ExpressVPN Trust Center

ExpressVPN is, first and foremost, a privacy company. Our users trust us to protect their privacy with an industry-leading combination of hardware, software, and human ingenuity. Here is a look at how we work to earn that trust.

Un paseador de perros, un adulto con un niño, y alguien con su teléfono.

Security at ExpressVPN: Our 4 key strategies

Learn how we do cybersecurity to keep our systems and users protected.

Un candado que simboliza la seguridad.

1. Make systems difficult to compromise

The front line in our defenses is making our systems secure. We employ many different techniques to ensure that it’s difficult to break into any of them, from using an independently assured build verification system to hardware security devices and cutting-edge encryption.

Build verification system
Hardware security devices
Code review
Hardened secure shell (SSH)
Rapid patching
Fichas de dominó cayendo sobre una pared de ladrillos.

2. Minimize potential damages

Despite our efforts, it is still possible that a motivated attacker may break through our defenses. We address this risk by applying guardrails to minimize the attacker’s potential damage from their initial foothold.

Embracing zero trust
Employing zero-knowledge encryption
Secure design
Principle of least privilege
Imagen de una lista de verificación con un escudo.

3. Minimize the time of compromise

Not only should the severity of the damage be minimized, but our processes also help to limit the duration of compromise and the amount of time that attackers can stay lurking.

Security monitoring
Automatic rebuilds
Un reloj azul con manecillas girando.

4. Validate our security controls

All of our software and services are rigorously tested to ensure they work as intended and meet the high standards of privacy and security that we promise to our customers.

Internal validation: Penetration tests
External validation: Security audits by third parties


As we strive to meet and exceed industry security standards, we are also constantly innovating in a relentless pursuit of new ways to safeguard our products and our users’ privacy. Here we highlight two groundbreaking technologies built by ExpressVPN.

Botones de activar verticales.

Lightway: Our protocol offering a superior VPN experience

Lightway is a VPN protocol built by ExpressVPN. A VPN protocol is the method by which a device connects to a VPN server. Most providers use the same off-the-shelf protocols, but we set out to create one with superior performance, making users’ VPN experience not only speedier and more reliable, but also more secure.

  • Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard.

  • Lightway also preserves perfect forward secrecy, with dynamic encryption keys that are regularly purged and regenerated.

  • The core library of Lightway has been open-sourced, ensuring that it can be transparently and widely assessed for security.

Learn more about Lightway, and read our dev blog for technical insights from ExpressVPN software developers on how Lightway works and what makes it better than the rest.

Una pila de servidores con un candado.

TrustedServer: All data wiped with every reboot

TrustedServer is VPN server technology we created that delivers greater security to our users.

  • It runs only on volatile memory, or RAM. The operating system and apps never write to hard drives, which retain all data until they are erased or written over. Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again—stopping both data and potential intruders from persisting on the machine.

  • It increases consistency. With TrustedServer, every one of ExpressVPN’s servers runs the most up-to-date software, rather than each server receiving an update at different times as needed. That means ExpressVPN knows exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.

  • TrustedServer technology has been audited by PwC.

Want a more detailed look at the many ways TrustedServer protects users? Read our deep dive into the tech, written by the engineer who designed the system.

Un "bug" bajo una lupa.

Bug bounty

Through our bug bounty program, we invite security researchers to test our systems and receive financial rewards for any problems they find. This program gives us access to a large number of testers who regularly assess our infrastructure and applications for security issues. These findings are then validated and remediated, ensuring our products are as secure as possible.

The scope of our program includes vulnerabilities in our VPN servers, our apps and browser extensions, our website, and more. To individuals who report bugs, we provide full safe harbor conforming to global best practices in the security-research space.

Our bug bounty program is managed by Bugcrowd. Follow this link to find out more or report a bug.

Un gráfico de barras con una flecha en la barra más alta.

Industry leadership

While we set rigorous standards for ourselves, we also believe that our work of building a more private and secure internet can’t stop there—that’s why we collaborate with the entire VPN industry to raise standards and better protect users.

We co-founded and chair the VPN Trust Initiative (VTI) together with the Internet Infrastructure Coalition (i2Coalition) and several other major industry players. In addition to its ongoing awareness and advocacy work, the group has launched the VTI Principles—shared guidelines for responsible VPN providers in the areas of security, privacy, transparency, and more. This builds on ExpressVPN’s previous transparency initiative work in partnership with the Center for Democracy and Technology.

Some of the innovations we've pioneered have helped to drive the VPN industry forward. We were the first to create TrustedServer, and others have since followed our lead to roll out similar technology. Lightway is another example of technology that we've built from the ground up, and we hope that by open-sourcing it, it will have an influence on the VPN industry as a whole.

Notable privacy initiatives

Find out more about how we protect our users’ privacy.

Un botón de escudo encendido.

ioXT certified

ExpressVPN has become one of the few VPN apps to be certified by the ioXt Alliance for security standards, empowering consumers to use our services with greater confidence.

Gráfico de barras con diferentes alturas.

In-app privacy features

We have introduced a feature on our app for Android called Protection Summary, which helps users protect their privacy with practical guidelines.

Gráfico de dos líneas.

Digital Security Lab

We launched the Digital Security Lab to delve deep into real-world privacy issues. See its leak-testing tools, which help to validate the security of your VPN.