SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
ExpressVPN hits 27 audits as privacy tools pass checks

Fri, 29th May 2026
Sean Mitchell, Publisher

ExpressVPN has completed 27 independent security audits, with the latest covering its ExpressMailGuard and Identity Defender privacy tools.

It said that total is higher than any disclosed by another VPN provider. Cybersecurity firm Cure53 carried out the two most recent assessments.

Cure53 reviewed the source code and infrastructure behind both products. Its audit of ExpressMailGuard examined the email relay layer, which lets users create unlimited anonymous email aliases linked to their main inbox.

According to ExpressVPN, Cure53 confirmed that the tool removes identifying metadata from emails, routes messages through aliases and deletes delivered messages from ExpressVPN servers. The relay is therefore not designed to retain communication archives or build profiles based on users' email activity.

Identity Defender was also examined because it handles sensitive personal data. Available as a standalone app for users in the United States, it monitors public records, home and auto titles, court records, changes to financial records that may indicate fraud and dark web data for signs of identity theft.

ExpressVPN said Cure53 tested Identity Defender's backend systems and found that personally identifiable information remained isolated from unauthorised access. The service also includes a data-removal tool designed to scrub personal information from data-broker sites on an ongoing basis.

Audit record

ExpressVPN said it began publishing independent audit findings in 2018 and has since expanded the practice across major parts of its business. Reviews have covered VPN protocols, its no-logs policy, an AI assistant and newer privacy products beyond its core consumer VPN service.

Founded in 2009, the company has broadened its product range in recent years. Alongside its VPN app, it now offers a password manager, an identity protection app, an email privacy product and an AI platform, as well as services aimed at businesses and travellers.

That broader portfolio reflects a wider shift among privacy companies seeking revenue beyond traditional VPN subscriptions. In that context, independent audits have become a way for providers to demonstrate external scrutiny of technical claims about handling sensitive user data.

Audit disclosures have taken on greater significance as providers market tools that process emails, passwords, identity records and AI interactions. Such products can raise tougher questions about data retention, access controls and whether internal architecture limits what the provider itself can see.

ExpressVPN is owned by Kape Technologies, which acquired the business in 2021. Kape has built a group of digital privacy brands through acquisitions, and scrutiny of those businesses has often focused on trust, transparency and the extent of independent verification.

Aaron Engel, Chief Security Officer at ExpressVPN, said the company treats external testing as a core part of product development. "Security audits are not a checkbox exercise for us. Every product we build that touches user data gets handed to independent researchers whose job is to break it. Twenty-seven audits later, we remain committed to the same standard: trust must be earned, not assumed," Engel said.

Privacy tools

ExpressMailGuard addresses a common privacy concern tied to signing up for online services, where a single personal email address can become a persistent identifier across multiple platforms. Alias-based tools aim to reduce that link by inserting a relay address between the user and the service.

The technical detail matters because email relays can themselves become a source of sensitive records if they retain metadata or message histories. ExpressVPN said the Cure53 review focused on whether the architecture prevented that outcome by removing identifying information and deleting messages after delivery.

Identity protection services present a different challenge because they often need access to a wide range of records to detect signs of fraud. In this case, ExpressVPN said the audit centred on whether sensitive personal information used by the monitoring system was kept separate and shielded from unauthorised access.

ExpressVPN said its full set of audit reports and certifications is publicly available through its trust materials. It said the latest milestone reflects its approach of submitting products that handle user data to outside review rather than relying on internal assurances alone.