Earlier this year, we committed to investing in a greater frequency and quantity of third-party audits. Audits by trusted third parties are an important signifier of trust and transparency, since they provide independent assessment of the privacy and security claims we make.
Today, we’re sharing the latest of these audits. We invited both KPMG and Cure53 to separately conduct independent audits on our systems and core server technologies. On the basis of the reports provided to us, we believe that you can be confident that we will never know what you do online when connected to our service and that we do not have such sensitive information to share, even if compelled to.
Our guiding principle toward data collection is to collect only the minimal data required to operate world-class VPN service at scale. That means never collecting nor storing any data that could compromise a user’s privacy or security—no activity logs, no connection logs, or any other sensitive information.
One of the important ways we do so is through TrustedServer, our innovative in-house VPN server technology that significantly minimizes privacy and security risks that traditional server management poses. TrustedServer is the world’s most advanced server technology, with multiple layers of controls in place that ensure we don’t log any user data—not even accidentally.
KPMG audit puts ExpressVPN’s no-logs policy to the test
In conclusion, we are thrilled that KPMG issued us with a clean bill of health.
We recommend the report is read in full—it is available to anyone, as long as you acknowledge KPMG’s terms and conditions before accessing it. ExpressVPN customers can also do so by logging in and visiting the Privacy and Security Audits page.
The audit was conducted under the globally recognized International Standard on Assurance Engagements (ISAE) (UK) 3000 Type 1.
Cure53 audit further strengthens security of TrustedServer
Separately, cybersecurity firm Cure53 conducted a source code audit and white-box security assessment of TrustedServer. The findings were positive and highlights TrustedServer’s strong security posture. (FYI our $100,000 bug bounty for TrustedServer is still up for grabs!)
Cure53 elaborates that “mostly general weaknesses and minor flaws were spotted. Further, most of them can be evaluated as trivial to fix and resolve. It can be positively acknowledged as well that none of the four actually identified vulnerabilities was ranked with a High or Critical severity score, showcasing an already quite robust environment exposed by the ExpressVPN TrustedServer components.”
Read the full audit report by Cure53 here.
Our commitment to trust and transparency
The two new audits add to our list of past audits and security assessments:
- An audit by PwC Switzerland on our build verification process
- A security audit by Cure53 of our browser extension
- A security audit by Cure53 of our VPN protocol Lightway
- Security audits by F-Secure of our apps for Windows v10 and v12
- A security audit by Cure53 of our Aircove router
“We are pleased that our systems and core server technologies were examined by KPMG and Cure53. Regular third-party audits that validate our controls and the results of our internal team’s work, along with other security efforts like our bug bounty program, give us even more confidence that we are protecting our users well,” says Aaron Engel, Head of Cybersecurity, ExpressVPN. “We are proud to be leading the industry in trust and transparency, and look forward to publishing even more audits this year.”