Key Takeaways: Is ExpressVPN a No-Log VPN?

• ExpressVPN claims not to keep logs of user activity, though it’s natural to question the claim. ExpressVPN has been through many audits that prove it adheres to its privacy policy. 
• Thanks to TrustedServer, ExpressVPN has no logs to hand to governments even if they demand the data.
• ExpressVPN’s British Virgin Islands location provides it with legal standing to ignore most requests for user surveillance.

ExpressVPN is highly acclaimed as a premium VPN provider, having passed a number of audits from independent parties. The company claims it doesn’t keep traffic logs, meaning your VPN traffic isn’t recorded for anyone to look through. However, it’s natural to question if this statement is true.

Our team at Cloudwards is confident that ExpressVPN doesn’t store logs that can be traced back to users. Even if servers are seized, there are no VPN logs for government officials to comb through. ExpressVPN’s commitment to privacy is one of the primary reasons we rank it as the best VPN.

Time's up

Why Do You Need a No-log VPN?

Some VPNs keep activity logs of everything a user does on the internet while connected to its VPN servers. Should authorities demand access to the servers containing that data, they can trace your online activity back to you. There are even providers that sell logs to brokers.

It’s possible for entities like governments and hackers to use the data in VPN logs for nefarious purposes, including cybercrime and surveillance. To reassure their users that this won’t happen, many premium VPN providers ensure their servers are cleared of logs through automated processes.

By using a no-logs VPN, you can avoid government surveillance, ads, malware, trackers and attacks from hackers. A log-free VPN can also keep you safe when you’re connected to public WiFi networks, which are a breeding ground for cyber attacks.

What’s the Difference Between Activity and Connection Logs?

Before we go any further, let’s clarify the distinction between activity and connection logs. Activity logs refer to browsing history, such as what websites you visited, browsing session duration, original IP addresses and more. They contain personally identifiable information.

Connection logs include the VPN apps used, whether a connection was successful or not and the amount of transferred data. They have no personally identifiable information in them. 

When a VPN provider claims not to keep logs, it’s usually referring to activity logs. Because connection logs are anonymous, a provider can keep them without compromising the security of registered users.

VPN Logging: Does ExpressVPN Keep Any Logs?

ExpressVPN doesn’t keep any activity logs. Because it saves data on RAM instead of hard drives, the servers wipe all data when they reset, approximately once per week, including browsing history, DNS queries, data content, traffic destination and IP addresses.

ExpressVPN keeps connection logs to help manage its services. These logs contain usage statistics and diagnostic data, not personal data. The company will know if someone used ExpressVPN, what VPN server they connected to, the amount of data they transferred and the date they started a VPN connection. ExpressVPN uses this information to fix connection problems and to “provide country-specific advice” for using its service.

App diagnostic data is only collected if you opt to send it to ExpressVPN. This anonymized information includes crash reports, connection diagnostics and speed test data shared with some third parties. Depending on your platform of choice, entities like Sentry, Google Analytics and Firebase Crashlytics can access this data. This data helps ExpressVPN discover server problems, bugs in its apps or incompatibility with specific internet service providers.

ExpressVPN shares support logs with Zendesk and SnapEngage, which is now a part of TeamSupport. Support logs contain email addresses, anonymized device attributes and messages or emails.

ExpressVPN claims both Zendesk and TeamSupport use SSL encryption to prevent leaks and hacks. A look at TeamSupport’s privacy policy confirms this, but Zendesk only has the words “appropriate security procedures and technical and organizational measures” in its privacy notice.

The MediaStreamer Asterisk

People who use MediaStreamer, ExpressVPN’s DNS service for devices that don’t support VPN apps, must register their IP addresses. ExpressVPN stores these IP addresses for MediaStreamer use only, and it doesn’t collect IP addresses when you use the standard apps.

However, if you use MediaStreamer and the full ExpressVPN app on the same network, ExpressVPN is essentially storing your real IP address. Therefore, we discourage using MediaStreamer unless there’s no alternative. If you do use it, the safest way is to install ExpressVPN on your router, which will protect any device that connects through your WiFi.

While not exactly VPN logs, you’ll provide ExpressVPN with your passwords if you use ExpressVPN Keys, the included password manager. Fortunately, ExpressVPN stores passwords with zero-knowledge encryption, so the company doesn’t have any sort of access to them. You can delete and add passwords as you like, but ExpressVPN will never be able to see them.

Where Is The Headquarters of ExpressVPN?

