"ExpressVPN never retains information that might tie you to any online activity," the VPN provider claims on its website. An independent audit from late February supports these claims. Accounting firm KPMG found "reasonable assurance" that the VPN provider's system prevents the logging of user activity. The product is one of Engadget's top VPN picks.
RAM-based VPN servers
The firm's audit put ExpressVPN's TrustedServer system under a microscope. That's the company's RAM-based system. In theory, this approach means user data is wiped with every server reboot. (Doing so would prevent even the possibility of long-term storage.) Some competitors, including NordVPN, also use RAM-based servers. Meanwhile, ProtonVPN counters that properly encrypted hard drives are just as secure.
Another counter-argument to RAM-based servers is that they're only effective if they're rebooted. In theory, a company could run RAM servers for marketing purposes, but then never restart them. That's where audits can help.
KPMG's findings
KPMG has a high level of confidence that the no-logging system functioned as advertised in late February. "Controls provide reasonable assurance that the ExpressVPN TrustedServer does not collect logs of users' activity," KPMG's report reads. That included "no logging of browsing history, traffic destination, data content, DNS queries or specific connection logs."
KPMG's assessment was an ISAE 3000 Type I audit. That means it focused on ExpressVPN's control design and implementation at a specific point in time. (Meanwhile, a Type II audit would have gone further, testing the effectiveness of those controls over an extended period.) If you aren't familiar, KPMG is one of the Big Four accounting firms. It's a trusted name that businesses shell out big bucks to for audits like this.
The assessment looked at several factors. These included documentation reviews, observing the system at work and interviewing ExpressVPN personnel. The audit's conclusion applies "as of February 28, 2025." So, it represents KPMG's conclusions for a specific point in time rather than a blanket statement of permanent trust. The assessment also didn't include stress-testing the entire system or a full-fledged security assessment of the company.
You can read KPMG's full report for a more detailed breakdown.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/vpn/expressvpns-external-auditors-confirm-no-logs-policy-as-of-february-171957335.html?src=rss