Independent audit experts PricewaterhouseCoopers (PwC) have audited ExpressVPN’s servers to confirm compliance with privacy policy and privacy protections, and also evaluated the company’s TrustedServer technology. Audits that are carried out by independent third parties have the value of confirming what the company’s claims, or debunking them if they are invalid. This is why ExpressVPN is ordering audits like this one, as they have done again in the recent past with Cure53 who audited their browser extension. Security claims are easy to make, but customers should only accept them after they have been put to the test by an independent entity.
For VPN (Virtual Private Network) service providers, it all starts in their codebase, who can access their servers, and what they are allowed to change in there. This was the focus of this audit, which was conducted under the International Standard on Assurance Engagements (ISAE) 3000. To perform the examination, ExpressVPN gave PwC extensive access to their team and system information for a full month, while they took part in interviews and openly shared all system management and data handling and logging activities in the company.
According to the TrustedServer architecture, the servers run in RAM only, and the bootloader on the server hardware boots directly into a read-only ISO image file (Debian Linux) that is digitally signed by Express VPN. There can be no booting without a valid signature, no files written to system locations, and no ISO content modifications. This, as well as the claim that no PII or IP addresses ever leave the contained environment, was checked and confirmed by PwC. As for the codebase changes and deployment, it was affirmed that there can be no changes pushed directly in the master branch, so there can be no unchecked and unapproved code changes on the servers.
ExpressVPN is consistently scoring high in our reviews, and this latest news is only strengthening our position on promoting the product as a trustworthy privacy protecting solution. Other VPN vendors who have had their products audited in the past is TunnelBear, NordVPN, and more, but in this latest case of the ExpressVPN it is the first time that we see an auditor go beyond just testing the privacy policy compliance, validating key security technologies that are unique to the product such as the TrustedServer architecture. That said, this is one of the most complete and extensive audits we have seen in the industry so far.
Have something to say on the above? Feel free to leave your comments down below, or join the discussion on our socials, on Facebook and Twitter.