Mullvad is a secure VPN that provided a seamless experience during our testing: It was easy to set up, and it hummed along so quietly in the background that we would often forget that it was even turned on. The company excelled in signals of transparency and trust, and in our testing the service was easy to use and delivered some of the fastest speeds of any VPN we tested. Dedicated apps for Windows, macOS, Android, and iOS make Mullvad simple to set up on a variety of devices even if you have little technical knowledge. Mullvad’s subscription is reasonably priced and costs the same whether you use the service for a month or a year, and one subscription can support up to five simultaneous connections at a time, so it’s easy to use on all of your devices, too.

In May and June 2020 Mullvad underwent a third-party security audit, a process that is key for improving trust in an opaque industry. Though we wish that Mullvad, like IVPN, allowed testers to look at its servers—something only the company can authorize—the white-box audit was otherwise comprehensive and included a look at Mullvad’s phone apps, something IVPN’s audit didn’t cover. Conducted by Cure53, the audit took six testers a total of 20 person-days to complete (IVPN’s took 21 person-days). In evaluating Mullvad, auditors spotted seven vulnerabilities, implementation issues, and other findings: two of medium severity, two of low severity, and three informational. In comparison, IVPN had three high-severity issues, two of medium severity, three of low severity, and one informational. Both companies issued updates quickly. Cure53’s report states that Mullvad “does a great job protecting the end-user from common PII leaks and privacy related risks.”

Mullvad’s transparency is another strong signal of trust. Located in Sweden, the company (Amagicom) is directly owned by founders Fredrik Strömberg—who works on research and development in security—and Daniel Berntsson, and it lists its employees on its site. Plus, according to Mullvad’s CEO, many of the people on its 22-person team use Qubes, a security-focused operating system designed to keep sensitive work isolated and secure even if an attacker were to breach another portion of the computer.

Mullvad keeps its policies comprehensive and transparent, and those policies generally minimize the data it collects at every step. Although the privacy policy is a bit jargony, its policy page links to additional documents explaining the company’s cookie policy, its no-logging policy, and the Swedish legislation it finds relevant as a VPN provider. The privacy policy states that the company does not collect or store activity logs of any kind. It may not even collect an email address during sign-up, depending on how you choose to pay. It typically stores only the account number and the time remaining on an account, plus a few other configuration details. Stored data includes whether customers are making payments via PayPal, Stripe, Swish, or bank wire, or if they send an email or report a problem (additional information for other types of payments is described in various policy pages on the site). Mullvad stores transaction IDs and email addresses for PayPal transactions but deletes them after six months.

Mullvad collects less information than many VPNs and a little less than IVPN. For example, IVPN stores email addresses, the associated IVPN ID and expiration date, and some payment information and transaction information. Mullvad collects very little data on its customers, and all of the cookies that may track you on the Mullvad website expire when you close the browser window. Those cookies include one that allows you to log in, a cookie that retains your language preference, a security cookie that prevents cross-site request forgeries, and cookies for Mullvad’s payment processor for some payment types. In contrast, IVPN uses a web analytics service—Piwik/Matomo—and collects data on your browser user-agent, language, screen resolution, referring website, and IP address, though it does discard the last piece of the IP address. Piwik may also use a web cookie to identify users who revisit the site. In addition, IVPN stores customers’ transaction and subscription IDs to process their money-back guarantee, enable auto-renewal subscriptions, and resolve payment issues.

Mullvad has fairly readable terms of service, including details about what kinds of information the company collects and how it uses that information.

You can request a copy of personal data and a registry extract from Mullvad. These requests will be honored within a month (the period may be extended if the request is particularly complex). This is similar to IVPN’s privacy policy, which says it will respond to “reasonable requests for release of a specific user’s data ... within 28 days of an acceptable request.” However, IVPN also states that it reserves “the right to refuse or charge for requests that are manifestly unfounded or excessive” but that the company will provide the reason for the refusal and “recourse to refer to the supervisory authority.”

