ExpressVPN Trust Center

ExpressVPN is, first and foremost, a privacy company. Our users trust us to protect their privacy with an industry-leading combination of hardware, software, and human ingenuity. Here is a look at how we work to earn that trust.

Security at ExpressVPN: Our 4 key strategies

Learn how we do cybersecurity to keep our systems and users protected.

1. Make systems difficult to compromise

The front line in our defenses is making our systems secure. We employ many different techniques to ensure that it’s difficult to break into any of them, from using an independently assured build verification system to hardware security devices and cutting-edge encryption.

  • Build verification system
  • Hardware security devices
  • Code review
  • Hardened secure shell (SSH)
  • Rapid patching

2. Minimize potential damages

Despite our efforts, it is still possible that a motivated attacker may break through our defenses. We address this risk by applying guardrails to minimize the attacker’s potential damage from their initial foothold.

  • Embracing zero trust
  • Employing zero-knowledge encryption
  • Secure design
  • Principle of least privilege

3. Minimize the time of compromise

Not only should the severity of the damage be minimized, but our processes also help to limit the duration of compromise and the amount of time that attackers can stay lurking.

  • Security monitoring
  • Automatic rebuilds

4. Validate our security controls

All of our software and services are rigorously tested to ensure they work as intended and meet the high standards of privacy and security that we promise to our customers.

  • Internal validation: Penetration tests
  • External validation: Security audits by third parties

Innovation

As we strive to meet and exceed industry security standards, we are also constantly innovating in a relentless pursuit of new ways to safeguard our products and our users’ privacy. Here we highlight two groundbreaking technologies built by ExpressVPN.

Lightway: Our protocol offering a superior VPN experience

Lightway is a VPN protocol built by ExpressVPN. A VPN protocol is the method by which a device connects to a VPN server. Most providers use the same off-the-shelf protocols, but we set out to create one with superior performance, making users’ VPN experience not only speedier and more reliable, but also more secure.

  • Lightway uses wolfSSL, whose well-established cryptography library has been extensively vetted by third parties, including against the FIPS 140-2 standard.

  • Lightway also preserves perfect forward secrecy, with dynamic encryption keys that are regularly purged and regenerated.

  • The core library of Lightway has been open-sourced, ensuring that it can be transparently and widely assessed for security.

  • Lightway includes post-quantum support, protecting users against attackers with access to both classical and quantum computers. ExpressVPN is one of the first VPN providers to deploy post-quantum protection, helping users remain secure in the face of quantum computing advancements.

Learn more about Lightway, and read our dev blog for technical insights from ExpressVPN software developers on how Lightway works and what makes it better than the rest.

TrustedServer: All data wiped with every reboot

TrustedServer is VPN server technology we created that delivers greater security to our users.

  • It runs only on volatile memory, or RAM. The operating system and apps never write to hard drives, which retain all data until they are erased or written over. Since RAM requires power to store data, all information on a server is wiped every time it is powered off and on again—stopping both data and potential intruders from persisting on the machine.

  • It increases consistency. With TrustedServer, every one of ExpressVPN’s servers runs the most up-to-date software, rather than each server receiving an update at different times as needed. That means ExpressVPN knows exactly what’s running on each and every server—minimizing the risk of vulnerabilities or misconfiguration and dramatically improving VPN security.

  • TrustedServer technology has been audited by PwC.

Want a more detailed look at the many ways TrustedServer protects users? Read our deep dive into the tech, written by the engineer who designed the system.

Bug bounty

Through our bug bounty program, we invite security researchers to test our systems and receive financial rewards for any problems they find. This program gives us access to a large number of testers who regularly assess our infrastructure and applications for security issues. These findings are then validated and remediated, ensuring our products are as secure as possible.

The scope of our program includes vulnerabilities in our VPN servers, our apps and browser extensions, our website, and more. To individuals who report bugs, we provide full safe harbor conforming to global best practices in the security-research space.

Our bug bounty program is managed by Bugcrowd. Follow this link to find out more or report a bug.

Industry leadership

While we set rigorous standards for ourselves, we also believe that our work of building a more private and secure internet can’t stop there—that’s why we collaborate with the entire VPN industry to raise standards and better protect users.

We co-founded and chair the VPN Trust Initiative (VTI) together with the Internet Infrastructure Coalition (i2Coalition) and several other major industry players. In addition to its ongoing awareness and advocacy work, the group has launched the VTI Principles—shared guidelines for responsible VPN providers in the areas of security, privacy, transparency, and more. This builds on ExpressVPN’s previous transparency initiative work in partnership with the Center for Democracy and Technology.

Some of the innovations we've pioneered have helped to drive the VPN industry forward. We were the first to create TrustedServer, and others have since followed our lead to roll out similar technology. Lightway is another example of technology that we've built from the ground up, and we hope that by open-sourcing it, it will have an influence on the VPN industry as a whole.

Notable privacy initiatives

Find out more about how we protect our users’ privacy.

ioXt certified

ExpressVPN has become one of the few VPN apps to be certified by the ioXt Alliance for security standards, empowering consumers to use our services with greater confidence.

In-app privacy features

We have introduced a feature on our app for Android called Protection Summary, which helps users protect their privacy with practical guidelines.

Digital Security Lab

We launched the Digital Security Lab to delve deep into real-world privacy issues. See its leak-testing tools, which help to validate the security of your VPN.