ExpressVPN’s Privacy Protections Tested in 2 New Audits by KPMG & Cure53

• ExpressVPN is delivering on its promises of more frequent independent audits.
• The latest round of audits focused on ExpressVPN’s privacy-related practices.
• ExpressVPN users can rest assured that their data is never logged or stored.

Earlier this year, ExpressVPN promised to invest in a greater frequency of third-party audits. That said, back in March, the VPNs published the results of its audit and penetration testing by F-Secure, focusing on the VPN’s Windows app. And now, ExpressVPN has unveiled that two new audits were done, focusing on Privacy Policy protection and server technology security.

The latest round of audits was conducted by KPMG and Cure53, both of which are respectable companies that specialize in cybersecurity. The goal of the audits was to test ExpressVPN’s claims that it logs and stores no personally identifiable data, emphasizing the protections provided by the TrustedServer technology. That’s an in-house VPN server technology, thanks to which ExpressVPN’s servers don’t use hard drives; they rely only on RAM instead.

The audit done by KPMG emphasized ExpressVPN’s controls network and interviews with the VPN's team members. In other words, the goal was to check the processes, systems, and controls intended to ensure that ExpressVPN’s servers are in compliance with its Privacy Policy.

We’ll remind you that as per ExpressVPN’s Privacy Policy, the VPN claims “not to collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries.” Aside from that, “ExpressVPN never stores connection logs, meaning no logs of your IP address, your VPN IP address, connection timestamp, or session duration.”

KPMG’s audit concludes that ExpressVPN fully complies with its Privacy Policy. The VPN truly doesn’t log anything more than anonymous analytic data. More precisely, ExpressVPN logs your app versions, successful connection attempts, and the aggregate sum of data transferred. None of that data can be connected to a single individual.

The audit done by Cure53 placed an emphasis on the ExpressVPN TrustedServer setup and sources, checking for security vulnerabilities. The audit found 7 low-level issues and 3 medium-level issues, most of which have already been patched by ExpressVPN. None of those were severe vulnerabilities that could lead to data leaks.

Also, most of the found vulnerabilities are linked to the L2TP protocol, which ExpressVPN is in the process of deprecating, which should be complete by the end of October 2022.   

In the end, we’ll mention that these latest audits (as well as all the previous audits) and their reports are available on the ExpressVPN website. You can access them by logging in to your account and visiting your dashboard.

If you’d like to learn more, check out our summary of what’s new in ExpressVPN.