What evidence supports Mullvad's no-logs claim in 2025?
Executive summary
Mullvad’s 2025 no-logs claim is supported by a string of independent technical audits, an actual police search that reportedly yielded no user data, and public-facing policies and engineering choices designed to minimise retained metadata—collectively forming the principal body of evidence users can inspect [1] [2] [3]. However, those assurances come with measurable caveats: audit scope varies, payment and support channels can create peripheral records, and independent reporters note that audits and policies are not the same as absolute proof in every conceivable legal or forensic scenario [4] [5].
1. Independent security audits and penetration tests provide the core technical corroboration
Multiple external security firms, including Cure53 and Assured Security Consultants, have audited Mullvad’s software and infrastructure in recent years, with reports noting high security levels, few issues, and quick remediation of low-severity findings. Assured’s August 11–22, 2025 penetration test (with follow-up verification in September) found no critical, high, or medium-severity issues and only a low-severity input validation weakness that Mullvad fixed [1] [6]. Security reviewers and industry sites consistently point to these audits as the primary technical evidence that Mullvad’s apps and public-facing infrastructure do not retain activity logs as described in their policy [4] [7].
2. A real-world police search acted as an operational stress test
A Swedish police search of Mullvad’s Gothenburg office in early 2023 is frequently cited by Mullvad and reviewers as a direct operational test of the no-logs claim: police reportedly left without subscriber data because Mullvad does not retain IP addresses, connection timestamps, or traffic logs [2] [8]. That outcome is widely referenced in third‑party coverage as confirmation that the provider had no central data to hand over during an actual law-enforcement demand [8] [9].
3. Public policies and engineering choices show minimal data retention by design
Mullvad’s published policies explicitly state a refusal to store activity logs or metadata and describe specific operational practices—such as ephemeral Nginx access logs retained for up to five minutes without IPs, anonymous account numbers instead of email-based accounts, and avoidance of analytics that would profile users—to make logging unnecessary by design [10] [3] [5]. Mullvad’s transparency blog and audit archive publish timelines and summaries of audits, and the company documents technical mitigations and the narrow scope of what it may process (e.g., payment-related data handled by third parties) [1] [5].
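The two properties described above (access logs that carry no client address and live for at most five minutes) are ones an operator or auditor can check mechanically. The following is an added example, not Mullvad's configuration or tooling: the nginx config, the format names, the log lines and the reference time are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Standard nginx variables that carry a client address (not an exhaustive list).
ADDRESS_VARS = {"remote_addr", "binary_remote_addr", "realip_remote_addr",
                "proxy_add_x_forwarded_for", "http_x_forwarded_for",
                "http_x_real_ip", "proxy_protocol_addr"}
MAX_AGE = timedelta(minutes=5)  # retention window stated in the policy text above

# Constructed sample config (hypothetical format names), not Mullvad's.
SAMPLE_CONF = r'''
log_format minimal '[$time_iso8601] "$request" $status $body_bytes_sent';
log_format leaky   '$remote_addr [$time_iso8601] "$request" '
                   '$status "$http_x_forwarded_for"';
access_log /run/nginx/access.log minimal;
'''

# Constructed sample log lines in the "minimal" format, with a fixed "now".
SAMPLE_LOG = [
    '[2025-09-01T12:00:10+00:00] "GET / HTTP/1.1" 200 512',
    '[2025-09-01T12:05:00+00:00] "GET /en/ HTTP/1.1" 200 2048',
    '[2025-09-01T12:09:59+00:00] "GET /en/help HTTP/1.1" 200 900',
]
SAMPLE_NOW = datetime(2025, 9, 1, 12, 10, 0, tzinfo=timezone.utc)

def address_vars_by_format(conf):
    """Map each log_format name to the client-address variables it records."""
    found = {}
    # Simplification: assumes the format string itself contains no ';'.
    for name, body in re.findall(r"log_format\s+(\S+)\s+(.*?);", conf, re.S):
        used = set(re.findall(r"\$\{?(\w+)", body))
        found[name] = sorted(used & ADDRESS_VARS)
    return found

def lines_past_retention(lines, now):
    """Return lines whose leading $time_iso8601 stamp is older than MAX_AGE."""
    stale = []
    for line in lines:
        stamp = datetime.fromisoformat(line[1:line.index("]")])
        if now - stamp > MAX_AGE:  # exactly five minutes old is still allowed
            stale.append(line)
    return stale

if __name__ == "__main__":
    print(address_vars_by_format(SAMPLE_CONF))
    print(lines_past_retention(SAMPLE_LOG, SAMPLE_NOW))
```

A check like this only covers what the web server writes to its access log; it says nothing about other components or about records held by third parties.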
4. Known limitations and vectors where evidence is weaker or external
Independent reviewers and Mullvad itself acknowledge limits: audits have scopes (web app, apps, infrastructure) and do not equate to continuous forensic guarantees; some audits (e.g., logging policy audits in 2022) are older and require fresh confirmation over time [7] [11]. Payment processors and banks used for certain payment methods will generate records outside Mullvad’s control, and Mullvad warns that it can access limited personal data via those providers when users choose non-anonymous payment methods [3] [5]. Security reviewers note they could not “verify” the no-logs claim through independent continuous monitoring: audits and policies are persuasive, not absolute forensic proof [4] [11].
5. Verdict: evidence strongly supports the claim but is not equivalent to absolute proof
Taken together—repeated third‑party audits with few findings, a police raid that reportedly found nothing, and documented engineering and policy choices to avoid log retention—Mullvad presents one of the stronger public cases for a no-logs posture in 2025 [1] [2] [3]. That evidence is persuasive because it combines technical inspection, operational outcomes, and policy transparency, yet it must be read against the practical limits auditors and journalists note: audit scope, the age of some reports, and unavoidable records with external payment processors mean the claim is demonstrably well-supported but not technically unchallengeable in every edge case [6] [7] [5].