On its website, ExpressVPN asserts that it does not retain any data that could be used to link a user to their online activity. That claim is backed by an independent audit conducted by the accounting firm KPMG in late February, which found "reasonable assurance" that ExpressVPN's system is designed to prevent logging of user activity. That finding is a key factor in its inclusion as one of Engadget's top VPN picks.
RAM-based VPN servers
KPMG's audit focused on ExpressVPN's TrustedServer system, which runs its servers entirely from RAM. In principle, everything such a server holds disappears whenever it is rebooted or loses power, so there is nowhere for user data to accumulate over the long term. Some of ExpressVPN's competitors, such as NordVPN, also run RAM-based servers. ProtonVPN, on the other hand, argues in a blog post that properly encrypted hard drives offer equivalent security.
One counterpoint is that a RAM-only server only discards data when it is actually rebooted; whatever it holds in memory is still there for as long as it runs. A provider that used RAM servers as a marketing point but never restarted them would get little of the benefit, and the hardware alone does nothing to stop a running server from forwarding logs to another machine. That is where an audit of the operating practice, not just the design, can add assurance.
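To make the two conditions concrete, here is a hypothetical host check written for this article. It is an added example, not ExpressVPN's TrustedServer code and not part of KPMG's audit procedure. Given the contents of a Linux host's /proc/mounts and its uptime, it reports whether anything writable is backed by a disk or a network share (somewhere logs could persist) and whether the host has been up longer than a reboot policy allows. The seven-day policy, the sample mount tables and the hostname logs.example.internal are all constructed for the example.

```python
"""Hypothetical 'RAM-only server' host check (example code, not a vendor's).

It encodes the two things the RAM-only argument depends on:
  1. no read-write mount is backed by a block device or a network share,
     so a process on the box has nowhere durable to write logs; and
  2. the host is rebooted often enough that what sits in RAM is short-lived.
The inputs are plain strings/numbers so the check runs offline on sample data.
"""
from dataclasses import dataclass, field

# Kernel pseudo-filesystems that never hold user data.
PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "devpts", "cgroup", "cgroup2",
             "mqueue", "debugfs", "securityfs", "bpf", "pstore", "efivarfs"}
# Network filesystems: writable ones persist data on another machine.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "9p", "fuse.sshfs"}
# Assumed reboot policy for the example: a week.
DEFAULT_MAX_UPTIME = 7 * 86400


@dataclass
class Verdict:
    ram_only: bool
    findings: list = field(default_factory=list)


def parse_mounts(mounts_text):
    """Parse /proc/mounts lines into (device, mountpoint, fstype, options)."""
    entries = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # ignore blank or malformed lines
        entries.append((parts[0], parts[1], parts[2], parts[3].split(",")))
    return entries


def assess(mounts_text, uptime_seconds, max_uptime_seconds=DEFAULT_MAX_UPTIME):
    """Return a Verdict; ram_only is True only if every writable mount is
    volatile (tmpfs, initramfs, ...) and uptime is within the reboot policy."""
    verdict = Verdict(ram_only=True)
    for dev, mnt, fstype, opts in parse_mounts(mounts_text):
        if fstype in PSEUDO_FS:
            continue
        writable = "rw" in opts
        block_backed = dev.startswith("/dev/")   # disk, partition, LVM, NVMe, loop
        if block_backed and writable:
            verdict.ram_only = False
            verdict.findings.append(f"writable disk-backed mount {mnt} ({dev}, {fstype})")
        elif block_backed:
            # A read-only image cannot hold logs, but an auditor should still
            # confirm it stays read-only, so record it without failing.
            verdict.findings.append(f"read-only disk-backed mount {mnt} ({dev}, {fstype})")
        elif fstype in NETWORK_FS and writable:
            verdict.ram_only = False
            verdict.findings.append(f"writable network mount {mnt} ({dev}, {fstype})")
    if uptime_seconds > max_uptime_seconds:
        verdict.ram_only = False
        verdict.findings.append(
            f"uptime {uptime_seconds // 86400} days exceeds reboot policy "
            f"of {max_uptime_seconds // 86400} days")
    return verdict


# Constructed sample /proc/mounts contents (not captured from any real host).
DISKLESS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
"""
DISK_BACKED = DISKLESS + "/dev/sda1 /var ext4 rw,relatime 0 0\n"
NETWORK_LOGS = DISKLESS + "logs.example.internal:/vpn /var/log nfs4 rw,relatime 0 0\n"

if __name__ == "__main__":
    for name, mounts, uptime in [("diskless, fresh", DISKLESS, 3600),
                                 ("diskless, stale", DISKLESS, 30 * 86400),
                                 ("disk-backed /var", DISK_BACKED, 3600),
                                 ("NFS log share", NETWORK_LOGS, 3600)]:
        v = assess(mounts, uptime)
        print(f"{name}: ram_only={v.ram_only} findings={v.findings}")
```

The point of the third and fourth samples is that a host can be "RAM-only" by marketing description and still have a durable place to write: a disk mounted for convenience, or a log share on another machine. A design-only statement does not catch either; only looking at the running hosts does.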
KPMG’s findings
KPMG's report expresses "reasonable assurance", the higher of the two assurance levels an ISAE 3000 engagement can give, that ExpressVPN's no-logging system functioned as advertised as of late February. The report states that "controls provide reasonable assurance that the ExpressVPN TrustedServer does not collect logs of users' activity," including "no logging of browsing history, traffic destination, data content, DNS queries, or specific connection logs."
KPMG's engagement was an ISAE 3000 Type I audit, which evaluates whether controls are suitably designed and implemented at a specific point in time. It does not test whether those controls operated effectively over a period; that is what a Type II engagement covers. As one of the Big Four accounting firms, KPMG is a trusted name in the industry, and its audits are highly regarded. The assessment involved reviewing documentation, observing the system in operation, and interviewing ExpressVPN personnel.
The conclusions are therefore a snapshot as of February 28, 2025, and say nothing about how the servers were operated before or after that date. The assessment also did not include stress-testing the entire system or a comprehensive security analysis of the company. For the full scope and method, read KPMG's report.