ExpressVPN Trust Center
ExpressVPN is, first and foremost, a privacy company. Our users trust us to protect their privacy with an industry-leading combination of hardware, software, and human ingenuity. Here is a look at how we work to earn that trust.
Security at ExpressVPN: Our 4 key strategies
Learn how we do cybersecurity to keep our systems and users protected.
1. Make systems difficult to compromise
The front line in our defenses is making our systems secure. We employ many different techniques to ensure that it’s difficult to break into any of them, from using an independently assured build verification system to hardware security devices and cutting-edge encryption.
Build verification system
ExpressVPN software is protected against contamination with malicious code, from creation through delivery, by an in-house build verification system that has been independently reviewed.
Hardware security devices
We use public-private key pairs for a variety of security purposes, such as two-factor authentication, signing Git commits, and connecting to a server via SSH. We mitigate the risk of our private keys being stolen by keeping them on hardware security devices. This means that even if our workstations are compromised, an attacker cannot steal our private keys.
These devices are secured with strong passphrases and are configured to “brick” themselves after multiple failed attempts to unlock them. The devices require a physical touch to operate, meaning that malware cannot steal the keys without a human being involved.
All production code requires at least one other human to act as a reviewer. This makes it much more difficult to add malicious code, whether through an insider threat or a compromised employee workstation.
Hardened secure shell (SSH)
We use SSH as a secure way to gain remote access to our critical servers. These SSH servers are configured to only use a set of highly secure ciphers, key exchange algorithms, and MACs. We also don’t allow connecting as root, and authentication can only occur using strong SSH keys—no passwords allowed. We use intermediate SSH bastion hosts to segregate production infrastructure from the open internet. These machines only accept traffic from addresses on an IP whitelist.
All of this configuration is defined in code, so it is peer reviewed and reproducible.
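One way to check the hardening described above against a server's effective settings, as an added example that is not ExpressVPN's own code: it audits `sshd -T`-style output. The algorithm allowlists and the sample inputs are assumptions constructed for illustration.

```python
# Added example. The allowlists are illustrative assumptions, not ExpressVPN's lists.
ALLOWED = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}
REQUIRED = {
    "permitrootlogin": "no",          # no connecting as root
    "passwordauthentication": "no",   # keys only, no passwords
    "pubkeyauthentication": "yes",
}

def parse_effective(text):
    """Parse `sshd -T` style output: one lowercase 'keyword value' per line."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg[key.lower()] = value.strip()
    return cfg

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    cfg, findings = parse_effective(text), []
    for key, want in REQUIRED.items():
        if cfg.get(key) != want:
            findings.append(f"{key}: expected {want}, got {cfg.get(key)}")
    for key, allowed in ALLOWED.items():
        offered = [a for a in cfg.get(key, "").split(",") if a]
        weak = sorted(a for a in offered if a not in allowed)
        if not offered:
            findings.append(f"{key}: missing from input")
        elif weak:
            findings.append(f"{key}: not on allowlist: {','.join(weak)}")
    return findings

# Constructed sample inputs (not captured from any real host).
HARDENED = """permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256
macs hmac-sha2-512-etm@openssh.com"""
WEAK = HARDENED.replace("permitrootlogin no", "permitrootlogin yes").replace(
    "aes256-gcm@openssh.com", "aes128-cbc") + ",hmac-sha1"
if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(sample) or "OK")
```

Because the configuration is defined in code, a check like this can run in the same review pipeline and fail the change when a finding appears.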
For production machines, software dependencies are updated automatically via unattended upgrades.
2. Minimize potential damages
Despite our efforts, it is still possible that a motivated attacker may break through our defenses. We address this risk by applying guardrails to minimize the attacker’s potential damage from their initial foothold.
Embracing zero trust
To mitigate the threat of stolen keys being used to impersonate a VPN server, we require the ExpressVPN application to check in with our API servers to receive updated configuration settings. Our applications authenticate the servers they connect to by validating the private Certificate Authority (CA) signature and the common name, ensuring that an attacker cannot impersonate us.
Employing zero-knowledge encryption
ExpressVPN’s password manager (named ExpressVPN Keys) leverages zero-knowledge encryption to ensure that no one—not even ExpressVPN—can decrypt the information our users store. Zero-knowledge encryption ensures that if there was a data breach of our servers, an attacker would not be able to decrypt any information stored by our users. This information is only ever decrypted on a user’s device, and can only be decrypted using encryption keys generated by the user’s primary password—which only they know.
Security and privacy threat modeling is incorporated into the design phase of any system. We use the MITRE ATT&CK framework to identify threats that can exist in our designs, consider ways to remove them, and apply sufficient measures to minimize potential risks.
Principle of least privilege
All our users, services, and operations follow the least-privilege model. Our employees are granted access only to the services and production systems necessary for their roles. Our customer-support agents work in two environments: an untrusted one for general web browsing and a restrictive one for accessing sensitive systems. These measures minimize the impact and thwart the goals of attackers should they manage to take over any of our accounts.
3. Minimize the time of compromise
Beyond minimizing the severity of the damage, our processes also limit the duration of a compromise and the amount of time that attackers can stay lurking.
We continuously monitor our internal services and infrastructure for any anomalous or unauthorized activity. Our 24/7 on-call security team performs real-time monitoring and triaging of security alerts.
Many of our systems are automatically destroyed and rebuilt several times per week, if not on a daily basis. This limits the length of time that an attacker can lurk within our systems.
4. Validate our security controls
All of our software and services are rigorously tested to ensure they work as intended and meet the high standards of privacy and security that we promise to our customers.
Internal validation: Penetration tests
We perform regular penetration tests to evaluate our systems and software to identify vulnerabilities and weaknesses. Our testers have full access to the source code and employ a combination of automated and manual testing to ensure a thorough evaluation of our services and products.
External validation: Security audits by third parties
We engage independent auditors to review the security of our services and software. These engagements serve as validation that our internal controls are effective in mitigating security vulnerabilities, while offering customers documentation on the accuracy of the security claims we make about our products.
As we strive to meet and exceed industry security standards, we are also constantly innovating in a relentless pursuit of new ways to safeguard our products and our users’ privacy. Here we highlight two groundbreaking technologies built by ExpressVPN.
Lightway: Our protocol offering a superior VPN experience
Lightway is a VPN protocol built by ExpressVPN. A VPN protocol is the method by which a device connects to a VPN server. Most providers use the same off-the-shelf protocols, but we set out to create one with superior performance, making users’ VPN experience not only speedier and more reliable, but also more secure.
Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard.
Lightway also preserves perfect forward secrecy, with dynamic encryption keys that are regularly purged and regenerated.
The core library of Lightway has been open-sourced, ensuring that it can be transparently and widely assessed for security.
Learn more about Lightway, and read our dev blog for technical insights from ExpressVPN software developers on how Lightway works and what makes it better than the rest.
TrustedServer: All data wiped with every reboot
TrustedServer is VPN server technology we created that delivers greater security to our users.
It runs only on volatile memory, or RAM. The operating system and apps never write to hard drives, which retain all data until they are erased or written over. Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again—stopping both data and potential intruders from persisting on the machine.
It increases consistency. With TrustedServer, every one of ExpressVPN’s servers runs the most up-to-date software, rather than each server receiving an update at different times as needed. That means ExpressVPN knows exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.
TrustedServer technology has been audited by PwC.
Want a more detailed look at the many ways TrustedServer protects users? Read our deep dive into the tech, written by the engineer who designed the system.
Independent security audits
We’re committed to commissioning in-depth third-party audits of our products with great frequency. Here is a comprehensive list of our external audits, ordered chronologically:
The second audit of our VPN protocol Lightway by Cure53 (November 2022)
An audit by Cure53 of the ExpressVPN Keys browser extension (October 2022)
An audit by Cure53 of the ExpressVPN browser extension (October 2022)
An audit by KPMG of our no-logs policy (September 2022)
A security audit by Cure53 of our app for iOS (September 2022)
A security audit by Cure53 of our app for Android (August 2022)
An audit by Cure53 of our Linux app (August 2022)
An audit by Cure53 of our macOS app (July 2022)
A security audit by Cure53 of our Aircove router (July 2022)
A security audit by Cure53 of TrustedServer, our in-house VPN server technology (May 2022)
An audit by F-Secure of our Windows v12 app (April 2022)
A security audit by F-Secure of our Windows v10 app (March 2022)
A security audit by Cure53 of our VPN protocol Lightway (August 2021)
An audit by PwC Switzerland on our build verification process (June 2020)
A security audit by Cure53 of our browser extension (November 2018)
Through our bug bounty program, we invite security researchers to test our systems and receive financial rewards for any problems they find. This program gives us access to a large number of testers who regularly assess our infrastructure and applications for security issues. These findings are then validated and remediated, ensuring our products are as secure as possible.
The scope of our program includes vulnerabilities in our VPN servers, our apps and browser extensions, our website, and more. To individuals who report bugs, we provide full safe harbor conforming to global best practices in the security-research space.
Our bug bounty program is managed by Bugcrowd.
While we set rigorous standards for ourselves, we also believe that our work of building a more private and secure internet can’t stop there—that’s why we collaborate with the entire VPN industry to raise standards and better protect users.
We co-founded and chair the VPN Trust Initiative (VTI) together with the Internet Infrastructure Coalition (i2Coalition) and several other major industry players. In addition to its ongoing awareness and advocacy work, the group has launched the VTI Principles—shared guidelines for responsible VPN providers in the areas of security, privacy, transparency, and more. This builds on ExpressVPN’s previous transparency initiative work in partnership with the Center for Democracy and Technology.
Some of the innovations we've pioneered have helped to drive the VPN industry forward. We were the first to create TrustedServer, and others have since followed our lead to roll out similar technology. Lightway is another example of technology that we've built from the ground up, and we hope that by open-sourcing it, it will have an influence on the VPN industry as a whole.
Notable privacy initiatives
Find out more about how we protect our users’ privacy.
ExpressVPN has become one of the few VPN apps to be certified by the ioXt Alliance for security standards, empowering consumers to use our services with greater confidence.
In-app privacy features
We have introduced a feature on our app for Android called Protection Summary, which helps users protect their privacy with practical guidelines.
Digital Security Lab
We launched the Digital Security Lab to delve deep into real-world privacy issues. See its leak-testing tools, which help to validate the security of your VPN.