PwC audits ExpressVPN servers to confirm essential privacy protections


At ExpressVPN, we take your privacy and security extremely seriously. To best protect our customers, we follow a central principle of never storing any data that could compromise a user’s privacy or security. That means not knowing what you do online when connected to our service—no activity logs, no connection logs, no sensitive information.

We’re so committed to ensuring we never store any sensitive data that we developed a new technology in-house, TrustedServer, to ensure that all data is wiped every time a server is rebooted.

How can you be confident ExpressVPN’s claims are accurate?

It would take a team of security audit experts with access to our servers’ codebase to verify our claims. So that’s exactly who we called in: the experts at the “Big Four” auditing firm PwC (PricewaterhouseCoopers).

Independent audit professionals from PwC exhaustively examined our code and interviewed our team members in order to confirm whether our VPN servers were in compliance with our privacy policy, including our policy of not collecting activity logs or connection logs. The audit also checked that TrustedServer technology operates as we’ve described. To learn more, see full details of what was covered by the audit (PDF).

Today, we’re releasing the independent audit report in full, available to customers, journalists, reviewers, and partners. The audit was conducted under the International Standard on Assurance Engagements (ISAE) 3000 (Revised). In line with PwC’s standards for such reports, those seeking to view the report must acknowledge PwC’s terms and conditions before accessing it. Customers can do so by logging in and visiting the Privacy and Security Audits page, and members of the media can email press@expressvpn.com.

What process did the auditors follow, and what were the results?

To enable PwC to thoroughly audit our servers, we gave them extensive access to our team and system information. Over the course of a month, PwC interviewed staff responsible for managing our VPN servers; inspected source code, configurations, and technical log files; and observed our server configuration and deployment processes.

Given the scope and extensive nature of the audit, PwC does not allow excerpts to be shared in order to ensure none of the audit results are taken out of context and misunderstood. As such, we’re unable to provide specifics about the results in this blog post, but we encourage customers to read the full report. We can unequivocally say, however, that we’ve been pleased with the entire process from start to finish.

Independent verification of privacy and security protections

Online privacy and security have never been more important, and VPNs provide vital protections. That’s why it’s crucial that we have high standards for trust and transparency in the industry.

Audits by trusted third parties, including our recent security assessment by Cure53, provide independent verification of the privacy and security commitments we make to customers. They complement our other trust and transparency efforts, including providing open-source leak testing tools, publicly detailing our security practices, and working with the Center for Democracy and Technology on responsible disclosure in the VPN industry.

At ExpressVPN, we’re committed to doing our part to keep pushing the industry forward to better protect online privacy and security, through both technology and transparency. We look forward to publishing more audits, tools, and insights that enable you to hold us to that commitment.