ExpressVPN is headquartered in the British Virgin Islands, or BVI, a privacy haven that doesn’t have data retention laws. The small territory has some of the best privacy laws on the planet.

Of note is that the BVI government protects data by “dual criminality.” Any evidence can’t be extradited unless it’s a crime in both the origin country and the BVI, and online actions are less likely to be illegal in the BVI due to its strong privacy laws.

Thanks to this protection, foreign courts of law can’t request data unless the BVI Supreme Court requires it as evidence of criminal activity. ExpressVPN doesn’t store activity logs, and personal data provided to create an account is protected by BVI law.

ExpressVPN Privacy Policy

ExpressVPN’s privacy policy contains much of the information we covered above. The language is simple, with no confusing jargon that could be interpreted to justify malicious action.

Should I Be Skeptical of ExpressVPN’s No-logs Policy?

The privacy policy states that two third parties, KPMG and Cure53, have conducted audits separately on ExpressVPN’s VPN systems and server technology. In another blog post, ExpressVPN links to a full report by KPMG on its privacy policy. The findings conclude that ExpressVPN doesn’t keep activity logs.

In fact, even though ExpressVPN knows someone is accessing the service, they don’t know exactly who it is and at what precise moment it happens; the report states that all timestamps are 00:00:00. This and other criteria have convinced us that ExpressVPN is secure to use.

In 2019, Turkish authorities seized an ExpressVPN server in the country. They used it to try to find critical information about an accomplice of the assassin of Russian Ambassador Andrey Karlov. However, since none of ExpressVPN’s servers keep logs, the inspectors found nothing to help with their investigation.

As of 2023, ExpressVPN has commissioned 16 independent audits. Many of them were performed by Cure53, including a recent audit of the proprietary Lightway protocol. Other audits were conducted by KPMG, PrivatewaterhouseCoopers (PwC) and F-Secure. Users can read these audits online.

ExpressVPN Logs: What User Data Does ExpressVPN Keep?

Besides the connection logs, diagnostic data and IP addresses of MediaStreamer users, ExpressVPN keeps some personal information: email addresses, names, billing countries, billing addresses and credit card numbers used to pay for subscriptions. Paying through cryptocurrency, PayPal and UnionPay doesn’t require a credit card number.

ExpressVPN uses this information to provide you with “access to [their] Services, including through password reset emails.” This aligns with most VPN services available, though Mullvad (read our Mullvad review) stores no user information at all when you pay by cash or crypto.

ExpressVPN’s privacy policy states that no other entities — including its holding company Kape Technologies — will receive stored data for “any duration of time.” Only ExpressVPN and its subsidiaries have access to it except when it shares this information with others on a need-to-know basis. According to ExpressVPN, this rarely happens.

ExpressVPN TrustedServer Technology

ExpressVPN uses its TrustedServer technology to avoid accidental logging. All of your activity is written solely on RAM servers, which are cleared during weekly reboots, as seen in a deep look into TrustedServer technology. As an extra precaution, ExpressVPN reinstalls the software stack every time each server boots up.

If someone steals the server, they would have to shut down the device, which automatically wipes whatever is on it. Reinstalling the software also requires a hardware key. TrustedServer has been independently audited twice and proven to be effective.

The KMPG independent audit proves that TrustedServer technology is working as ExpressVPN intended. Cure53 also checked the source code and performed a security assessment on TrustedServer. While KPMG gave ExpressVPN a “clean bill of health,” Cure53 identified several flaws, though none that were considered critical or highly severe.

Cure53’s full independent audit is available to read. In a nutshell, there were four issues that could be solved without much trouble, and none that indicated ExpressVPN was saving activity logs.

Final Thoughts

Though ExpressVPN claims to keep no logs in a bid to further protect internet users’ online privacy, it’s natural to question whether or not it’s telling the truth. We looked at its privacy policy, results from third-party audits and real-world occurrences to determine if the company was honest.

Based on our observations, we can safely confirm that ExpressVPN does not keep any activity logs. It collects some data, including account information and anonymized analytics data, but cannot track your activities.

What do you think about ExpressVPN’s commitment to privacy? How was your experience using ExpressVPN? Let us know in the comments below. Thank you for reading.

FAQ: ExpressVPN No-Logs Policy

• Does ExpressVPN Keep Any Logs?

  ExpressVPN collects some browsing data that can’t be used to identify users, but it doesn’t keep activity logs that can be traced back to anyone.

• Does ExpressVPN Sell Your Data?

  ExpressVPN doesn’t sell your personal data to any third parties, as stated in its privacy policy.