbers, accounts that do not exist in the system at all. Valid accounts and expired accounts are not logged. This temporary log is automatically cleared every hour. From what I found, this functions as an operational security measure rather than a surveillance mechanism, but it is still worth knowing about.
Privacy Impact: None - Based on everything I reviewed, no traffic, DNS queries, IP addresses, or session data are logged during active use. More importantly, this has been verified by multiple independent auditors with direct server access, rather than simply being taken on Mullvad's word.
5. What Persists After You Leave
After digging through Mullvad's privacy policy, technical documentation, and audit findings, I wanted to answer a simple question: what actually remains in their systems after you disconnect? The answer turned out to be surprisingly straightforward.
When your VPN session ends, there is no session summary generated and stored somewhere in the background. There is no bandwidth total attached to your account, no "last seen" timestamp, and no record showing that you connected at all. What remains is limited to information that already existed before you ever opened the app.
Data That Persists
1. Your account information
- Your account number
- Your account expiry date
This is the minimum information required to allow you to access your account and continue using the service.
2. WireGuard configuration data (if applicable)
If you use WireGuard, Mullvad stores:
- Your WireGuard public key
- Your assigned tunnel address
This information is necessary for the protocol to function. During my research, I found no indication that these details are used to track activity, and on their own they do not identify who you are.
3. Payment records
One area where data retention does exist is accounting. Swedish law requires companies to retain certain financial records for up to seven years. Mullvad complies with this requirement, but according to their documentation, the retained information is limited to the minimum fields necessary for accounting and regulatory purposes.
What is stored is not a detailed activity history linked to your VPN usage. It is simply the information required to meet legal bookkeeping obligations.
4. Support emails
If you contact Mullvad's support team, those communications are not kept indefinitely.
- Support emails are automatically deleted 70 days after a ticket is closed
- No manual action is required for this deletion process
Privacy Impact: None - Once a session ends, your activity disappears with it. The only data that remains is account information, protocol-related configuration data, and the minimum payment records required by law. There is no retained activity trail that could later be used to reconstruct your VPN usage.
What Does Mullvad NOT Log?
One thing I wanted to verify while researching Mullvad was whether its no-logging claims actually extended beyond marketing language. Their policies are unusually specific about what is not collected, their infrastructure is built around minimizing data retention, and multiple independent audits have examined the server configurations directly.
Below is a breakdown of one of the most important categories of data Mullvad says it does not log, along with the evidence supporting that claim.
1. Browsing Activity
Mullvad's no-logging policy is unambiguous on this point. The company states that it does not store:
- Websites visited
- DNS requests made while connected
- Browsing history of any kind
- Internet activity records
While reviewing their documentation, the DNS aspect stood out as particularly important. DNS logging is one of the easiest ways for a VPN provider to build a picture of user activity without technically logging traffic content.
Every website visit starts with a DNS lookup, where your device asks a server to translate a domain name into an IP address. If those requests are recorded, browsing habits can effectively be reconstructed even when the traffic itself is encrypted.
Mullvad operates its own DNS servers and performs DNS resolution internally. According to the 2022 Assured AB DNS server audit, auditors were given direct access to the servers handling these requests and verified that the BIND daemon, the software responsible for DNS resolution, had query logging disabled entirely.
The audit found:
- DNS query logging was turned off
- Auditors reviewed the server configuration directly
- No mechanism was found for recording DNS queries
Not reduced. Not anonymized. Simply off.
2. Source IP Addresses
This is often where VPN providers' no-log claims quietly break down. As I worked through Mullvad's documentation and audit reports, this was one of the areas I paid the closest attention to.
IP addresses have a habit of showing up in authentication logs, security systems, DDoS mitigation tools, and error reports, places that are not always covered in detail by a privacy policy because they fall under incidental rather than intentional data collection.
Mullvad's position is that source IP addresses are not logged anywhere in their infrastructure. Their no-logging policy explicitly lists IP address logging as something they do not do, and independent audits have specifically looked for this type of incidental logging.
There is one narrow and clearly disclosed exception.
The OpenVPN authentication script temporarily records the IP addresses of connection attempts made using account numbers that do not exist in Mullvad's system at all. These are completely invalid credentials, typically associated with brute-force attempts. This functions as a Fail2Ban security measure.
Importantly, this temporary IP logging applies only to:
- Invalid account numbers
- Connection attempts that do not correspond to real accounts
However, it does not apply to:
- Active accounts
- Expired accounts
- Legitimate users
The log is automatically cleared every hour.
The 2022 Assured AB relay audit identified this behavior, documented it, and recommended either shortening the retention period or disabling the log entirely. While it is worth being aware of, it is categorically different from logging the IP addresses of actual Mullvad users.
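The behaviour described here and in section 4 above, as an added example in Python (not Mullvad's OpenVPN authentication script): only attempts with account numbers that do not exist are counted per source IP, valid and expired accounts are never recorded, and the buffer is discarded hourly. The account numbers, IPs, timestamps and the block threshold are constructed assumptions.

```python
"""Authentication gate that notes source IPs only for non-existent accounts.

Added example, not Mullvad's OpenVPN auth script: it models the behaviour
reported in the 2022 Assured AB relay audit. Valid and expired accounts are
never recorded; attempts with account numbers that do not exist are counted
per source IP in a buffer cleared every hour. Account numbers, IPs,
timestamps and BLOCK_THRESHOLD are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

FLUSH_INTERVAL = 3600      # seconds; the buffer is cleared hourly
BLOCK_THRESHOLD = 10       # assumed: attempts per IP before it is refused outright


@dataclass
class AuthGate:
    accounts: dict[str, float]    # account number -> expiry (unix time)
    # source IP -> count of attempts with non-existent account numbers
    _invalid_attempts: dict[str, int] = field(default_factory=dict)
    _last_flush: float = float("-inf")   # forces a flush on the first call

    def authenticate(self, account: str, src_ip: str, now: float) -> str:
        """Classify one connection attempt; returns a short verdict string."""
        self._maybe_flush(now)
        if self._invalid_attempts.get(src_ip, 0) >= BLOCK_THRESHOLD:
            return "blocked"
        expiry = self.accounts.get(account)
        if expiry is None:
            # The only branch that touches the IP: the account number does not
            # exist at all, which is what a brute-force probe looks like.
            self._invalid_attempts[src_ip] = self._invalid_attempts.get(src_ip, 0) + 1
            return "reject-unknown"
        if expiry <= now:
            return "reject-expired"    # real account, out of time: not recorded
        return "accept"                # real, paid account: not recorded

    def _maybe_flush(self, now: float) -> None:
        """Drop the whole buffer once an hour; nothing is archived first."""
        if now - self._last_flush >= FLUSH_INTERVAL:
            self._invalid_attempts.clear()
            self._last_flush = now

    def logged_ips(self) -> set[str]:
        """What the buffer currently holds; never more than an hour old."""
        return set(self._invalid_attempts)
```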
3. Historical VPN Session Logs
Mullvad keeps no record of your VPN sessions once they end. There is no log being built anywhere that documents:
- When you connected
- Which server you used
- Where you connected from
- How long your session lasted
- How much data you transferred
The architecture is designed to make this impossible rather than simply choosing not to look. Connection enforcement, tracking how many simultaneous sessions your account is running, happens entirely in temporary memory on the server. The moment your session ends, that data is gone. It is not summarized, not archived, not moved to a different storage layer.
Mullvad has noted in their own documentation that they cannot tell you how many connections your account had five minutes ago. That is not a policy choice they could reverse - the information genuinely does not exist.
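The in-memory connection-limit check described here and in "When You Actively Use the VPN" above, as an added example in Python (not Mullvad's server code): the three checks run at connect time, the live count is the only state, and once the last session ends the account is absent from that state entirely. Account numbers, expiry times and session ids are constructed.

```python
"""Connection-limit enforcement that keeps state only in memory.

Added example, not Mullvad's server code: a live per-account count enforces
the five-connection limit, nothing is persisted, and nothing remains once
the last session ends. Account numbers, expiry times and session ids are
constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_CONNECTIONS = 5


@dataclass
class ConnectionRegistry:
    # account number -> expiry (unix time); the only durable account data
    expiry: dict[str, float]
    # account number -> live session ids; exists only while sessions do
    _live: dict[str, set[str]] = field(default_factory=dict)

    def connect(self, account: str, session_id: str, now: float) -> str:
        """Run the three checks listed in the article and admit or refuse."""
        exp = self.expiry.get(account)
        if exp is None:
            return "refused: unknown account"
        if exp <= now:
            return "refused: no time left"
        sessions = self._live.setdefault(account, set())
        if len(sessions) >= MAX_CONNECTIONS:
            return "refused: connection limit"
        sessions.add(session_id)
        return "connected"

    def disconnect(self, account: str, session_id: str) -> None:
        """Release the session; when the last one goes, the key goes too."""
        sessions = self._live.get(account)
        if not sessions:
            return
        sessions.discard(session_id)
        if not sessions:
            # No summary, no timestamp, no archive: the account simply no
            # longer appears in the live state.
            del self._live[account]

    def active_count(self, account: str) -> int:
        return len(self._live.get(account, ()))

    def snapshot(self) -> dict[str, int]:
        """Everything the server can answer about connections right now.
        There is no 'five minutes ago' view because that state is gone."""
        return {acct: len(s) for acct, s in self._live.items()}
```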
4. Traffic Metadata
As I dug deeper into Mullvad's no-logging claims, I found that the conversation goes beyond just browsing activity. Traffic metadata, the patterns surrounding your traffic, can often be just as revealing as the traffic itself.
This includes things like:
- Connection duration
- Data volume
- Timing patterns
- Exit IP associations
Even without inspecting the contents of traffic, this kind of information can be used to build a profile of a user's activity over time.
According to Mullvad, none of this information is retained. There is no bandwidth counter associated with your account that accumulates over time. No session duration records stored after the fact. No exit IP address tied to your account history. All Mullvad exit IPs are shared among multiple users simultaneously, and because no session history is maintained, there is no way to work backward from a particular piece of traffic and determine which account generated it, even from within Mullvad's own infrastructure.
The 2024 Cure53 relay infrastructure audit tested this directly. Auditors conducted extensive attempts to leak or correlate traffic across protected network segments and were unable to do so. Their conclusion was that no mechanism existed to compromise user traffic anonymity, and they described the infrastructure as being in exemplary condition.
5. What About While You Are Actually Connected?
While reviewing Mullvad's architecture, I found this distinction particularly important.
A VPN cannot function without temporarily knowing certain things. Your device's IP address, the fact that a connection is active, and the traffic being routed through the VPN must exist somewhere while the service is operating. The real question is what happens to that information afterward.
During an active session, Mullvad's servers hold connection state in temporary memory. This allows the service to:
- Route your traffic
- Maintain the active connection
- Enforce the five-connection limit per account
None of this information is written to disk. Once the session ends, it is discarded, leaving no persistent record behind.
Across four years of server-side audits by two independent firms, no evidence emerged that session data was being retained beyond the lifetime of the connection.
The separation is clear:
- Some information must exist temporarily for the VPN to function
- That information exists only while the session is active
- According to the audits, it is not retained once the connection ends
Mullvad's position, and the conclusion repeatedly reached by auditors, is that this temporary information never survives the session.
Independent Audits & Real-World Proof
Privacy policies tell you what a company says it does. Independent audits tell you what actually happens when experienced security researchers are invited to pull the entire system apart. After spending time going through Mullvad's audit history, I've come to think those third-party assessments are far more valuable than any marketing promise.
Between 2018 and 2026, Mullvad underwent eleven independent security assessments spanning virtually every critical component of its infrastructure. The scope evolved over time, starting with desktop applications before expanding to mobile clients, backend infrastructure, VPN relay servers, DNS systems, APIs, and eventually Mullvad's own in-house WireGuard implementation. I've reviewed audit histories from a number of VPN providers, and it's rare to see this level of sustained, transparent scrutiny across such a broad attack surface.
One thing became clear very quickly: not every audit answers the same question. Security audits look for vulnerabilities, insecure configurations, and exploitable code. No-logs audits focus on something entirely different - whether customer activity or identifying information is actually being stored. Throughout this section, I've separated those objectives because they matter for different reasons.
1. Cure53 - VPN Client Applications (September 2018)
This was the first time anyone outside Mullvad had looked at their code, and eight testers from two firms spent eighteen days going through the newly developed desktop client across all three platforms.
The most serious finding, a critical privilege escalation vulnerability on Windows, was reported, fixed, and verified while the test was still running. That kind of turnaround during an active engagement tells you something about how a team responds to scrutiny. Auditors noted it as a positive signal, and the Rust codebase overall drew praise for its quality and the inherent security advantages the language brings.
Worth being clear about what this audit couldn't tell us though: it covered client software only. No verdict was possible on whether the servers were logging anything. That question would have to wait for later engagements - but establishing that the app itself wasn't leaking data or behaving unexpectedly was a necessary first step.
Full report: VPN Client Applications (September 2018)
2. Cure53 - Apps, Clients & API (May 2020)
Two years later, Cure53 came back with a much broader scope - five platforms, the API layer, twenty days, six testers. The improvement in severity compared to 2018 was real: nothing above Medium, everything resolved before the final report landed.
The detail that jumped out at me for logging purposes: auditors confirmed that the AccountData cache (the in-memory store the app uses during an active session) was never written to disk. It lived in RAM and nowhere else. That's the technical reality behind Mullvad's claim that session data doesn't persist anywhere.
They also went through the Android and iOS device logs looking for anything that might leak. The only thing they found was a static internal VPN IP appearing in Android's system log - something the Android OS itself generates, not Mullvad, and something you'd need physical access to the device to retrieve. Their overall verdict: "No PII leaks were found." Straightforward and unqualified.
Full report: Cure53 - Apps, Clients & API (May 2020)
3. Cure53 - VPN Servers & Infrastructure (December 2020)
This was the first audit that genuinely tested Mullvad's privacy claims because researchers were no longer limited to the applications - they were inspecting the servers responsible for handling customer traffic.
Several infrastructure issues were identified, including container configuration weaknesses and an attack capable of disconnecting OpenVPN users. Those deserved fixing, and Mullvad addressed them.
What mattered more to me, however, was what investigators didn't find.
They examined server logging practices directly, including compressed backup logs that a cleanup script had failed to remove. Even those leftover logs contained no personally identifiable information. The oversight wasn't that data had been retained - it was simply that empty compressed logs hadn't been deleted.
The audit concluded without identifying evidence of customer data exposure or privacy leaks.
Full report: Cure53 - VPN Servers & Infrastructure (December 2020)
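The cleanup gap this audit describes, as an added example in Python (not Mullvad's cleanup script): a sweep that matches only `*.log` leaves rotated and compressed copies behind, while a sweep that recognises rotation and compression suffixes removes every expired file. The file names, ages and 24-hour retention window are constructed for the example.

```python
"""Retention sweep that covers rotated and compressed log files.

Added example, not Mullvad's cleanup script: the naive pattern reproduces
the gap the December 2020 audit reported (compressed backup logs left
behind) and the corrected sweep closes it. File names, ages and the
retention period are constructed.
"""
import os
import re
import tempfile
import time
from pathlib import Path

RETENTION_SECONDS = 24 * 3600   # assumed retention window for this example

# Matches access.log, access.log.1, access.log.2.gz, error.log.gz, ...
ROTATED_LOG = re.compile(r"\.log(\.\d+)?(\.gz|\.xz|\.zst)?$")


def naive_sweep(log_dir: Path, now: float) -> list[str]:
    """Deletes only '*.log' files: the shape of the bug the audit reported."""
    removed = []
    for path in log_dir.glob("*.log"):
        if now - path.stat().st_mtime > RETENTION_SECONDS:
            path.unlink()
            removed.append(path.name)
    return sorted(removed)


def full_sweep(log_dir: Path, now: float) -> list[str]:
    """Deletes every expired log regardless of rotation suffix or compression."""
    removed = []
    for path in log_dir.iterdir():
        if (path.is_file() and ROTATED_LOG.search(path.name)
                and now - path.stat().st_mtime > RETENTION_SECONDS):
            path.unlink()
            removed.append(path.name)
    return sorted(removed)


def leftovers_after(sweep, age_days: int = 3) -> list[str]:
    """Build a constructed log directory, run `sweep`, return what survived."""
    now = time.time()
    old = now - age_days * 86400
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Stale rotated/compressed copies, empty like the ones the auditors found
        for name in ("access.log", "access.log.1", "access.log.2.gz", "error.log.gz"):
            (d / name).write_text("")
            os.utime(d / name, (old, old))
        (d / "current.log").write_text("")   # fresh file; must survive either sweep
        sweep(d, now)
        return sorted(p.name for p in d.iterdir())
```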
4. Assured AB - VPN Relay Servers (June 2022)
If I had to point to one audit that most directly answers the question of whether Mullvad logs user activity, it's this one. Assured AB was given remote administrative access to the actual production relay servers, the real machines through which real user VPN traffic flows, and their stated primary objective was to determine whether any customer data was being logged or leaked.
What they found was that logging was disabled entirely across every core service: the WireGuard daemon, the OpenVPN daemon, the SOCKS proxy, the BIND DNS server, the blocklist service, and the WireGuard manager. Not reduced. Not anonymized. Completely disabled. Their conclusion: "the configuration is sound and did not display signs of any direct customer information."
WireGuard, OpenVPN, DNS services, SOCKS proxies, and management components showed no evidence of recording customer activity.
The only exceptions were operational safeguards that I found entirely reasonable after reading the report. Failed authentication attempts using completely invalid account numbers were temporarily logged for brute-force protection before being automatically deleted every hour. Separately, a dormant debug option existed that could log client IP addresses if an administrator manually enabled verbose logging - a feature that auditors confirmed was inactive.
Neither finding altered the overall conclusion. The relay infrastructure itself showed no evidence of logging real customer traffic.
Full report: Assured AB - VPN Relay Servers (June 2022)
5. Assured AB - DNS Servers (September 2022)
DNS logging is something I think a lot of people overlook when evaluating VPN privacy. Every website you visit begins with a DNS lookup. If those lookups are recorded, your browsing habits are effectively documented even without anyone reading a single packet of your traffic. This audit went specifically after that question.
The answer was clean. Auditors confirmed the BIND daemon had query logging switched off. Some technical log categories were still active (DNSSEC operations, zone transfer events, security-related messages), but none of them records user lookups. The DNS configuration itself was found to follow best practices across the board: DNSSEC implemented, queries restricted to authorized sources, strong cryptographic algorithms throughout.
One finding worth mentioning for completeness: the primary server had a cloud-init installation log containing a password hash from the server setup process. This was a server administration issue rather than a user-data one; the hash belonged to an admin account intended to be removed after setup. It is still the kind of artifact worth scrubbing, since a hash left in an install log can be attacked offline for as long as the account exists. Auditors flagged it and recommended disabling debug logging during future installations.
Full report: Assured AB - DNS Servers (September 2022)
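The relay and DNS audits both come down to the same kind of check: read the daemon configuration and confirm that the categories of logging which would capture client activity are off while the operational ones may stay on. To make that concrete, here is a small checker written for this article; it is not Mullvad's tooling and is not taken from the audit reports. It inspects an OpenVPN server config for the directives that persist connection details to disk (`log`, `log-append`, `status`, `ifconfig-pool-persist`, and a `verb` level above 0) and a BIND `named.conf` for an active `queries` category or `querylog yes`. The four config texts are constructed samples, not real relay configuration.

```python
import re

# Added example, not Mullvad's tooling. The config texts below are constructed samples
# that only illustrate the settings the audits describe; they are not real relay configs.

# OpenVPN directives that persist connection details (client addresses, sessions) to disk.
OPENVPN_DISK_LOGGING = {"log", "log-append", "status", "ifconfig-pool-persist"}


def openvpn_logging_findings(config_text):
    """Return the lines of an OpenVPN server config that would record client activity.
    `verb 0` emits only fatal errors; any higher level logs connection events, and the
    default when `verb` is absent is 1."""
    findings = []
    saw_verb = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both OpenVPN comment styles
            continue
        directive, *args = line.split()
        if directive in OPENVPN_DISK_LOGGING:
            findings.append(line)
        elif directive == "verb":
            saw_verb = True
            if args and args[0] != "0":
                findings.append(line)
    if not saw_verb:
        findings.append("verb (absent, defaults to 1)")
    return findings


# BIND: a `category` routes to channels, and the `null` channel discards.
# `querylog yes` in options is the other switch that turns query logging on.
CATEGORY_RE = re.compile(r"category\s+([\w-]+)\s*\{([^}]*)\}")
QUERYLOG_RE = re.compile(r"\bquerylog\s+(yes|no)\s*;")
USER_ACTIVITY_CATEGORIES = {"queries", "query-errors"}


def bind_logging_findings(named_conf):
    """Return (query_logging_on, active_categories) for a named.conf.
    active_categories lists every category routed somewhere other than `null`, so the
    caller can tell user-activity categories from housekeeping ones (dnssec, xfer, security)."""
    active = {}
    for match in CATEGORY_RE.finditer(named_conf):
        channels = [c.strip() for c in match.group(2).split(";") if c.strip()]
        if channels and channels != ["null"]:
            active[match.group(1)] = channels
    querylog = QUERYLOG_RE.search(named_conf)
    query_logging_on = any(c in active for c in USER_ACTIVITY_CATEGORIES) or (
        querylog is not None and querylog.group(1) == "yes"
    )
    return query_logging_on, active


# Constructed samples: a typical default-ish setup and a hardened one.
OPENVPN_SAMPLE = """\
# constructed sample, not a real relay config
port 1194
proto udp
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log 10
verb 3
"""

OPENVPN_HARDENED = """\
port 1194
proto udp
verb 0
"""

NAMED_SAMPLE = """\
logging {
  channel query_log { file "/var/log/named/query.log"; severity info; };
  channel sec_log { file "/var/log/named/security.log"; severity info; };
  category queries { query_log; };
  category security { sec_log; };
};
"""

NAMED_HARDENED = """\
logging {
  channel ops_log { file "/var/log/named/ops.log"; severity info; };
  category queries { null; };
  category dnssec { ops_log; };
  category xfer-out { ops_log; };
  category security { ops_log; };
};
"""

if __name__ == "__main__":
    print("openvpn sample:", openvpn_logging_findings(OPENVPN_SAMPLE))
    print("openvpn hardened:", openvpn_logging_findings(OPENVPN_HARDENED))
    print("bind sample:", bind_logging_findings(NAMED_SAMPLE))
    print("bind hardened:", bind_logging_findings(NAMED_HARDENED))
```

The checker is deliberately conservative: it reports a `verb` level above 0 even though where those messages end up depends on how the daemon's output is captured, because that is the question an auditor would then go and answer.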
6. Mullvad API Penetration Test (December 2022)
The API acts as the bridge between customer applications, payments, and VPN infrastructure, making it another place where sensitive information could potentially accumulate. Across both independent API assessments, I found a consistent design philosophy: collect as little information as possible.
Auditors confirmed that the backend stored no personally identifiable information beyond operational necessities, payment metadata was removed after refund windows expired, and VPN relay servers remained architecturally separated from customer account identities.
The most serious issue uncovered - a race condition allowing voucher reuse across multiple accounts - was a genuine business logic flaw, but it affected billing rather than privacy. Importantly, it didn't expose customer information or compromise traffic anonymity.
Full report: Mullvad API Penetration Test (December 2022)
7. Mullvad Leta Penetration Test (April 2023)
Leta is Mullvad's own search proxy, a privacy-focused alternative to using Google or Bing directly while connected to the VPN. This audit examined whether using it left any trace of your search activity.
The baseline was good. Nginx access and error logging were explicitly disabled, meaning search queries and the IP addresses making them weren't being recorded in the obvious places. But two things came up that are worth knowing about.
First, when a user hits their daily search quota, four characters of their internal UUID get logged. It's partially anonymized, but auditors flagged it as potentially insufficient for full anonymity. Four hexadecimal characters of a random identifier still divide users into only 65,536 buckets, so with a modest user base most logged prefixes match exactly one account; it's more than zero, even if it's not a complete fingerprint.
Second, search terms and results were being stored in a cache database, and expired entries weren't being automatically cleaned out. In practice this meant a history of search terms could sit in that cache until someone manually cleared it or the service restarted. For a service built around privacy, that was a meaningful gap - the kind of thing you only find when someone actually goes looking for it.
Full report: Mullvad Leta Penetration Test (April 2023)
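To put a number on the four-character finding, here is an added example written for this article (not Leta's code): it generates locally constructed 128-bit identifiers, measures how many of them are uniquely pinned down by a four-character prefix, and contrasts that with a keyed, rotating pseudonym for quota bookkeeping. The rotation scheme is my own suggestion of how such a counter could be keyed without a durable identifier, not a description of what Mullvad changed; the key names and ID generator are assumptions for the demonstration.

```python
import collections
import hashlib
import hmac
import random

# Added example, not Leta's code. Identifiers are generated locally for the demonstration.

PREFIX_LEN = 4  # characters of the UUID that ended up in the quota log


def make_ids(count, seed):
    """Constructed stand-ins for random UUIDs: 128 random bits rendered as 32 hex chars."""
    rng = random.Random(seed)
    return [f"{rng.getrandbits(128):032x}" for _ in range(count)]


def prefix_buckets(user_ids, n=PREFIX_LEN):
    """How many accounts share each n-character prefix (16**n possible buckets for hex)."""
    return collections.Counter(uid[:n] for uid in user_ids)


def fraction_unique(user_ids, n=PREFIX_LEN):
    """Share of accounts whose logged prefix matches no other account, i.e. the fraction of
    quota-log entries that point at exactly one user."""
    buckets = prefix_buckets(user_ids, n)
    return sum(1 for uid in user_ids if buckets[uid[:n]] == 1) / len(user_ids)


def quota_log_key(user_id, rotating_key):
    """Keyed, truncated digest for quota bookkeeping (my suggestion, not Mullvad's design).
    The same user maps to the same key while `rotating_key` is in use, which is all a daily
    counter needs; once the key is discarded, old entries can no longer be tied back to the
    UUID, whereas a plain prefix stays linkable for as long as the log exists."""
    return hmac.new(rotating_key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    for population in (1_000, 10_000, 200_000):
        ids = make_ids(population, seed=7)
        print(f"{population:>7} users: {fraction_unique(ids):.1%} uniquely identified by 4 chars")
    uid = make_ids(1, seed=1)[0]
    print("day 1 key:", quota_log_key(uid, b"assumed-day-1-key"))
    print("day 2 key:", quota_log_key(uid, b"assumed-day-2-key"))
```

Roughly, the chance that a given user's prefix is shared by none of the other N-1 users is (1 - 1/65536)^(N-1), so at ten thousand users about 86% of logged prefixes identify one account outright, and it takes a population in the hundreds of thousands before a four-character prefix starts to hide anyone.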
8. Cure53 - Relay Infrastructure (June 2024)
This is the most recent infrastructure audit, and in some ways the most direct stress test of Mullvad's core privacy guarantee. Cure53's explicit goal was to determine whether user traffic anonymity or integrity could be compromised. They ran extensive attempts to leak traffic, correlate connections, and inject data into protected network segments.
Every attempt failed. No mechanism was found that could compromise user traffic anonymity. Cure53 described the infrastructure as being in "exemplary condition," language that's rarely used lightly in professional security assessments.
Full report: Cure53 - Relay Infrastructure (June 2024)
9. Mullvad VPN Web Application Pentest (September 2025)
This assessment shifted the focus away from VPN infrastructure and onto something users interact with before they even connect: Mullvad's website. The review covered both the standard mullvad.net website and its Tor onion service, which exists for people who want to avoid exposing their identity before establishing a VPN connection.
What I found most reassuring wasn't the absence of vulnerabilities, but the way privacy had been built into the web infrastructure itself.
The auditors examined the system logs and found no personally identifiable information being recorded about people visiting the website. For the Tor onion service, they verified an important privacy safeguard that most users would never notice. The service strips the X-Forwarded-For header before requests reach the web application. That matters because this header is how proxies pass along a visitor's real IP address; if it isn't removed, the backend could see information that Tor is supposed to conceal. And because any client can set arbitrary request headers, an unstripped X-Forwarded-For is also a way to plant a false address in backend logs. By stripping it at the edge, Mullvad ensures the application never receives a client address in the first place.
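Here is what that edge step looks like in code, as an added example for this article rather than Mullvad's deployment: a function that drops every client-address header at the edge, and a typical backend routine that would otherwise trust X-Forwarded-For or RFC 7239 Forwarded. The request headers are constructed, and the assumption that onion traffic reaches the backend from the Tor daemon on localhost is mine.

```python
# Added example, not Mullvad's configuration or code. Request headers are constructed.

# Headers that can carry or hint at an upstream client address.
CLIENT_ADDRESS_HEADERS = frozenset({
    "x-forwarded-for", "x-real-ip", "x-client-ip", "forwarded", "via",
})

# Assumption for the demo: onion requests arrive from the Tor daemon on the local host.
ONION_REMOTE_ADDR = "127.0.0.1"


def strip_client_address_headers(headers):
    """Edge step: remove every header that could expose or spoof a client address."""
    return {name: value for name, value in headers.items()
            if name.lower() not in CLIENT_ADDRESS_HEADERS}


def backend_client_ip(headers, remote_addr):
    """Typical application logic: prefer X-Forwarded-For, then RFC 7239 Forwarded,
    then the socket address. Whatever the edge forwards is what the app (and its logs) see."""
    lowered = {name.lower(): value for name, value in headers.items()}
    xff = lowered.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    forwarded = lowered.get("forwarded")
    if forwarded:
        for part in forwarded.replace(";", ",").split(","):
            key, _, value = part.strip().partition("=")
            if key.lower() == "for":
                return value.strip('"')
    return remote_addr


def ip_seen_by_backend(headers, strip_at_edge):
    """What the application would record for one request, with or without the edge step."""
    if strip_at_edge:
        headers = strip_client_address_headers(headers)
    return backend_client_ip(headers, ONION_REMOTE_ADDR)


# Constructed requests: one carrying X-Forwarded-For, one carrying Forwarded.
XFF_REQUEST = {"Host": "example.onion", "X-Forwarded-For": "203.0.113.7", "User-Agent": "demo"}
FORWARDED_REQUEST = {"Host": "example.onion", "Forwarded": 'for="198.51.100.9";proto=https'}

if __name__ == "__main__":
    for req in (XFF_REQUEST, FORWARDED_REQUEST):
        print("unstripped:", ip_seen_by_backend(req, strip_at_edge=False),
              " stripped:", ip_seen_by_backend(req, strip_at_edge=True))
```

The point of stripping at the edge rather than teaching the application to ignore the header is that it removes the decision from every code path that might log, rate-limit or geolocate by address.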
Another detail that stood out to me was how the onion service intentionally limits certain payment methods. At first glance that might seem restrictive, but the reasoning is entirely privacy-driven. Some payment options can leak identifying information through external providers, so disabling them on the Tor version reduces another potential source of exposure.
Like many of Mullvad's later audits, this one wasn't memorable because it uncovered major problems. It was memorable because it confirmed that privacy considerations had been carried through into areas that many VPN providers rarely think to have independently verified.
Full report: Mullvad VPN Web Application Pentest (September 2025)
10. X41 D-Sec - API Security Review (January 2026)
X41's review confirmed something architecturally important: VPN relays only ever see WireGuard keys. They never learn which account those keys belong to. The API never sees VPN traffic. Log messages and statistics are intentionally structured to exclude account information. Payer metadata from external processors gets scrubbed from the database once the refund window closes.
The most significant finding was a voucher race condition - X41 verified they could redeem a single voucher across 16 different accounts simultaneously in a production environment. That's a real financial integrity problem, and it pointed to broader concurrency issues in the codebase that needed architectural attention. But it's a billing vulnerability, not a privacy one. No user data was exposed.
Full report: X41 D-Sec - API Security Review (January 2026)
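The voucher finding in both API audits is a textbook check-then-act race, so it is worth seeing the shape of it. The following is an added example written for this article, not Mullvad's API code: an in-memory stand-in for a voucher table, a redeem routine that reads and then writes in two steps, and an atomic version. A barrier stands in for the scheduler gap or database round trip that lets sixteen concurrent callers all pass the check before any of them writes; the store, voucher code and account names are constructed.

```python
import collections
import threading

# Added example, not Mullvad's API code. The voucher store is an in-memory stand-in.


class VoucherStore:
    def __init__(self, codes):
        self.rows = {code: None for code in codes}  # code -> account that redeemed it
        self.credits = collections.Counter()        # account -> redemptions credited
        self.lock = threading.Lock()


def redeem_racy(store, code, account, gap):
    """Vulnerable: the check and the claim are separate steps. `gap` stands in for the
    scheduler switch or database round trip between them."""
    if store.rows[code] is not None:  # 1. check: still unredeemed?
        return False
    gap()                             # every concurrent caller is past the check here
    store.rows[code] = account        # 2. claim: last writer wins, but everyone returns True
    store.credits[account] += 1       # and everyone gets credited
    return True


def redeem_atomic(store, code, account, gap):
    """Fixed: check and claim happen as one step. In SQL this is a single conditional
    UPDATE vouchers SET redeemed_by = ? WHERE code = ? AND redeemed_by IS NULL,
    accepting the redemption only when the statement reports one affected row."""
    gap()  # concurrency itself is not the problem; the ordering of check and claim is
    with store.lock:
        if store.rows[code] is not None:
            return False
        store.rows[code] = account
        store.credits[account] += 1
    return True


def concurrent_redemptions(redeem, accounts=16):
    """Fire `accounts` simultaneous redemptions of one voucher.
    Returns (successful calls, total credits granted)."""
    store = VoucherStore(["VOUCHER-1"])
    barrier = threading.Barrier(accounts)  # releases only once all callers are waiting
    outcomes, outcomes_lock = [], threading.Lock()

    def worker(i):
        ok = redeem(store, "VOUCHER-1", f"account-{i}", barrier.wait)
        with outcomes_lock:
            outcomes.append(ok)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(accounts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes), sum(store.credits.values())


if __name__ == "__main__":
    print("racy:   successes, credits =", concurrent_redemptions(redeem_racy))
    print("atomic: successes, credits =", concurrent_redemptions(redeem_atomic))
```

The lock here is a stand-in for whatever the real backend uses for serialization (a conditional update, a unique constraint, or a transaction at the right isolation level); the property to preserve is that the check and the claim cannot be interleaved with another caller's.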
11. Assured AB - GotaTun Code Review (February 2026)
Of all the audits I went through, this one left the strongest impression on me. Not because it uncovered a serious flaw, but because it barely found anything at all.
GotaTun is Mullvad's own implementation of WireGuard, built entirely in-house rather than relying on existing software. Developing a networking protocol implementation from scratch introduces additional risk, so I was particularly interested to see how it held up under independent review.
Assured AB examined the source code in early 2026, and the results were remarkably clean. There were no Critical, High, or Medium severity findings. The only issues identified were two low-severity code quality concerns: one related to session identifier generation not fully matching the WireGuard specification, and another involving a broken buffer pool implementation. Neither issue affected user privacy, traffic security, logging, or data retention.
What stood out to me wasn't simply the outcome. It was the timing. Mullvad chose to hand brand-new code to an external security firm before rolling it out more broadly. That tells me the company treats independent review as part of its development process rather than something performed after the fact to satisfy a compliance checklist.
After reading through years of audits, that willingness to invite scrutiny before deployment feels just as meaningful as the clean report itself.
Full report: Assured AB - GotaTun Code Review (February 2026)
Real-World Tests of Mullvad's No-Logs Claims
Privacy policies and audits are useful, but nothing cuts through the noise quite like watching what actually happens when law enforcement shows up at the door. With Mullvad, we don't have to speculate about that scenario. It already happened and the outcome was about as clear a validation of a no-logs policy as you're ever going to see in this industry.
1. The Swedish Police Search Warrant (April 2023)
It's April 18, 2023. At least six officers from Sweden's National Operations Department (not local police, the national unit) walk into Mullvad's office in Gothenburg carrying a search and seizure warrant. They're there for customer data.
What happened next is the part that matters. Mullvad didn't lawyer up and stall. They didn't fight it in court for years. They did something far simpler: they showed the officers exactly how the service works and explained that the data being requested didn't exist. There was nothing to hand over because nothing had ever been stored.
They made three moves. They told the officers plainly that their no-logs policy wasn't just a marketing claim - it was the actual state of their systems. They argued the legal point, making the case that seizing computers would be unlawful under Swedish law precisely because no user information lived on them. And they walked the officers through the architecture in person, demonstrating how the service operates.
The officers stepped outside, consulted with a prosecutor, came back in, and left. No computers taken. No customer data provided. Empty-handed.
I find this case more convincing than any audit. Audits examine systems at a point in time. This was real officers with a real warrant testing whether the policy actually held - and it did, not because of clever legal footwork, but because the data genuinely wasn't there to be taken.
What Mullvad Could and Couldn't Provide
The 2023 police visit makes the following lists concrete rather than theoretical. This is what Mullvad actually holds on any given user and what it doesn't, drawn from the privacy policy and the audit findings above.
What Mullvad Could Provide
- The account number itself, with nothing attached to it: no name, no email, no password
- The account's expiry date, i.e. how much paid time remains
- Whatever payment record the law requires it to keep, with card and PayPal details living at the payment processor rather than at Mullvad
What Mullvad Could Not Provide
- Browsing history
- DNS queries
- Source IP addresses or connection history
- Connection timestamps, session duration or last-activity time
- Per-account bandwidth usage
- Any link between an account number and a real-world identity
That gap between the two columns is the entire point of how Mullvad built their system. An account number sitting in a database, with no name attached, no email, no IP history, no session record, tells an investigator nothing useful about the person using it. The 2023 warrant proved that isn't just a claim. It's how the system actually behaves under pressure.
What Swedish Law Actually Means for Your Privacy
A lot of people see "Sweden" and immediately wonder whether being in an EU country creates legal risk. It's a fair question, and the answer is more nuanced than a simple yes or no.
Here's what works in your favor. Mullvad is not classified as an electronic communications provider under Swedish law. That classification matters enormously because it's what would normally give authorities the power to demand data retention and disclosure from telecoms and ISPs. Without it, those legal tools don't apply to Mullvad. When NOA (the National Operations Department) came in 2023, they needed a physical search warrant rather than a standard data disclosure order because the disclosure route had no legal basis.
The physical seizure route, as we saw, hits a dead end when there's nothing identifying on the machines to seize.
There is one genuine exposure worth being straight about. Sweden's Covert Surveillance of Data Act, which became permanent in April 2025, allows law enforcement to secretly install software directly onto a suspect's device. That captures data before it ever reaches the VPN tunnel, before encryption even kicks in. This isn't a Mullvad problem specifically. No VPN on earth protects against device-level surveillance. But it's worth understanding clearly: if someone installs monitoring software on your machine, the VPN isn't your shield at that point.
Everything above the device level, though (your traffic, your DNS queries, your connection history, your IP address), Mullvad genuinely doesn't have it. The police visit proved that. The audits confirmed it. The architecture was designed to make it true.
Is Mullvad Really a No-Logs VPN?
Yes. After reviewing every piece of evidence I could find, I couldn't find a single instance where Mullvad logged identifiable user activity.
I expected to uncover at least one overlooked log, temporary identifier, or infrastructure exception that contradicted its no-logs claims. Instead, every source I examined, from Mullvad's own documentation to eleven independent security audits and even the 2023 attempted police seizure of its servers, pointed to the same conclusion: Mullvad does not retain browsing history, DNS queries, source IP addresses, connection timestamps, or historical VPN session data. The police left empty-handed not because the company refused to cooperate, but because there was no customer activity data to hand over.
That said, Mullvad is not a zero-data service. Like any VPN that needs to function as a business, it retains a minimal amount of account and payment information. Your account number, its expiry date, and legally required payment records exist in their systems. The difference is that none of this connects to who you actually are or what you actually do online.
What also sets Mullvad apart from most of the industry is the depth of verification behind these claims. Eleven audits across four independent firms examined every layer of the stack - client apps, mobile apps, server infrastructure, relay servers, DNS servers, the API backend, the search proxy, the website, and a custom-built WireGuard implementation. Across all of them, no auditor found evidence of user activity logging anywhere in the system. That's not a single snapshot audit. That's eight years of consistent, layered, independent scrutiny.
What Supports Mullvad's No-Logs Claims
- No browsing history logged
- No DNS query logging - confirmed disabled by independent audit
- No source IP address logging
- No connection timestamps or session duration records
- No bandwidth usage tracking per account
- No last-activity timestamp on accounts
- Anonymous account system requiring zero personal information to sign up
- Connection enforcement handled entirely in RAM - never written to disk
- Eleven independent security audits across four firms (2018–2026)
- Real-world legal test passed - Swedish police left empty-handed in April 2023
- Legally exempt from standard telecommunications data retention laws in Sweden
- Open-source client applications across desktop and mobile platforms
- Cash and Monero payment options for fully anonymous account funding
What Prevents a Perfect Score
- Payment processors (Stripe, PayPal) maintain their own records if you pay by card - Mullvad can't control that
- The Leta search proxy had a partial UUID logging edge case when search quotas were hit - flagged in the 2023 audit
- Search term caching in Leta wasn't auto-purging expired entries at the time of the 2023 audit
- Swedish Covert Surveillance of Data Act (permanent since April 2025) allows device-level monitoring - though this bypasses all VPNs, not just Mullvad
- Physical server seizure remains legally possible under Swedish law, though audits confirm seized servers would yield no user data
- No single dedicated no-logs certification audit - though the breadth of security audits and the 2023 police encounter provide stronger real-world validation than most dedicated certifications do