How do Mullvad, Proton VPN, and NordVPN define transparency report scope and methodology?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
NordVPN, Proton VPN and Mullvad take different approaches to transparency reporting: NordVPN publishes regular (quarterly/monthly) reports on government and DMCA requests and shifted from a warrant canary to transparency reports [1] [2]. Proton VPN publishes transparency reports and has undergone multiple third‑party audits including a SOC 2 Type II in 2025 and Securitum audits [3] [4]. Mullvad emphasises audit-verified no‑logs and anonymous accounts but — unlike the others — has resisted routine transparency reports, saying reports add little because it holds no user data [5] [6].
1. NordVPN: moving from canary to counts — the numbers-first play
NordVPN abandoned sole reliance on a warrant canary and now issues transparency reports that disclose the number of government inquiries and DMCA requests it receives, with Nord explicitly promising “detailed monthly updates” on inquiries and DMCA notices in its announcement [1]. Independent reporting notes Nord’s quarterly transparency statements can be “barebones” but still publish large request counts — for example Nord reported 3,001,848 DMCA requests and 88 government inquiries between April 1 and July 1, 2025 [2] [7]. That emphasis on raw tallies signals a posture of measurable disclosure: Nord shows volume but — as reviewers observe — offers limited methodological detail inside those summaries [2].
2. Proton VPN: reports plus audits — coupled transparency and verification
Proton VPN combines transparency reports with repeated third‑party audits and formal compliance work. Multiple sources say Proton publishes transparency reporting on law‑enforcement requests and has completed several independent audits, notably Securitum engagements and a SOC 2 Type II audit in 2025, which the company promoted as confirming its operational security practices [3] [4]. Industry commentary frames Proton’s approach as “full transparency” through both narrative reports and external verification, though some reviews still press for more frequent or granular audit disclosures [4].
3. Mullvad: audit‑centric, anonymous by design, skeptical of reports
Mullvad is best known for extreme minimization of data collection (anonymous accounts, diskless/RAM servers) and a history of independent audits; it also publishes yearly summaries of police requests, but company representatives have repeatedly said they do not plan to publish routine transparency reports because such reports are unverifiable and unnecessary when no user data exists to disclose [5] [6] [8]. Security reviewers praise Mullvad’s clear, minimal policy and external audits as proof points, but note the company’s Swedish jurisdiction can raise theoretical legal‑exposure questions despite its no‑logs architecture [6] [4].
4. What “scope” and “methodology” mean in practice across the three
Available sources show Nord focuses on counts of requests (DMCA, government inquiries) and publishes them on a recurring basis, implying a scope centered on legal process metrics rather than technical telemetry [1] [2]. Proton’s scope appears broader: it provides request reporting while foregrounding third‑party audits (operational controls, SOC 2) as methodological verification [3] [4]. Mullvad’s methodological stance prioritizes demonstrable absence of logs via audits and architecture (anonymous signup, RAM servers) and treats formal periodic transparency reports as redundant because there is no user data to admit or deny [5] [6].
5. Competing perspectives and implicit agendas
NordVPN’s reports serve an agenda of quantifiable accountability — publishing large request counts supports a marketing narrative of transparency, but critics call the reports “barebones,” implying a tension between disclosure and depth [2]. Proton’s tandem audit-plus-report model advances credibility through external certification (SOC 2) but invites scrutiny about audit frequency and what each audit actually covers [3] [4]. Mullvad’s refusal to push routine transparency reports fits an ideological agenda: maximal user anonymity and audit proofs over narrative disclosures; reviewers admire the stance but warn some users interpret the absence of frequent reports as less transparent [5] [6].
6. Limits of available reporting and open questions
Current reporting in these sources documents what each provider publishes (counts, audits, architectural claims) but does not supply full methodological appendices showing how counts are logged, how requests are categorized, or how audits sample systems. The sources do not provide the providers’ internal templates for counting or the precise audit scopes and remediations beyond headline claims; in short, detailed methodology documents are not found in the cited reporting [1] [3] [5].
7. Practical takeaway for users concerned about transparency
If you want raw visibility into legal requests, NordVPN’s periodic counts make it easy to watch trends [1] [2]. If you want third‑party technical verification of operational practices, Proton’s audits and SOC 2 offer documentary assurance [3] [4]. If you prioritise minimal attack surface and anonymous signup, Mullvad’s architecture and audits are the clearest signal — but expect fewer routine narrative transparency reports because the company says there’s nothing to report [5] [6].
Sources cited in-line: [1], [2], [7], [3], [4], [5], [6], [8].