The sites, apps, and services we use every day are getting more and more data-hungry – just take a look at LinkedIn, for example, which was recently found quietly training AI with user information.
Naturally, nobody wants their personal details harvested and used without consent. It's why data privacy is such a big deal – and why I recommend relying on today's best VPNs to give you (and your data) a much-needed privacy boost. The big question, however, is whether these VPNs are trustworthy.
VPNs handle a lot of customer data, too, and the most reliable services undergo independent audits to prove that they're not doing anything unethical (or plain illegal) with it. ExpressVPN, in fact, has invited auditors to comb through its service and privacy policy a whopping 18 times.
Wondering why that matters or what happens during a VPN audit? I’ve got you covered – just keep reading.
What is a privacy audit?
Sites and services use your browsing data and personal information to tailor your experience – and some allow third-party tracking. This isn't ideal from a privacy perspective, seeing as your data gets passed around in ways that aren't always disclosed, and those third parties can build eerily accurate targeted ads from what you've purchased previously.
Unfortunately, every extra party holding a copy of your data is one more place it can leak from, and leaked data is exactly what fuels phishing scams and follow-on breaches for everyday internet users.
Given the value of personal data, and the fact that it can be weaponized by bad actors, any site or service that handles it should be scrutinized. How does it manage user data? How is it protecting the data?
The same goes for VPN services – and it's where VPN audits enter the picture.
An independent audit involves an unaffiliated third party examining a VPN's infrastructure, systems, and records. It's a way for the VPN to prove that it lives up to its privacy promises and, where the auditors do find vulnerabilities, to have them documented so users can see what was found and hold the provider to fixing it.
VPN audits typically come in two flavors:
- Security audits: these vary in scope – some focus on a single component, like a desktop or mobile app, while others cover the wider server infrastructure and software. Auditors hunt for vulnerabilities in the apps, their code, and the supporting systems that, if left unchecked, could put user privacy at risk.
- Privacy audits: these audits dig into a VPN's no-logs policy, privacy policy, and terms of service to ensure that the VPN is adhering to them. Auditors investigate how a VPN goes about collecting and handling data, how data is stored and used, and the types of data collected.
Any VPN audit takes a lot of time, effort, and resources – but it's well worth the investment.
Once the audit is complete, the auditing team writes up a report of their findings, which ultimately declares whether the VPN upholds the promises outlined in its various policies. One caveat worth knowing: a report describes the service as it was on the day it was examined (which is why ExpressVPN's findings are dated to a specific day), so regular re-audits matter as much as any single clean result. VPNs aren't required to publish these reports, but I always prefer when they do – transparency is key, after all.
ExpressVPN’s most recent audit
ExpressVPN is no stranger to the auditing game. Its most recent audit took place earlier in 2024 and, in May, the service announced that KPMG had completed its audit of the provider's privacy policy.
In the end, it was all good news – KPMG didn't uncover any issues or non-compliance regarding the ExpressVPN privacy policy, there was no unusual logging activity, and all systems were working as intended as of December 12, 2023.
The audit also confirmed that ExpressVPN's TrustedServer technology was working as intended, too.
TrustedServer was created from the ground up to boost ExpressVPN's overall data protection. The RAM-only design means that servers never write to a hard drive, removing the place where logs would normally accumulate, and that everything held in memory is wiped on every reboot. A reboot therefore also clears out any foothold an intruder may have gained on the machine, and no sensitive data is ever written to persistent storage – or, subsequently, made accessible to the VPN or third parties. What the design alone doesn't cover is how data is handled while the server is running, which is where the privacy-policy side of the audit comes in.
KPMG combed through the design and implementation of TrustedServer technology to confirm that it wasn't gobbling up user logs and storing them for later.
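To make the "never writes to the hard drive" claim concrete, here is an added example of the kind of check a reviewer would run on a supposedly RAM-only Linux host. This is illustrative code written for this article, not ExpressVPN's or KPMG's tooling, and it assumes the /proc/mounts format; the list of filesystem types treated as memory-backed or kernel pseudo-filesystems is my own assumption, and the two mount tables are constructed samples rather than captures from a real server.

```shell
#!/bin/sh
# Added example, not ExpressVPN's or KPMG's code: flag writable mounts that are
# backed by something other than memory in a /proc/mounts-style table. On a
# RAM-only server every writable filesystem should be tmpfs/ramfs or a kernel
# pseudo-filesystem; anything else is a place where logs could survive a reboot.

# Constructed sample of a compliant host (fields: device mountpoint fstype options dump pass).
RAM_ONLY_SAMPLE='rootfs / rootfs rw 0 0
tmpfs / tmpfs rw,relatime,size=4194304k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0'

# Constructed sample of a non-compliant host: /var/log lives on a writable disk partition.
DISK_LOGGING_SAMPLE='tmpfs / tmpfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda2 /var/log ext4 rw,relatime 0 0'

# Reads a mount table on stdin; prints "device mountpoint fstype" for every
# writable mount whose filesystem type is not memory-backed or pseudo.
# The whitelist is an assumption for this example; pstore and efivarfs are
# deliberately absent because they do persist across reboots.
persistent_writable_mounts() {
    awk '
    {
        dev = $1; mnt = $2; fstype = $3; opts = $4
        if (fstype ~ /^(tmpfs|ramfs|rootfs|proc|sysfs|devtmpfs|devpts|cgroup2?|securityfs|debugfs|mqueue|bpf|tracefs|configfs|hugetlbfs|fusectl|autofs|binfmt_misc|nsfs)$/) next
        # Match "rw" as a whole option, so "ro,relatime" is not mistaken for writable.
        n = split(opts, o, ",")
        rw = 0
        for (i = 1; i <= n; i++) if (o[i] == "rw") rw = 1
        if (rw) print dev, mnt, fstype
    }'
}

# Takes a mount table as its argument. Returns 0 if nothing persistent is
# writable, 1 otherwise (listing the offending mounts on stderr).
check_ram_only() {
    found=$(printf '%s\n' "$1" | persistent_writable_mounts)
    if [ -n "$found" ]; then
        echo "persistent writable mounts found:" >&2
        echo "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed tables. On a live host you would run:
#   check_ram_only "$(cat /proc/mounts)"
check_ram_only "$RAM_ONLY_SAMPLE" && echo "RAM_ONLY_SAMPLE: pass"
check_ram_only "$DISK_LOGGING_SAMPLE" || echo "DISK_LOGGING_SAMPLE: fail"
```

A passing mount table is necessary but not sufficient: a reviewer would also want to confirm that the image the server boots from is read-only and integrity-checked, that nothing writes to raw block devices directly, and, as the privacy side of the audit covers, that no user data is shipped off the box while it runs.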
ExpressVPN had previously undergone 17 audits – the KPMG engagement makes 18. That sustained commitment to transparency is a large part of why I rank ExpressVPN among the most trustworthy VPNs available today.
“We’re delighted to have KPMG scrutinize our systems, TrustedServer technology, and validate our adherence to our no-logs policy as at 12 December 2023,” said Aaron Engel, Chief Information Security Officer, ExpressVPN. “Regular assessments and audits by independent third parties help validate the strength of our security measures, bolstering our confidence in safeguarding our users.”
Why are privacy audits so important?
Each and every VPN on the market should undergo regular independent audits – after all, they all handle a huge amount of personal customer data that could be misused.
These audits have benefits for customers and VPN services alike, too, including:
- Maintaining transparency: using a VPN means trusting it with your data – and that trust has to be earned and maintained. A VPN can have a fantastic no-logs policy on paper and still collect logs that it shouldn't. For this reason, top-tier VPNs undergo audits to create trust between themselves and their users, prove that they're not paying lip service to privacy, and uphold their no-logs policy.
- Better security: during a security audit, auditors take a deep dive into a VPN's infrastructure to uncover potential vulnerabilities. Finding and fixing them before attackers do reduces the chance of a security incident or data breach.
- Improved privacy: in addition to verifying the claims of a VPN's privacy policy, auditors scrutinize how VPNs collect and handle user data, and determine whether the VPN is doing enough to protect it. Auditors also assess what would actually be exposed if a server or database were compromised – how much data is kept, and in what form – which lets the VPN minimize and firm up what it holds before a breach happens.
- Ensuring compliance: auditors will also make sure that a VPN company is following the law and abiding by the relevant privacy and security regulations – as determined by the VPN's jurisdiction.