Is ExpressVPN Safe?
The 2026 Security Audit
Everyone asks about ExpressVPN's price, but few ask about the infrastructure. You are paying for the "TrustedServer" technology and the BVI jurisdiction. The question is not if it works, but if the privacy claims hold up to a real forensic audit. Here is what we found.
The Short Answer
Is it safe? Yes.
ExpressVPN is among the most audited mainstream VPNs, with a strong track record of third-party testing. Their proprietary Lightway protocol adds ML-KEM for post-quantum key exchange to reduce ‘store now, decrypt later’ risk. Their "TrustedServer" technology ensures that all data is wiped from RAM every time a server reboots.
Owned by Kape since 2021; ExpressVPN continues publishing audits and security updates post-acquisition. They say they don’t store IPs or timestamps that tie activity to a person, but they do collect limited daily connection/transfer diagnostics.
(Note: If you are looking for details on speed, streaming performance, and ease of use, you should check our full ExpressVPN review instead.)
The Turkey Incident
The Ultimate Stress Test
Theoretical safety is one thing; practical reality is another. In December 2016, following the assassination of the Russian Ambassador to Turkey, Andrey Karlov, Turkish authorities seized an ExpressVPN server they believed held evidence deleted by the suspect.
Investigators found absolutely no useful data on the server. Because of ExpressVPN's architecture, there were no connection logs or activity history to recover. This event served as a real-world validation of their no-logs policy: when the hardware was physically seized and forensically analysed, the data simply was not there.
The No-Logs Policy
ExpressVPN's logging policy is strict but practical. They do not log traffic, DNS requests, or IP addresses. They do retain minimal non-identifying information for troubleshooting.
What They Keep
ExpressVPN collects the date (not time) of the connection, choice of server location, and total amount of data transferred per day. They explicitly state they do not know who accessed which website or service. This minimal retention helps them troubleshoot server load but cannot pinpoint an individual user's activity to a specific timestamp.
Technical Security
| Protocol | Lightway (ML-KEM Post-Quantum) | Includes NIST-approved post-quantum encryption by default to future-proof data against quantum computer attacks. |
| Server Type | TrustedServer (RAM-Only) | Servers run entirely on volatile memory (RAM). No data is ever written to a hard drive. If power is pulled, data vanishes instantly. |
| Encryption | AES-256-GCM / ChaCha20 | Uses government-standard AES-256 encryption. If your device supports it, Lightway automatically uses ChaCha20/Poly1305 for better performance on mobile. |
| Extras | Advanced Protection | Includes a built-in blocker for malicious sites, trackers, and intrusive ads at the DNS level. |
Lightway & Post-Quantum
Lightway is ExpressVPN's answer to WireGuard. It is designed to drop connections less often when switching networks (like moving from Wi-Fi to 4G). Crucially, ExpressVPN has implemented post-quantum protection (using ML-KEM) to future-proof your data against "store now, decrypt later" attacks by quantum computers.
Known Issue: Windows IP Leak (2025)
In early 2025, a bug was discovered in the Windows client that could potentially leak IP addresses under specific split-tunneling configurations. ExpressVPN patched this issue quickly, but it serves as a reminder to keep your client updated.
British Virgin Islands
A Privacy Haven
ExpressVPN is incorporated in the British Virgin Islands (BVI). While the BVI is a British Overseas Territory, it is autonomous in its internal affairs and has a distinct legal system.
The BVI has no data retention laws and is not a member of the 14 Eyes intelligence-sharing alliance. This means BVI companies cannot be compelled to produce records that they do not possess, and foreign court orders are not automatically enforceable there without a BVI court order.
Audit History
ExpressVPN has one of the most extensive audit logs in the industry. They regularly engage big-four firms and boutique security labs to verify their claims.
- 2025 (Oct): Lightway protocol security assessment by Cure53.
- 2025 (June): Third full no-logs policy and TrustedServer audit by KPMG.
- 2024 (Nov): Aircove router security audit by Cure53.
- 2023: Full no-logs policy audit by KPMG (confirmed no activity logs were stored).
- 2022: Windows app penetration test by F-Secure.
ExpressVPN publishes these reports in full for subscribers to read, maintaining a high level of transparency regarding their security posture.
FAQs
Is ExpressVPN owned by Kape?
Yes, Kape Technologies acquired ExpressVPN in 2021. While Kape has a controversial history due to previous ad-tech ventures (under the name Crossrider), ExpressVPN has operated independently since the buyout. They have submitted to multiple independent audits by KPMG and Cure53 post-acquisition to prove their infrastructure remains secure and untouched by corporate interference.
Does it work in China?
China connectivity is volatile; ExpressVPN is often recommended, but outages happen and you should install before arrival. Their obfuscation technology is automatic, but be prepared for intermittent access during government crackdowns.
Is there a free trial?
ExpressVPN does not offer a traditional free trial where you do not pay upfront. However, they offer a 30-day money-back guarantee. You must pay for the subscription first, but you can claim a full refund within 30 days if you are not satisfied, with no questions asked.
