Is ExpressVPN Safe?
The 2026 Security Audit
Everyone asks about ExpressVPN's price, but fewer people ask about the infrastructure. You are paying for TrustedServer, audited no-logs controls, Lightway, custom WireGuard, and BVI jurisdiction. The question is not just whether it works, but whether the privacy claims hold up when the system is tested. Here is what we found.
The Short Answer
Is it safe? Yes, for most privacy-focused users.
As of 14th May 2026, ExpressVPN still ranks as a high-assurance mainstream VPN. It has a long audit history, a RAM-only TrustedServer design, private DNS, post-quantum protection through ML-KEM, and a clear no-logs position. It is not a perfect choice for every threat model, but its privacy claims are better tested than most consumer VPNs.
The biggest updates since the earlier version of this page are that ExpressVPN now offers a custom WireGuard implementation alongside Lightway, older ExpressVPN app versions were retired after 31st March 2026, and the Windows split-tunnelling issue should be described as a resolved DNS protection issue rather than a general IP leak.
Owned by Kape since 2021, ExpressVPN continues publishing audits and security updates post-acquisition. They say they do not store activity logs or connection logs, although they do collect limited operational data needed for support and service reliability.
(Note: If you are looking for details on speed, streaming performance, and ease of use, you should check our full ExpressVPN review instead.)
The Turkey Incident
The Ultimate Stress Test
Theoretical safety is one thing; practical reality is another. In December 2016, following the assassination of the Russian Ambassador to Turkey, Andrey Karlov, Turkish authorities seized an ExpressVPN server they believed held evidence deleted by the suspect.
Investigators found no useful data on the server. Because of ExpressVPN's architecture, there were no connection logs or activity history to recover. This event served as a real-world validation of their no-logs policy: when the hardware was physically seized and forensically analysed, the data simply was not there.
The No-Logs Policy
ExpressVPN's logging policy is strict but practical. They say they do not collect activity logs or connection logs, including browsing history, traffic destination, DNS queries, source IP address, assigned VPN IP address, connection timestamp, or session duration.
What They Keep
ExpressVPN collects limited operational information, such as which apps and app versions are activated, the dates you connect, the VPN location used, the source country or ISP, and the total amount of data transferred. They say this cannot identify a specific user's browsing activity because it excludes timestamps, source IP addresses, destination data, and assigned VPN IP addresses.
Technical Security
| Feature | Implementation | Details |
| --- | --- | --- |
| Protocols | Lightway and Custom WireGuard | Lightway remains the default proprietary protocol. ExpressVPN now also offers a custom WireGuard implementation on major platforms, with ML-KEM post-quantum handshakes and privacy changes beyond base WireGuard. |
| Post-Quantum | ML-KEM | ML-KEM is the NIST-standardised key encapsulation mechanism used to reduce "harvest now, decrypt later" risk from future quantum-capable attackers. |
| Server Type | TrustedServer (RAM-Only) | Servers run on volatile memory rather than persistent hard drives. If power is pulled or the server reboots, operational data is wiped. |
| Encryption | AES-256-GCM / ChaCha20-Poly1305 | Uses modern authenticated encryption, with protocol and device context determining which cipher is used. |
| Extras | Advanced Protection | Can block malicious sites, intrusive display ads, trackers, and adult content, although feature availability depends on plan, device, and whether the VPN is connected. |
Lightway, WireGuard and Post-Quantum Protection
Lightway is ExpressVPN's proprietary protocol, designed for fast connection times, mobile reliability, and simple auditing. In 2025 ExpressVPN moved Lightway into Rust and published additional audit work by Cure53 and Praetorian.
The older wording that treated Lightway as the only answer to WireGuard is now out of date. ExpressVPN now also offers a custom WireGuard implementation for iOS, Android, Windows, macOS, and Linux. Their version adds ML-KEM, ephemeral credentials, dynamic IP assignment, short-lived access tokens, and TrustedServer provisioning to address the privacy gaps of base WireGuard.
Current Caveats
Resolved Issue: Windows Split-Tunnelling DNS Leak
The previous version of this page called this a 2025 Windows IP leak. That wording was too broad. ExpressVPN disclosed that Windows app versions 12.23.1 to 12.72.0 could leave some DNS requests unprotected when split tunnelling was used in specific configurations. Version 12.73.0 temporarily removed split tunnelling, and version 12.74.0 restored it after the fix. ExpressVPN says VPN encryption was not affected.
Practical advice: update the Windows app, avoid legacy builds, and retest DNS leaks after changing split-tunnelling rules.
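As an added example (not ExpressVPN's code or tooling), this Python script triages a software inventory against the Windows version boundaries given above, comparing versions numerically so that a build such as 12.101.0 is not mistaken for an old one. The CSV column names, host names and sample builds are constructed for illustration.

```python
import csv
import io
# Windows app version boundaries as stated on this page.
FIRST_AFFECTED, LAST_AFFECTED = (12, 23, 1), (12, 72, 0)
SPLIT_TUNNEL_REMOVED, FIRST_FIXED = (12, 73, 0), (12, 74, 0)

def parse_version(text):
    """Return (major, minor, patch), or None for anything that is not N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Place a Windows client version on the disclosure timeline."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    if v < FIRST_AFFECTED:
        return "before-range"
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    # 12.73.0 shipped without split tunnelling; the page lists no other build here.
    return "split-tunnel-removed" if v == SPLIT_TUNNEL_REMOVED else "unlisted"

def triage(inventory_csv):
    """Return (host, status, action) rows, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(rec["version"])
        split_on = rec["split_tunnel"].strip().lower() == "on"
        if status == "fixed":
            rank, action = (2, "retest DNS after rule changes") if split_on else (3, "none")
        else:  # not confirmed fixed: update; hosts that were exposed go first
            exposed = status == "affected" and split_on
            rank, action = (0, "update, then retest DNS") if exposed else (1, "update")
        rows.append((rank, rec["host"], status, action))
    return [(host, status, action) for _, host, status, action in sorted(rows)]

# Constructed sample inventory: hypothetical hosts, column names and builds.
SAMPLE = """host,version,split_tunnel
wks-01,12.74.0,on
wks-02,12.50.2,on
wks-03,12.73.0,off
wks-04,12.101.0,off
wks-05,12.9,on
"""
```

Calling `triage(SAMPLE)` lists the host that ran an affected build with split tunnelling enabled first, followed by the remaining hosts that still need an update.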
Legacy App Cut-Off
ExpressVPN retired older app versions after 31st March 2026. That matters for safety because old clients may no longer connect to VPN servers or receive the latest protocol and certificate updates. Users should run current app versions before relying on ExpressVPN for travel, public Wi-Fi, or restrictive networks.
Advanced Protection Is Not a Full Antivirus
Advanced Protection is useful for blocking some trackers, malicious domains, intrusive ads, and adult sites, but it is still a DNS and blocklist-based layer. It does not replace endpoint security software, browser hardening, good update hygiene, or phishing awareness.
British Virgin Islands
A Privacy-Friendly Jurisdiction
ExpressVPN is incorporated in the British Virgin Islands (BVI). While the BVI is a British Overseas Territory, it is autonomous in its internal affairs and has a distinct legal system.
The BVI has no mandatory VPN data retention law and is not a member of the 14 Eyes intelligence-sharing alliance. In practice, foreign court orders are not automatically enforceable without local legal process, and a provider cannot be compelled to produce records that do not exist.
Audit History
ExpressVPN has one of the most extensive audit histories in the consumer VPN industry. The latest directly relevant VPN privacy audit is the June 2025 KPMG assessment of ExpressVPN's privacy commitments, TrustedServer controls, and no-logs claims. ExpressVPN's wider Trust Centre also lists newer 2026 audits for other products, but those are less central to this VPN safety assessment.
- 2025 (June): Third KPMG security audit of ExpressVPN's privacy commitments, including TrustedServer and privacy policy claims.
- 2024 (Nov): Second Cure53 security audit of Aircove routers, completed in November 2024 with fixes reviewed in February 2025.
- 2024 (Oct): Fourth Cure53 audit of the Lightway protocol.
- 2024 (Sept): Third Praetorian audit of the Lightway protocol.
- 2024 (June): Second Cure53 audit of the ExpressVPN browser extension.
- 2024 (April): Windows app audit to confirm remediation of the DNS issue related to split tunnelling.
- 2023 (Dec): KPMG assessment of ExpressVPN's privacy policy claims.
- 2022: Multiple app, TrustedServer, Lightway, and no-logs audits by KPMG, Cure53, and F-Secure.
ExpressVPN publishes many of these reports for subscribers or the public to review, which is a stronger transparency position than simply claiming not to log data.
FAQs
Is ExpressVPN owned by Kape?
Yes, Kape Technologies acquired ExpressVPN in 2021. While Kape has a controversial history due to previous ad-tech ventures under the name Crossrider, ExpressVPN has continued to publish independent audits by KPMG, Cure53, Praetorian, and others after the acquisition. Those audits are the main reason the service still scores highly here.
Does ExpressVPN keep logs?
ExpressVPN says it does not keep activity logs or connection logs. In practical terms, that means no browsing history, traffic destination, DNS queries, source IP address, assigned VPN IP address, connection timestamp, or session duration. It does keep limited operational data such as app versions activated, connection dates, VPN location, source country or ISP, and total data transferred.
Is Lightway better than WireGuard?
Not automatically. Lightway is still ExpressVPN's proprietary default protocol and is strong for fast reconnection and mobile reliability. However, ExpressVPN now also offers a custom WireGuard implementation on major apps, adding ML-KEM post-quantum handshakes, ephemeral credentials, dynamic IPs, short-lived access tokens, and RAM-only TrustedServer provisioning. Both are privacy-focused options.
What was the Windows split-tunnelling DNS issue?
Some Windows versions could leave certain DNS requests unprotected when split tunnelling was enabled in specific configurations. ExpressVPN temporarily removed split tunnelling in version 12.73.0 and restored it from version 12.74.0 after fixes. This was a DNS issue rather than a general IP leak, but it is still a reminder to keep VPN apps updated.
Does it work in China?
China connectivity is volatile. ExpressVPN is often used for restrictive networks, but outages happen and you should install and update the app before arrival. Be prepared for intermittent access during government crackdowns or network disruption periods.
Is there a free trial?
Yes, but with conditions. ExpressVPN offers a 3-day mobile free trial on iOS and Android in many cases. It also offers a 30-day money-back guarantee for eligible first-time users who buy directly or through Google Play. iOS App Store purchases are handled by Apple, so refund terms may differ.
ECH'S TAKEAWAY
ExpressVPN is still the "boring" choice, and in security, boring can be good. It has RAM-only infrastructure, a tested no-logs story, frequent audits, and now two modern protocol paths: Lightway and custom WireGuard. The Kape ownership still raises eyebrows for some, but repeated third-party verification is the antidote to that scepticism.
BY MARTIN NEEDS
Director at Needsec LTD; Cybersecurity Expert; 10+ Years Experience
"ExpressVPN's TrustedServer implementation is impressive. Running strictly on RAM removes the most common risk vector in physical server seizures. Combined with Lightway, custom WireGuard, and ML-KEM post-quantum protection, the platform now prioritises data sovereignty without sacrificing usability."