ExpressVPN Trust Center

ExpressVPN is, first and foremost, a privacy company. Our users trust us to protect their privacy with an industry-leading combination of hardware, software, and human ingenuity. Here is a look at how we work to earn that trust.

A dog walker, an adult and child, and someone with their phone.

Security at ExpressVPN: Our 4 key strategies

Learn how we do cybersecurity to keep our systems and users protected.

A lock symbolizing security.

1. Make systems difficult to compromise

Dominoes falling onto a brick wall.

2. Minimize potential damages

A blue clock with turning hands.

3. Minimize the time of compromise

Checklist image with shield.

4. Validate our security controls

Innovation

As we strive to meet and exceed industry security standards, we are also constantly innovating in a relentless pursuit of new ways to safeguard our products and our users’ privacy. Here we highlight two groundbreaking technologies built by ExpressVPN.

Vertical toggle buttons.

Lightway: Our protocol offering a superior VPN experience

Lightway is a VPN protocol built by ExpressVPN. A VPN protocol is the method by which a device connects to a VPN server. Most providers use the same off-the-shelf protocols, but we set out to create one with superior performance, making users’ VPN experience not only speedier and more reliable, but also more secure.

  • Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard.

  • Lightway also preserves perfect forward secrecy, with dynamic encryption keys that are regularly purged and regenerated.

  • The core library of Lightway has been open-sourced, ensuring that it can be transparently and widely assessed for security.

  • Lightway includes post-quantum support, protecting users against attackers with access to both classical and quantum computers. ExpressVPN is one of the first VPN providers to deploy post-quantum protection, helping users remain secure in the face of quantum computing advancements.

Learn more about Lightway, and read our dev blog for technical insights from ExpressVPN software developers on how Lightway works and what makes it better than the rest.

A stack of servers with a lock.

TrustedServer: All data wiped with every reboot

TrustedServer is VPN server technology we created that delivers greater security to our users.

  • It runs only on volatile memory, or RAM. The operating system and apps never write to hard drives, which retain all data until they are erased or written over. Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again—stopping both data and potential intruders from persisting on the machine.

  • It increases consistency. With TrustedServer, every one of ExpressVPN’s servers runs the most up-to-date software, rather than each server receiving an update at different times as needed. That means ExpressVPN knows exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.

  • TrustedServer technology has been audited by PwC.

Want a more detailed look at the many ways TrustedServer protects users? Read our deep dive into the tech, written by the engineer who designed the system.

Independent security audits

Checklist image with shield.

We’re committed to commissioning in-depth third-party audits of our products with great frequency. Here is a comprehensive list of our external audits, ordered chronologically:

Transparency report

Checklist image with shield.

Our biannual transparency reports provide information on user-data requests received by our legal department.

While we regularly receive such requests, our no-logs policy ensures we never have anything to share. We do not and never will keep logs of your online activities or personal information, including your browsing history, traffic destination or metadata, DNS queries, or any IP addresses you are assigned when you connect to our VPN.

We can never provide this customer data because it simply does not exist. By publishing this additional information on the requests that we receive, we aim to provide even more transparency into how we protect our users.

Requests for user data

Date range: January - June 2024

TypeRequests received
Government, law enforcement, and civil requests170
DMCA requests 259,561
Warrants from any government institution2
Gag orders0
National Security Letters0
None of the requests resulted in the disclosure of user-related data.

Date range: July - December 2023

TypeRequests received
Government, law enforcement, and civil requests194
DMCA requests 152,653
Warrants from any government institution0
Gag orders0
National Security Letters0
None of the requests resulted in the disclosure of user-related data.

A bug under a magnifying glass.

Bug bounty

Through our bug bounty program, we invite security researchers to test our systems and receive financial rewards for any problems they find. This program gives us access to a large number of testers who regularly assess our infrastructure and applications for security issues. These findings are then validated and remediated, ensuring our products are as secure as possible.

The scope of our program includes vulnerabilities in our VPN servers, our apps and browser extensions, our website, and more. To individuals who report bugs, we provide full safe harbor conforming to global best practices in the security-research space.

Our bug bounty program is managed by Bugcrowd. Follow this link to find out more or report a bug.

A bar graph with an arrow on the highest bar.

Industry leadership

While we set rigorous standards for ourselves, we also believe that our work of building a more private and secure internet can’t stop there—that’s why we collaborate with the entire VPN industry to raise standards and better protect users.

We co-founded and chair the VPN Trust Initiative (VTI) together with the Internet Infrastructure Coalition (i2Coalition) and several other major industry players. In addition to its ongoing awareness and advocacy work, the group has launched the VTI Principles—shared guidelines for responsible VPN providers in the areas of security, privacy, transparency, and more. This builds on ExpressVPN’s previous transparency initiative work in partnership with the Center for Democracy and Technology.

Some of the innovations we've pioneered have helped to drive the VPN industry forward. We were the first to create TrustedServer, and others have since followed our lead to roll out similar technology. Lightway is another example of technology that we've built from the ground up, and we hope that by open-sourcing it, it will have an influence on the VPN industry as a whole.

Notable privacy initiatives

Find out more about how we protect our users’ privacy.

A shield button toggled on.

ioXT certified

ExpressVPN has become one of the few VPN apps to be certified by the ioXt Alliance for security standards, empowering consumers to use our services with greater confidence.

Bar graph with different heights.

In-app privacy features

We have introduced a feature on our app for Android called Protection Summary, which helps users protect their privacy with practical guidelines.

Two line graphs.

Digital Security Lab

We launched the Digital Security Lab to delve deep into real-world privacy issues. See its leak-testing tools, which help to validate the security of your VPN.