ExpressVPN is, first and foremost, a privacy company. Our users trust us to protect their privacy with an industry-leading combination of hardware, software, and human ingenuity. Here is a look at how we work to earn that trust.
Learn how we do cybersecurity to keep our systems and users protected.
We use public-private key pairs for a variety of security purposes, such as two-factor authentication, signing Git commits, and connecting to servers via SSH. We mitigate the risk of our private keys being stolen by generating and keeping them on hardware security devices, from which the keys cannot be exported. This means that even if a workstation is compromised, an attacker cannot copy our private keys; the most they could do is ask the device to sign something while it is plugged in and unlocked, which the touch requirement below is designed to prevent.
These devices are protected by strong passphrases and are configured to wipe themselves (“brick”) after multiple failed unlock attempts. They also require a physical touch for every operation, so malware on the workstation cannot use the keys without a human being present.
All production code requires at least one other human to act as a reviewer. This makes it much more difficult to add malicious code, whether by an insider or through a compromised employee workstation.
We use SSH as a secure way to gain remote access to our critical servers. These SSH servers are configured to offer only a small allowlist of modern ciphers, key exchange algorithms, and MACs. We also don’t allow connecting as root, and authentication can only occur using strong SSH keys—no passwords allowed. We use intermediate SSH bastion hosts to segregate production infrastructure from the open internet. These machines only accept traffic from addresses on an IP allowlist.
All of this configuration is defined in code, so it is peer reviewed and reproducible.
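Because the SSH configuration is defined in code, it can also be checked in code. The following is an added example (not ExpressVPN's tooling) of a small auditor that parses an `sshd_config`, including `Match` blocks, and verifies the properties described above: root login, password and keyboard-interactive authentication are off; only an explicit, modern allowlist of ciphers, key exchange algorithms and MACs is offered; logins are restricted to named users from allowlisted source addresses (`AllowUsers user@CIDR`); and no `Match` block quietly re-enables what the global section disabled. The algorithm allowlists and both sample configurations are constructed for illustration; the source-address allowlist on a real bastion would additionally be enforced at the firewall.

```python
"""Audit an OpenSSH sshd_config for the hardening described above.

Added example, not ExpressVPN's own code. Allowlists and sample configs
are constructed for illustration."""
import re

# Modern-only allowlists (assumption: what "modern" means here).
ALLOWED_CIPHERS = {"chacha20-poly1305@openssh.com",
                   "aes256-gcm@openssh.com", "aes128-gcm@openssh.com"}
ALLOWED_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org",
               "sntrup761x25519-sha512@openssh.com"}
ALLOWED_MACS = {"hmac-sha2-512-etm@openssh.com",
                "hmac-sha2-256-etm@openssh.com"}

# sshd accepts "Keyword value" and "Keyword=value".
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).

    Keywords are case-insensitive and, as in sshd, the first occurrence
    of a keyword within a section wins (hence setdefault)."""
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                     # start of a Match block
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(key, value)
    return global_opts, matches


def _check_algorithms(opts, keyword, allowed, findings):
    value = opts.get(keyword.lower())
    if value is None or value[0] in "+-^":
        # Unset, or a +/-/^ modifier: sshd falls back to its compiled-in
        # defaults instead of an explicit allowlist.
        findings.append(f"{keyword}: no explicit allowlist")
        return
    bad = sorted(set(value.split(",")) - allowed)
    if bad:
        findings.append(f"{keyword}: not allowed: {', '.join(bad)}")


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes."""
    opts, matches = parse_sshd_config(text)
    findings = []
    # Fallback values below are OpenSSH's own defaults when a keyword is absent.
    if opts.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin must be 'no'")
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication must be 'no'")
    # Leaving keyboard-interactive on lets PAM prompt for a password even
    # when PasswordAuthentication is off.
    if opts.get("kbdinteractiveauthentication",
                opts.get("challengeresponseauthentication", "yes")) != "no":
        findings.append("KbdInteractiveAuthentication must be 'no'")
    if opts.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be 'yes'")
    _check_algorithms(opts, "Ciphers", ALLOWED_CIPHERS, findings)
    _check_algorithms(opts, "KexAlgorithms", ALLOWED_KEX, findings)
    _check_algorithms(opts, "MACs", ALLOWED_MACS, findings)
    # Source-address allowlist as sshd expresses it: every AllowUsers entry
    # must be user@host so logins are tied to specific source addresses.
    allow = opts.get("allowusers", "").split()
    if not allow or any("@" not in entry for entry in allow):
        findings.append("AllowUsers must list user@CIDR entries only")
    for criteria, mopts in matches:
        if (mopts.get("passwordauthentication") == "yes"
                or mopts.get("permitrootlogin", "no") != "no"):
            findings.append(f"Match {criteria}: re-enables weak auth")
    return findings


HARDENED_CONFIG = """
# constructed example of a bastion sshd_config
Protocol 2
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
AllowUsers ops@203.0.113.0/24 ops@198.51.100.7
"""

WEAK_CONFIG = """
# constructed example: looks locked down at a glance, but is not
PermitRootLogin yes
PasswordAuthentication no
Ciphers +aes128-cbc
AllowUsers ops
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run against the weak sample, the auditor reports seven findings, including the `Match Address 10.0.0.0/8` block that turns password authentication back on for an internal range, which is exactly the kind of override a line-by-line diff review can miss. Wiring a check like this into the same pipeline that deploys the configuration keeps the "peer reviewed and reproducible" property enforceable rather than aspirational.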
For production machines, software dependencies are updated automatically via unattended upgrades.
To mitigate the threat of stolen keys being used to impersonate a VPN server, we require the ExpressVPN application to check in with our API servers to receive updated configuration settings. Our applications authenticate the servers they connect to by validating that the server certificate is signed by our private Certificate Authority (CA) and that its common name matches the expected server, ensuring that an attacker cannot impersonate us.
ExpressVPN’s password manager (named ExpressVPN Keys) leverages zero-knowledge encryption to ensure that no one—not even ExpressVPN—can decrypt the information our users store. Zero-knowledge encryption ensures that if there were a data breach of our servers, an attacker would not be able to decrypt any information stored by our users. This information is only ever decrypted on a user’s device, and can only be decrypted using encryption keys derived from the user’s primary password—which only they know.
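What makes a design "zero-knowledge" is the split between what the client derives from the primary password and what the server is ever allowed to see. The sketch below is an added example, not ExpressVPN Keys code: the client stretches the primary password with scrypt, then derives two independent keys from it with HKDF. An authentication key is sent to the server, which stores only a hash of it; an encryption key never leaves the device and is used to encrypt vault items client-side. The server therefore holds a salt, an auth-key hash and ciphertext, none of which decrypts the vault. To keep the example on the standard library, encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; a real vault would use an AEAD such as AES-GCM or XChaCha20-Poly1305. The user name, password, and vault contents are constructed sample data.

```python
"""Zero-knowledge vault sketch: added example, not ExpressVPN Keys code.

Only the auth key reaches the server; the encryption key and the primary
password stay on the client. Sample data is constructed for illustration."""
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # raise n in production


def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869), zero salt for extract, `info` labels each subkey."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(password, salt):
    """Return (auth_key, enc_key). Only auth_key is ever sent to the server."""
    master = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hkdf_sha256(master, b"auth"), hkdf_sha256(master, b"enc")


def _keystream(key, nonce, length):
    """PRF counter mode: HMAC(key, nonce || counter) blocks, stand-in for a cipher."""
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def encrypt(enc_key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC with separate keys)."""
    stream_key, mac_key = hkdf_sha256(enc_key, b"stream"), hkdf_sha256(enc_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, blob):
    """Return plaintext, or None if the tag fails (wrong key or tampering)."""
    stream_key, mac_key = hkdf_sha256(enc_key, b"stream"), hkdf_sha256(enc_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(stream_key, nonce, len(ct))))


class Server:
    """Everything the provider holds. Note what is absent: password, enc_key."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, auth_key, ciphertext):
        self.accounts[user] = {"salt": salt,
                               "auth_hash": hashlib.sha256(auth_key).digest(),
                               "vault": ciphertext}

    def fetch(self, user, auth_key):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["auth_hash"], hashlib.sha256(auth_key).digest()):
            raise PermissionError("bad credentials")
        return acct["vault"]


def client_store(server, user, password, secret):
    salt = os.urandom(16)
    auth_key, enc_key = derive_keys(password, salt)
    server.register(user, salt, auth_key, encrypt(enc_key, secret))


def client_load(server, user, password):
    salt = server.accounts[user]["salt"]   # salt is not secret; fetched before login
    auth_key, enc_key = derive_keys(password, salt)
    return decrypt(enc_key, server.fetch(user, auth_key))


def breach_cannot_decrypt(server, user):
    """Simulate a server breach: every stored value, used as a key, fails."""
    acct = server.accounts[user]
    return all(decrypt(k, acct["vault"]) is None for k in (acct["auth_hash"], acct["salt"]))


if __name__ == "__main__":
    srv = Server()
    client_store(srv, "alice", "correct horse battery staple", b"example.com / hunter2")
    print(client_load(srv, "alice", "correct horse battery staple"))
    print("breach data useless:", breach_cannot_decrypt(srv, "alice"))
```

The one residual risk a breach does leave is offline guessing: with the salt and auth-key hash, an attacker can try candidate primary passwords through scrypt. That is why the password-stretching cost and the strength of the primary password, not anything held server-side, bound the security of the design.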
Security and privacy threat modeling is incorporated into the design phase of any system. We use the MITRE ATT&CK framework to identify threats that can exist in our designs, consider ways to remove them, and apply sufficient measures to minimize potential risks.
All our users, services, and operations follow the least-privilege model. Our employees are authorized to access only the services and production systems necessary for their roles. Our customer-support agents work in two separate environments: an untrusted one for general web browsing and a restricted one for accessing sensitive systems. These measures minimize the impact, and thwart the goals, of attackers should they manage to take over any of our accounts.
We continuously monitor our internal services and infrastructure for any anomalous or unauthorized activity. Our 24/7 on-call security team performs real-time monitoring and triaging of security alerts.
We perform regular penetration tests to evaluate our systems and software to identify vulnerabilities and weaknesses. Our testers have full access to the source code and employ a combination of automated and manual testing to ensure a thorough evaluation of our services and products.
We engage independent auditors to review the security of our services and software. These engagements serve as validation that our internal controls are effective in mitigating security vulnerabilities, while offering customers documentation on the accuracy of the security claims we make about our products.
As we strive to meet and exceed industry security standards, we are also constantly innovating in a relentless pursuit of new ways to safeguard our products and our users’ privacy. Here we highlight two groundbreaking technologies built by ExpressVPN.
Lightway is a VPN protocol built by ExpressVPN. A VPN protocol is the method by which a device connects to a VPN server. Most providers use the same off-the-shelf protocols, but we set out to create one with superior performance, making users’ VPN experience not only speedier and more reliable, but also more secure.
Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard.
Lightway also preserves perfect forward secrecy: session keys are ephemeral, regularly purged and regenerated, so the compromise of one key does not expose traffic from earlier sessions.
The core library of Lightway has been open-sourced, ensuring that it can be transparently and widely assessed for security.
Lightway includes post-quantum support, protecting users against attackers with access to both classical and quantum computers. ExpressVPN is one of the first VPN providers to deploy post-quantum protection, helping users remain secure in the face of quantum computing advancements.
TrustedServer is VPN server technology we created that delivers greater security to our users.
It runs only on volatile memory, or RAM. The operating system and apps never write to hard drives, which retain all data until they are erased or written over. Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again—stopping both data and potential intruders from persisting on the machine.
It increases consistency. With TrustedServer, every one of ExpressVPN’s servers runs the most up-to-date software, rather than each server receiving an update at different times as needed. That means ExpressVPN knows exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.
TrustedServer technology has been audited by PwC.
Want a more detailed look at the many ways TrustedServer protects users? Read our deep dive into the tech, written by the engineer who designed the system.
We’re committed to commissioning in-depth third-party audits of our products with great frequency. Here is a comprehensive list of our external audits, ordered chronologically:
The second audit of our VPN protocol Lightway by Cure53 (November 2022)
An audit by Cure53 of the ExpressVPN Keys browser extension (October 2022)
An audit by Cure53 of the ExpressVPN browser extension (October 2022)
An audit by KPMG of our no-logs policy (September 2022)
A security audit by Cure53 of our app for iOS (September 2022)
A security audit by Cure53 of our app for Android (August 2022)
An audit by Cure53 of our Linux app (August 2022)
An audit by Cure53 of our macOS app (July 2022)
A security audit by Cure53 of our Aircove router (July 2022)
An audit by F-Secure of our Windows v12 app (April 2022)
A security audit by F-Secure of our Windows v10 app (March 2022)
A security audit by Cure53 of our VPN protocol Lightway (August 2021)
A security audit by Cure53 of our browser extension (November 2018)
Through our bug bounty program, we invite security researchers to test our systems and receive financial rewards for any problems they find. This program gives us access to a large number of testers who regularly assess our infrastructure and applications for security issues. These findings are then validated and remediated, ensuring our products are as secure as possible.
The scope of our program includes vulnerabilities in our VPN servers, our apps and browser extensions, our website, and more. To individuals who report bugs, we provide full safe harbor conforming to global best practices in the security-research space.
Our bug bounty program is managed by Bugcrowd. Follow this link to find out more or report a bug.
While we set rigorous standards for ourselves, we also believe that our work of building a more private and secure internet can’t stop there—that’s why we collaborate with the entire VPN industry to raise standards and better protect users.
We co-founded and chair the VPN Trust Initiative (VTI) together with the Internet Infrastructure Coalition (i2Coalition) and several other major industry players. In addition to its ongoing awareness and advocacy work, the group has launched the VTI Principles—shared guidelines for responsible VPN providers in the areas of security, privacy, transparency, and more. This builds on ExpressVPN’s previous transparency initiative work in partnership with the Center for Democracy and Technology.
Some of the innovations we've pioneered have helped to drive the VPN industry forward. We were the first to create TrustedServer, and others have since followed our lead to roll out similar technology. Lightway is another example of technology that we've built from the ground up, and we hope that by open-sourcing it, it will have an influence on the VPN industry as a whole.
Find out more about how we protect our users’ privacy.
ExpressVPN has become one of the few VPN apps to be certified by the ioXt Alliance for security standards, empowering consumers to use our services with greater confidence.
We have introduced a feature on our app for Android called Protection Summary, which helps users protect their privacy with practical guidelines.