
ExpressVPN’s external auditors confirm no-logs policy as of February


“ExpressVPN never keeps data that could tie you to any online activity,” the VPN provider claims on its website. An independent audit from late February supports those claims. Accounting firm KPMG found “reasonable assurance” that the VPN provider’s system prevents the logging of user activity. The product is one of Engadget’s top VPN picks.

The firm’s audit put ExpressVPN’s TrustedServer system under a microscope. That’s the company’s RAM-based system. In theory, this approach means user data is wiped with every server reboot. (Doing so would prevent even the possibility of long-term storage.) Some competitors, including NordVPN, also use RAM-based servers. Meanwhile, ProtonVPN counters that properly encrypted hard drives are just as secure.

Another counter-argument to RAM-based servers is that they’re only effective if they’re rebooted. In theory, a company could run RAM servers for marketing purposes, but then never restart them. That’s where audits can help.

KPMG has a high level of confidence that the no-logging system functioned as advertised in late February. “Controls provide reasonable assurance that the ExpressVPN TrustedServer does not collect logs of users’ activity,” KPMG’s paper reads. That included “no logging of browsing history, traffic destination, data content, DNS queries or specific connection logs.”

KPMG’s assessment was an ISAE 3000 Type I audit. That means it focused on ExpressVPN’s control design and implementation at a specific point in time. (Meanwhile, a Type II audit would have gone further, testing the effectiveness of those controls over an extended period.) If you aren’t familiar, KPMG is one of the Big Four accounting firms. It’s a trusted name, and corporations shell out big bucks to it for audits like this.

The assessment looked at several factors. These included documentation reviews, observing the system at work and interviewing ExpressVPN personnel. The audit’s conclusion applies “as of February 28, 2025.” So, it represents KPMG’s conclusions for a specific point in time rather than a blanket statement of permanent trust. The assessment also didn’t include stress-testing the entire system or a full-fledged security analysis of the company.

You can read KPMG’s full paper for a more detailed breakdown.



Published by
sunrisebrief
