3rd KPMG audit supports ExpressVPN's privacy commitments


In the world of digital privacy, trust is greatly strengthened with third-party assurance. At ExpressVPN, we've long been committed to rigorous independent audits to test that our services operate as we claim. Today, we're excited to announce the completion of our second assessment by KPMG LLP, which examined ExpressVPN’s TrustedServer system and privacy policy claims as of 28 February 2025.
To provide the highest level of privacy to users, our VPN service is built in accordance with our strict no-logs policy, which assures users that our technology is engineered so that activity logs and connection logs are never retained. KPMG's latest report examined our TrustedServer technology to assess our claim that its design effectively prevents the collection of such logs.
The engagement was conducted under the globally recognized International Standard on Assurance Engagements (ISAE) (UK) 3000 Type 1.
Following testing of ExpressVPN's TrustedServer architecture and privacy controls, KPMG provided reasonable assurance that our systems functioned as designed, with no identified issues regarding our technical safeguards against activity logging.
The full assessment report is available for all; you simply need to first acknowledge KPMG's terms and conditions to access it.
"Independent assurance isn't just a checkbox for us—it's fundamental in our efforts towards trust and transparency," said Aaron Engel, Chief Information Security Officer at ExpressVPN. "Having KPMG evaluate our technologies and assess our privacy protections again demonstrates our unwavering commitment to maintaining the highest standards of user privacy protection."
This latest assessment represents another milestone in our continuous efforts to validate our privacy promises. We believe that regular independent audits are essential for maintaining user trust in an increasingly complex digital landscape.
"By subjecting our systems to rigorous third-party scrutiny, we're not just verifying our current protections—we're establishing a standard for accountability that we hope will raise the bar across the entire VPN industry," adds Engel.
With 23 third-party audits published to date, ExpressVPN continues to lead the industry with one of the most comprehensive independent verification initiatives. Our commitment to transparency follows increasingly rigorous standards, exemplified by the recent commissioning of not one but two security assessments of our Lightway protocol following its complete rewrite in the modern coding language Rust.
In addition to audits, we've also published detailed white papers documenting the engineering design behind products including our Keys password manager and dedicated IP service. The latest update to our biannual transparency report displays the number of requests for user data our legal department receives, for which we have no records to provide.
These audits represent just one facet of our multidimensional approach to earning and maintaining user trust. At ExpressVPN, we are constantly researching, developing, and implementing advanced technological solutions that push the boundaries of privacy protection and security. As threats to online privacy continue to evolve, so too will our commitment to serving our customers with transparency and industry-leading protection.