For VPN (Virtual Private Network) service providers, it all starts in their codebase, who can access their servers, and what they are allowed to change in there. This was the focus of this audit, which was conducted under the International Standard on Assurance Engagements (ISAE) 3000. To perform the examination, ExpressVPN gave PwC extensive access to their team and system information for a full month, while they took part in interviews and openly shared all system management and data handling and logging activities in the company.
According to the TrustedServer architecture, the servers run in RAM only, and the bootloader on the server hardware boots directly into a read-only ISO image file (Debian Linux) that is digitally signed by Express VPN. There can be no booting without a valid signature, no files written to system locations, and no ISO content modifications. This, as well as the claim that no PII or IP addresses ever leave the contained environment, was checked and confirmed by PwC. As for the codebase changes and deployment, it was affirmed that there can be no changes pushed directly in the master branch, so there can be no unchecked and unapproved code changes on the servers.