Is ExpressVPN Safe? Security, Privacy & Audit Analysis

Is ExpressVPN safe? Independent audit results, encryption protocols, jurisdiction analysis, kill switch testing, and no-logs policy verification.

VPN.com Editorial Team · 9 min read

Is ExpressVPN Safe? A Security Deep-Dive

ExpressVPN earns an 85/100 trust score based on verified no-logs audits, AES-256 encryption, and RAM-only servers across 105 countries. It operates under British Virgin Islands jurisdiction, outside the 5, 9, and 14 Eyes surveillance alliances. Multiple independent audits by KPMG and Cure53 confirm that its no-logs claims hold up under scrutiny.

Jurisdiction: Why the British Virgin Islands Matter

ExpressVPN is incorporated in the British Virgin Islands, a self-governing British Overseas Territory. The BVI has no mandatory data retention laws for VPN providers. This single fact shapes how ExpressVPN responds to government data requests.

The BVI sits outside the 5 Eyes, 9 Eyes, and 14 Eyes intelligence-sharing alliances. Foreign government requests must pass through the BVI High Court before reaching ExpressVPN. The BVI has no legal obligation to honor foreign subpoenas or surveillance orders directly.

This jurisdiction advantage proved real in 2017. Turkish authorities seized an ExpressVPN server during a political investigation. The server contained zero user data, confirming the no-logs policy worked under actual government pressure.

Independent Audit History

ExpressVPN has completed more third-party security audits than most competitors. Each audit examined different aspects of the service’s privacy and security claims.

KPMG No-Logs Audits

KPMG audited ExpressVPN’s no-logs policy in 2022 and again in 2024. Both audits confirmed ExpressVPN’s TrustedServer technology stores no activity logs, connection logs, or IP addresses. KPMG tested production servers and internal systems to verify these claims independently.

Cure53 Security Audits

Cure53, a respected German cybersecurity firm, has audited ExpressVPN multiple times. In 2019, Cure53 examined the browser extensions and found no critical vulnerabilities. They audited the Lightway protocol in 2021 and confirmed its cryptographic implementation was sound. A 2022 audit reviewed the TrustedServer infrastructure and rated it strong.

PwC Audit

PricewaterhouseCoopers conducted an earlier no-logs audit in 2019. PwC verified that ExpressVPN’s server configuration matched its public privacy policy. This marked one of the first major audits ExpressVPN commissioned.

ExpressVPN publishes summaries of all audit results on its website. The full Cure53 reports are available publicly, which shows above-average transparency for the VPN industry.

Logging Policy: What Gets Stored and What Does Not

ExpressVPN’s privacy policy states clearly what data it collects. Understanding the specifics matters more than marketing claims.

Data ExpressVPN Does NOT Store

ExpressVPN does not log your browsing history, traffic destination, DNS queries, or IP address. It does not record connection timestamps, session duration, or assigned VPN IP addresses. No content of your communications passes through any logging system.

Data ExpressVPN DOES Collect

ExpressVPN collects aggregate connection data: which app version you use, which server location you chose (not the specific server), and total bandwidth consumed per day. This data cannot identify individual users or link activity to specific accounts. ExpressVPN uses it to plan server capacity across its 3,000+ server network.

Your account email, payment information, and support ticket history are stored for billing purposes. Users who want maximum anonymity can pay with Bitcoin or use a disposable email address.

Encryption Standards and Protocols

ExpressVPN uses AES-256-GCM encryption as its default standard. This is the same encryption level used by the U.S. government for classified information. Breaking AES-256 would require computational power that does not currently exist.

Available Protocols

ExpressVPN offers 4 VPN protocol options across its apps. Lightway is its proprietary protocol, built on wolfSSL and using ChaCha20 or AES-256 encryption. OpenVPN runs over both UDP and TCP with AES-256-GCM. IKEv2/IPsec is available on select platforms for fast mobile connections.

Lightway deserves special attention. Its codebase contains roughly 2,000 lines of code, compared to OpenVPN’s 70,000+. Fewer lines mean a smaller attack surface and fewer places for vulnerabilities to hide, and connections establish in under 1 second. Cure53 audited Lightway’s source code, which ExpressVPN published as open source on GitHub.

Perfect Forward Secrecy

ExpressVPN negotiates a new encryption key for every connection session. If an attacker somehow compromised one session key, past and future sessions remain protected. This feature prevents bulk retroactive decryption of captured traffic.

Kill Switch and DNS Leak Protection

ExpressVPN calls its kill switch “Network Lock.” It activates by default on Windows, Mac, Linux, and routers. Network Lock blocks all internet traffic if the VPN connection drops unexpectedly.

Network Lock works at the firewall level, not the application level. This approach prevents leaks during brief reconnection windows that application-level kill switches often miss. It allows traffic only through the VPN tunnel and to ExpressVPN’s DNS servers.

ExpressVPN runs its own private, encrypted DNS on every server. Your DNS queries never touch third-party DNS providers like Google or Cloudflare. This eliminates DNS leak risk at the infrastructure level rather than relying on software patches.

Independent testing tools consistently show zero DNS leaks, zero WebRTC leaks, and zero IPv6 leaks across ExpressVPN’s major apps. The router firmware extends this protection to every device on your network.
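
The firewall-level policy described above, written out as an added illustration with nftables. This is not ExpressVPN’s Network Lock code (the page does not publish its rules); it models the same behaviour: default-deny egress, allow only the VPN transport and traffic inside the tunnel, and allow DNS solely to the VPN’s own resolver through the tunnel. The interface name, addresses and port are assumed placeholder values.

```shell
#!/bin/sh
# Added illustration of a firewall-level VPN kill switch using nftables. Not
# ExpressVPN's Network Lock code; it models the policy the text describes:
# default-deny egress, allow only the VPN transport and tunnel traffic, and
# allow DNS solely to the VPN resolver inside the tunnel. Values are placeholders.
VPN_IFACE="${VPN_IFACE:-tun0}"             # tunnel interface created by the client
VPN_SERVER="${VPN_SERVER:-198.51.100.10}"  # constructed address (documentation range)
VPN_PORT="${VPN_PORT:-1194}"               # UDP port of the VPN transport
VPN_DNS="${VPN_DNS:-10.8.0.1}"             # resolver reachable only inside the tunnel

# Print the ruleset. The inet family covers IPv4 and IPv6 in one table, so the
# drop policy also stops IPv6 leaving the physical interface. oifname matches
# by name at packet time, so the rules survive tun0 being torn down and
# recreated on reconnect (oif would bind to the old interface index).
killswitch_ruleset() {
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # the only packets allowed outside the tunnel: the VPN transport itself
        oifname != "$VPN_IFACE" ip daddr $VPN_SERVER udp dport $VPN_PORT accept
        # DNS is allowed only to the VPN resolver, and only inside the tunnel
        oifname "$VPN_IFACE" ip daddr $VPN_DNS udp dport 53 accept
        oifname "$VPN_IFACE" ip daddr $VPN_DNS tcp dport 53 accept
        oifname "$VPN_IFACE" udp dport 53 drop
        oifname "$VPN_IFACE" tcp dport 53 drop
        # everything else must ride the tunnel; while the tunnel is down no
        # rule matches and the drop policy closes the reconnection window
        oifname "$VPN_IFACE" accept
    }
}
EOF
}

# Load the ruleset atomically (needs root and nftables); only runs on "apply".
apply_killswitch() {
    killswitch_ruleset | nft -f -
}

# Self-check: count explicit accept rules so a rule bypassing the tunnel stands out.
accept_rule_count() {
    killswitch_ruleset | grep -c ' accept$'
}

case "${1:-show}" in
    apply) apply_killswitch ;;
    *) killswitch_ruleset ;;
esac
```

Running the script with no arguments only prints the rules for review; `apply` loads them with `nft -f -`, and after a deliberate tunnel drop any egress other than the VPN transport should fail rather than fall back to the ISP path.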

Past Security Incidents

No security product exists without scrutiny. ExpressVPN has faced two notable incidents worth examining.

The Turkey Server Seizure (2017)

Turkish authorities investigated the assassination of Russian Ambassador Andrei Karlov. They seized an ExpressVPN server seeking suspect communications. The server contained zero usable data, validating the no-logs infrastructure under real-world law enforcement pressure.

The Kape Technologies Acquisition (2021)

Kape Technologies acquired ExpressVPN for approximately $936 million in September 2021. Kape previously operated as Crossrider, a company associated with adware distribution before rebranding. This acquisition raised legitimate concerns among privacy advocates.

ExpressVPN responded by maintaining its independent operations and BVI jurisdiction. Post-acquisition KPMG audits in 2022 and 2024 confirmed the no-logs policy remained intact. The company retained its leadership team and continued publishing audit results transparently. Users should monitor future audits to verify continued independence.

Unique Security Features

ExpressVPN offers several security features that distinguish it from competitors with similar encryption standards.

TrustedServer Technology

Every ExpressVPN server runs entirely on volatile RAM, not hard drives. Servers load a read-only image at every boot. All data is wiped completely with each server reboot. This architecture makes persistent data storage physically impossible on VPN servers.

Threat Manager

Threat Manager blocks apps and websites from communicating with known trackers and malicious servers. It operates at the DNS level across all connected devices. ExpressVPN updates its blocklists regularly based on threat intelligence data.

Express Keys (Password Manager)

ExpressVPN bundles a built-in password manager called Keys with all subscriptions. Keys uses zero-knowledge encryption, meaning ExpressVPN cannot access your stored passwords. This integration adds practical security value beyond the VPN tunnel itself.

Post-Quantum Protection

ExpressVPN implemented post-quantum cryptography support in its Lightway protocol. This feature protects against future quantum computing attacks that could break current encryption standards. Few VPN providers had implemented this protection at the time of testing.

FAQ

Does ExpressVPN Keep Logs?

ExpressVPN does not keep activity logs, connection logs, IP addresses, or browsing history. It collects minimal aggregate data like app version and server location choice for network maintenance. KPMG and PwC audits have independently verified these no-logs claims across multiple years.

Has ExpressVPN Been Hacked?

ExpressVPN has not suffered a confirmed data breach affecting user information. The 2017 Turkey server seizure proved the no-logs system works because authorities recovered zero user data. Its TrustedServer RAM-only architecture limits the impact of any potential physical server compromise.

Is ExpressVPN Trustworthy?

ExpressVPN demonstrates trustworthiness through 5+ independent audits, open-source protocol code, and a verified no-logs incident. The Kape Technologies ownership raises valid questions that users should weigh individually. Its 30-day money-back guarantee lets users test the service with minimal financial risk.

Can ExpressVPN See My Data?

ExpressVPN cannot see your browsing data due to AES-256 end-to-end encryption within the VPN tunnel. The TrustedServer infrastructure prevents data from being written to disk on any server. Even if compelled by a court order, ExpressVPN has no stored user activity data to hand over.