Mullvad has fairly readable terms of service, including details about what kinds of information the company collects and how it uses that information. As we discuss in the section on trusting a VPN, using a VPN service beholden to US laws provides for some level of consumer protection, but some people argue that services outside the US are less likely to be swept up in US-government data-collection efforts. We’re unable to draw distinctions between the laws of Sweden (or Gibraltar, where IVPN is incorporated) and US law in this regard, but we do like that Mullvad includes details on how it handles government requests for data. It also says it retains lawyers to monitor the legal landscape and is prepared to shut down the service in the affected jurisdiction if a government somehow legally forces it to spy on its customers: “Just as where no data can be revealed if it does not first exist, the service can’t be used as a surveillance tool if it’s not in operation,” the company says.

Though we prefer a trial, we like that Mullvad offers a 30-day money-back guarantee so you can see if the server speeds and connections work for you. IVPN offers a free three-day trial, but you have to enter your credit card or PayPal information anyway, and the money-back guarantee is for only seven days rather than a month. When you sign up for an account, Mullvad offers more payment options than IVPN, including credit card, Bitcoin, Bitcoin Cash, PayPal, or Swish. Mullvad offers a 10% discount for payment in cryptocurrency. Although Mullvad accepts cash payments, most people aren’t going to mail cash to Sweden from the US, and those payments are not eligible for the money-back guarantee.

Mullvad’s app allows you to connect to servers in 57 cities across 36 countries. In connection speeds, on average, it ranked second among the VPNs we tested during rush hour, behind NordVPN, and it did not freeze or drop video calls. Across nine locations, it averaged just about 9% faster than IVPN. During non-rush-hour traffic, Mullvad averaged 80.15 Mbps in the US. The phone apps were much faster, averaging 115 Mbps on Android and 126 Mbps on iOS over cellular data during non-rush-hour times. Mullvad didn’t disrupt basic web browsing tasks, and Mullvad and IVPN were the only two VPNs that did not cause video calls to drop or freeze.

As for the security and connection standards Mullvad uses, it’s competitive with the other VPN services we found to be trustworthy. Mullvad allows you to choose between the OpenVPN and WireGuard standards on Windows and macOS. It uses WireGuard on its iOS and Android app. We recommend using WireGuard for better security and faster speed. We like that Mullvad lays out its security standards clearly; although IVPN meets our standards, that company is less technical in its descriptions.

Mullvad includes a kill switch, which stops all traffic if the VPN disconnects. As with other competitors we tested, this feature worked as promised and kept our browsing and connections offline until the VPN connection was confirmed.

Mullvad’s open-source apps are available for Windows, macOS, Android (though the Android app is still in beta; more on that below), and iOS. This flexibility makes Mullvad simple to set up on a variety of devices even if you have little technical knowledge. You can customize whether to launch the app on startup and autoconnect when it launches. It also has a local network sharing setting to access other devices on the same network, which prevents problems with printing and file sharing, a common issue for some VPNs. And though Mullvad didn’t disconnect randomly as often as other VPNs we tested, it clearly and visually indicates when you are disconnected by changing the closed green lock icon to an open red lock. IVPN is the same on Windows, but on a Mac, IVPN's icon is black when connected and gray when disconnected, which can be harder to discern at a glance.

Whether you sign up for a month or a year, the cost of a Mullvad subscription is the same: €5 a month (usually around $5.50 to $6). IVPN charges $6 per month for its standard tier and $10 per month for its pro tier. If you commit to a whole year of service, IVPN charges $60 per year for its standard tier and $100 per year for its pro tier, which means its pro tier is still more expensive than Mullvad with the annual discount, and the savings with the standard tier are negligible.

Mullvad offers some features other providers don’t. Although most people won’t take advantage of these extras, the existence of these options shows that the company invests a lot of thought into privacy and security. For instance, you can download the software using the Tor Browser and verify the signatures for new app releases. We were particularly impressed with the company’s design specifications, which describe how the application should work, the connections that it should be allowed to make, and how that differs on each individual platform. “That level of upfront specification means that you can test against that specification, which means that you can actually find deviations from it that indicate security issues. That's a deeper level of knowledge about what you're building than what I've seen for many other VPN providers,” said Dan Guido. Mullvad also supports installation on many routers, though it’s worthwhile to check and confirm that yours is supported and what steps are required.