ExpressVPN's exterior auditors verify no-logs coverage as of February

Computer and Internet


“ExpressVPN by no means retains information that might tie you to any on-line exercise,” the VPN supplier claims on its web site. An unbiased audit from late February helps these claims. Accounting agency KPMG discovered “affordable assurance” that the VPN supplier’s system prevents the logging of person exercise. The product is one in all Engadget’s prime VPN picks.

The agency’s audit put ExpressVPN’s TrustedServer system below a microscope. That is the corporate’s RAM-based system. In principle, this strategy means person information is wiped with each server reboot. (Doing so would forestall even the potential for long-term storage.) Some rivals, together with NordVPN, additionally use RAM-based servers. In the meantime, ProtonVPN counters that correctly encrypted onerous drives are simply as safe.

One other counter-argument to RAM-based servers is that they are solely as efficient in the event that they’re rebooted. In principle, an organization may run RAM servers for advertising functions, however then by no means restart them. That is the place audits might help.

KPMG has a excessive degree of confidence that the no-logging system functioned as marketed in late February. “Controls present affordable assurance that the ExpressVPN TrustedServer doesn’t gather logs of customers’ exercise,” KPMG’s paper reads. That included “no logging of shopping historical past, site visitors vacation spot, information content material, DNS queries or particular connection logs.”

KPMG’s evaluation was an ISAE 3000 Sort I audit. Meaning it targeted on ExpressVPN’s management design and implementation at a particular time limit. (In the meantime, a Sort II audit would have gone farther, testing the effectiveness of these controls over an prolonged interval.) In case you aren’t acquainted, KPMG is among the Massive 4 accounting companies. It is a trusted title that firms shell out huge bucks to for audits like this.

The evaluation checked out a number of elements. These included documentation critiques, observing the system at work and interviewing ExpressVPN personnel. The audit’s conclusion applies “as of February 28, 2025.” You’ll be able to learn KPMG’s full paper for a extra detailed breakdown.



Supply hyperlink