KPMG LLP completes new assessment of ExpressVPN’s Privacy Policy claims

ExpressVPN news
2 mins
KPMG audits ExpressVPN privacy policy.

Millions of users entrust their privacy to ExpressVPN, relying on our claims of never logging user activity, whether that’s browsing history, DNS queries, VPN connection logs, or the content of your transmissions. But without extensive transparency measures, it is impossible for users to know for sure whether they can trust that our service works the way we say it does.

This is where independent security audits come in. And as part of our commitment to regularly publish such reviews of our systems, we’ve recently sought KPMG LLP (“KPMG”) to provide reasonable assurance over ExpressVPN’s TrustedServer services and Privacy Policy claims as at 12 December 2023. 

The engagement entailed testing the description, design, and implementation of controls over ExpressVPN’s TrustedServer services. KPMG provided independent reasonable assurance that within ExpressVPN’s TrustedServer architecture, the platform integrity prevented the collection of any user activity logs.

The engagement was conducted under the globally recognized International Standard on Assurance Engagements (ISAE) (UK) 3000 Type 1.

We’re pleased with the results. KPMG found no issues with regard to any of the controls tested, including the prevention of the logging of user activity. 

The report should be read in full to understand the detailed scope and findings – it is available to anyone, as long as you acknowledge KPMG’s terms and conditions before accessing it. 

“We’re delighted to have KPMG scrutinize our systems, TrustedServer technology, and validate our adherence to our no-logs policy as at 12 December 2023. Regular assessments and audits by independent third parties help validate the strength of our security measures, bolstering our confidence in safeguarding our users. The latest report by KPMG adds to our long list of existing third-party testings further solidifying ExpressVPN’s position as industry leaders in trust and transparency,” said Aaron Engel, Chief Information Security Officer, ExpressVPN.

To date, we’ve completed and published 18 independent third-party audit reports—more than anyone else within the VPN industry. These audits are done by a variety of third-party experts, including PwC, Cure53, F-secure, and others. We believe they uniquely contribute to transparency for users, providing assurance over how our company and technology have worked in the periods under review. Complementing these reports is our new transparency initiative of reporting stats on user-data requests received by our legal department, a white paper that details our Keys password manager’s entire security design, and more.

Our systems are rigorously designed to protect our users, and in cases where we aren’t satisfied with standard technology for our products, we’ve created security-focused innovations such as the Lightway VPN protocol with post-quantum protections and our TrustedServer system. The reports we commission provide valuable assurance to ExpressVPN over how these innovations work—within our efforts to drive the VPN industry forward.

Phone protected by ExpressVPN.
Privacy should be a choice. Choose ExpressVPN.

30-day money-back guarantee

A phone with a padlock.
We take your privacy seriously. Try ExpressVPN risk-free.
What is a VPN?
Aaron Engel is the Chief Information Security Officer (CISO) at ExpressVPN responsible for ensuring the security and privacy of our users, employees, and company. He currently leads the Security and Information Technology (IT) teams to deliver unified security and productivity to all parties.