Earlier this year, we committed to investing in a greater frequency and quantity of third-party audits. Audits by trusted third parties are an important signifier of trust and transparency, since they provide independent assessment of the privacy and security claims we make.
Today, we’re sharing the latest of these audits. We invited both KPMG and Cure53 to separately conduct independent audits on our systems and core server technologies. On the basis of the reports provided to us, we believe that you can be confident that we will never know what you do online when connected to our service and that we do not have such sensitive information to share, even if compelled to.
Our guiding principle toward data collection is to collect only the minimal data required to operate a world-class VPN service at scale. That means never collecting or storing any data that could compromise a user’s privacy or security—no activity logs, no connection logs, and no other sensitive information.
One of the important ways we do so is through TrustedServer, our innovative in-house VPN server technology that significantly minimizes privacy and security risks that traditional server management poses. TrustedServer is the world’s most advanced server technology, with multiple layers of controls in place that ensure we don’t log any user data—not even accidentally.
We have defined and implemented a range of controls that give us confidence that we operate in line with our no logs principle. KPMG tested the design and implementation of the controls that help us achieve the key aspects of our Privacy Policy. Cure53 also conducted a penetration test and source code audit of TrustedServer.
KPMG audit puts ExpressVPN’s no-logs policy to the test
Independent auditors from KPMG tested our controls framework and interviewed our team members in order to check the processes, systems, and controls intended to ensure our VPN servers comply with our Privacy Policy. This included testing our policy of not collecting activity logs or connection logs, and confirming that TrustedServer technology operates as we’ve described.
In conclusion, we are thrilled that KPMG gave us a clean bill of health.
The full report by KPMG is available to anyone—as long as you acknowledge KPMG’s terms and conditions before accessing it. ExpressVPN customers can also read the report in full by logging in and visiting the Privacy and Security Audits page.
The audit was conducted under the globally recognized International Standard on Assurance Engagements (ISAE) (UK) 3000 Type 1.
Cure53 audit further strengthens security of TrustedServer
Separately, cybersecurity firm Cure53 conducted a source code audit and white-box security assessment of TrustedServer. The findings were positive and highlight TrustedServer’s strong security posture. (FYI, our $100,000 bug bounty for TrustedServer is still up for grabs!)
Cure53 elaborates that “mostly general weaknesses and minor flaws were spotted. Further, most of them can be evaluated as trivial to fix and resolve. It can be positively acknowledged as well that none of the four actually identified vulnerabilities was ranked with a High or Critical severity score, showcasing an already quite robust environment exposed by the ExpressVPN TrustedServer components.”
Read the full audit report by Cure53 here.
Our commitment to trust and transparency
The two new audits add to our list of audits and security assessments:
- An audit by Cure53 of our Linux app (August 2022)
- An audit by Cure53 of our macOS app (July 2022)
- A security audit by Cure53 of our Aircove router (July 2022)
- An audit by F-Secure of our Windows v12 app (April 2022)
- A security audit by F-Secure of our Windows v10 app (March 2022)
- A security audit by Cure53 of our VPN protocol Lightway (August 2021)
- An audit by PwC Switzerland on our build verification process (June 2020)
- An audit by PwC Switzerland of our privacy policy compliance and our in-house technology TrustedServer (June 2019)
- A security audit by Cure53 of our browser extension (November 2018)
“We are pleased that our systems and core server technologies were examined by KPMG and Cure53. Regular third-party audits that validate our controls and the results of our internal team’s work, along with other security efforts like our bug bounty program, give us even more confidence that we are protecting our users well,” says Aaron Engel, Head of Cybersecurity, ExpressVPN. “We are proud to be leading the industry in trust and transparency, and look forward to publishing even more audits this year.”
Comments
This is great practice. I read a cynical github post saying vpns are all lying and logging your data and selling out your privacy. I think third party audits are a good way to maintain trust.
Thank you