ExpressVPN developed its TrustedServer feature back in April 2019 as part of its commitment to ensuring it never stores any sensitive user data on any of its VPN servers. TrustedServer means that hard drives were completely removed from ExpressVPN’s servers, almost eliminating the risk that they could inadvertently contain any user information.
The team from PwC was given complete access to ExpressVPN’s team and system information for the duration of the audit, which was around one month. They interviewed the ExpressVPN staff in charge of managing its VPN servers and inspected source code and technical log files. They even observed server configuration methods and deployment processes.
Given the sheer scope of this audit, PwC is not allowing excerpts to be shared, to ensure no information is taken out of context. ExpressVPN users can view the full report by logging into their accounts and visiting the ‘Privacy and Security Audits’ section. Before the report downloads, you have to agree not to share it with anybody else without PwC’s prior written consent.
ExpressVPN released a blog post on Tuesday 9 July informing users of the audit, stating it’s committed to doing its part to “keep pushing the industry forward to better protect online privacy and security, through both technology and transparency.” It also went on to say it hopes to publish more audits and insights such as this one in the future.
At the end of January this year, ExpressVPN also released the results of an independent audit of its Google Chrome browser extension, carried out by Cure53. What’s more, it made the code open source and available for anybody to view.
These audits are part of ExpressVPN’s commitment to providing ‘independent verification of the privacy and security commitments’ it makes to its users. They go alongside its other transparency efforts, such as providing open-source leak-testing tools, disclosing details of its security practices, and working with the Center for Democracy and Technology.