This article explains how ExpressVPN’s security is independently tested by external firms, what those audits cover, and how to read the reports yourself.

How ExpressVPN is independently audited

ExpressVPN has been commissioning independent audits since 2018 and continues to do so on a regular basis as products evolve. These audits are carried out by external security firms, who are given access to source code, internal infrastructure, and documentation relevant to what is being assessed. Their role is to test whether ExpressVPN’s systems and software work as described and to identify any vulnerabilities or issues.

Each auditing firm conducts its work independently, following its own methodology and standards. ExpressVPN does not influence auditors’ findings or conclusions.

When issues are found, they are disclosed in the published report. Auditors may also conduct retests to verify that the issues have been resolved. Finding issues in a security audit is a normal part of the process: it is what independent testing is designed to do.

Each audit reflects the state of ExpressVPN’s systems at the time of testing, which is why audits are commissioned regularly rather than as a one-time exercise.

Need help? Contact the ExpressVPN Support Team for immediate assistance.


What ExpressVPN’s audits cover

Audits are commissioned across different parts of ExpressVPN’s product and infrastructure. The areas that have been assessed include:

  • The Lightway protocol: ExpressVPN’s own VPN protocol, built in-house and open-sourced, which governs how devices connect to VPN servers.
  • TrustedServer: ExpressVPN’s server technology, which runs entirely on RAM so that all data is wiped every time a server is rebooted.
  • Desktop and mobile VPN apps: The ExpressVPN applications for Windows, macOS, Linux, iOS, and Android.
  • Browser extensions: The ExpressVPN extension for Chrome and Firefox and the ExpressKeys password manager extension.
  • Additional services: ExpressAI, ExpressVPN’s privacy-first AI platform. Audits are also in progress for ExpressKeys (password manager), Identity Defender (identity protection services), and ExpressMailGuard (email relay service).
  • Aircove routers: ExpressVPN’s router hardware, which runs the VPN at the network level rather than on individual devices.
  • The no-logs policy and privacy commitments: Whether ExpressVPN’s technical infrastructure and internal processes are consistent with what the privacy policy states. You can read more about ExpressVPN’s no-logs policy here.
  • The build verification system: The process that ensures software delivered to users matches the source code, guarding against tampering during distribution.


Who carries out ExpressVPN’s audits

ExpressVPN has worked with a number of established, independent cybersecurity and professional services firms across its audit program, including:

  • Cure53: A German cybersecurity firm specializing in penetration testing and security audits.
  • KPMG: One of the world’s largest professional services firms, providing audit and assurance services under internationally recognized standards.
  • PwC Switzerland: The Swiss practice of one of the world’s largest professional services firms, providing audit and assurance services.
  • F-Secure: A Finnish cybersecurity company with a long track record in vulnerability research and security testing.
  • Praetorian: A U.S.-based cybersecurity firm specializing in offensive security and technical risk assessments.


How to read an ExpressVPN audit report

Not all audit reports follow the same structure. There are two main types in ExpressVPN’s audit program, and the format you see will depend on what was being assessed:

Penetration tests and source code audits

This type of audit report typically includes:

  • Scope: Defines exactly what was tested, including specific software versions or code commits, and explicitly lists what was out of scope. Reading the scope tells you what the audit can and cannot speak to.
  • Test methodology: Documents the testing approach and techniques used, usually broken down by area of the software being assessed. This includes areas that were examined even where no issues were found.
  • Severity glossary: Defines the rating system used to classify findings. Each rating has a defined meaning, which the auditor applies consistently across all findings.
  • Identified vulnerabilities: Lists each security issue found, with a unique identifier, severity rating, technical description, proof-of-concept where applicable, and a fix note confirming whether the issue was addressed and verified.
  • Miscellaneous issues: Covers weaknesses that do not constitute exploitable vulnerabilities but could assist an attacker or represent areas for improvement.
  • Auditor conclusion: A concluding statement summarizing the auditor’s overall assessment. These conclusions are written by the auditing firm, not ExpressVPN, and reflect the auditor’s independent view.

Assurance engagements

These reports do not list vulnerabilities or use severity ratings. Instead, the auditor reviews ExpressVPN’s technical controls and internal processes against defined criteria and issues a formal opinion on whether those controls function as described. The conclusion to look for is whether the auditor provided assurance and whether any exceptions were noted.


Access ExpressVPN’s audit reports

Each report, including any issues found, is published in full as delivered by the auditor. All published reports are available to read in full at expressvpn.com/trust.
