ExpressVPN Receives Third Independent Audit Confirming No-Logs Policy Compliance
VPN Provider's TrustedServer Technology Passes KPMG Verification for Privacy Controls

- ExpressVPN receives third independent KPMG audit confirming no-logs policy compliance and TrustedServer technology effectiveness.
- KPMG provided “reasonable assurance” across all 48 tested control activities with zero exceptions noted during the examination.
- TrustedServer RAM-only architecture automatically eliminates user activity logs through system reboots that reset servers to standardized states.
- Independent verification confirms ExpressVPN collects minimal usage statistics while preventing identification of specific user online behavior.
- Audit examined six control objectives including user activity logging prevention, server security, and automated change management procedures.
ExpressVPN has completed its third independent audit by KPMG LLP, with the auditing firm providing “reasonable assurance” that the company’s no-logs policy and TrustedServer technology operate as stated. The ISAE (UK) 3000 Type I audit, dated February 28, 2025, examined ExpressVPN’s internal controls and system design.
The audit focused on ExpressVPN’s TrustedServer VPN services, which the company claims prevent the collection of user activity logs including browsing history, traffic destination, data content, and DNS queries. According to the KPMG report, ExpressVPN’s systems are designed to “categorically eliminate storage of sensitive data.”
Key Audit Findings
KPMG tested six primary control objectives covering 48 specific control activities. All controls received “no exceptions noted” ratings from the auditors. The examination covered several areas including user activity logging prevention, usage analytics data collection, third-party software protection, individual VPN server security, build pipeline protection, and change management procedures.
The audit confirmed that ExpressVPN’s TrustedServer infrastructure operates on a RAM-only architecture. According to the report, “the servers run in RAM only” and use a Trusted Boot system that loads a read-only ISO image from the company’s content delivery network. The image contains the entire Debian OS as compiled by ExpressVPN and requires valid digital signatures to boot.
TrustedServer Architecture Verification
KPMG verified that ExpressVPN’s servers reset to their standardized state with every reboot, causing any accumulated operational data to be lost. The audit confirmed that no server-specific configuration or secrets are shipped inside the ISO image, with a separate “activator” validating the running operating system before pushing credentials.
The auditors examined ExpressVPN’s GitHub Infrastructure as Code (IaC) workflow, which requires multiple developer approvals and cryptographic signing using hardware-backed keys. All code changes undergo automated testing that includes verification of no-logging configurations.
Privacy Policy Compliance
The audit verified ExpressVPN’s privacy policy implementation, confirming the company collects minimal usage statistics while maintaining user anonymity. According to the KPMG report, ExpressVPN may know that a user connected to a specific VPN location on a particular day but “cannot be uniquely identified as responsible for any specific online behavior.”
The company’s analytics system was verified to collect only aggregate data transfer amounts, VPN location information, and country/ISP data derived from GeoIP lookups, while excluding user IP addresses and specific connection times.
Industry Context
This marks ExpressVPN’s third independent audit, following previous examinations of its no-logs claims. As a Type I engagement under ISAE (UK) 3000, the KPMG audit provides assurance about the design and implementation of controls but does not test their operational effectiveness over time.
ExpressVPN, operated by Express Technologies Limited, serves millions of users across 105 countries. The company has expanded beyond VPN services to offer additional privacy and security tools.
The complete KPMG audit report spans 39 pages and includes detailed technical specifications of ExpressVPN’s infrastructure. KPMG conducted the audit from its Leeds office, with the final report signed on May 8, 2025.
ExpressVPN’s Chief Information Security Officer Aaron Engel and Chief Financial Officer Or Ifrah signed the management statement acknowledging responsibility for the system’s design and implementation.