The ExpressVPN Review And Investigative Dossier: Examining Data Collection, Sharing Partners, and Findings for 2026.
Why it matters:
- ExpressVPN, acquired by Kape Technologies for $936 million, boasts a user base of over 6 million subscribers and operates from the British Virgin Islands.
- The company's privacy-focused approach includes wiping server data during reboots, minimal data collection, and third-party audits to verify its policies.
ExpressVPN entered the consumer market in 2009. Peter Burchhardt and Dan Pomerantz built the initial architecture. Kape Technologies purchased the parent company for 936 million dollars in September 2021. The acquisition expanded the total user base to over 6 million active subscribers. The service operates under the jurisdiction of the British Virgin Islands. The company maintains a strict policy against data retention. Engineers designed the TrustedServer network to run exclusively on volatile memory. The servers wipe all data during routine reboots. The application collects minimal diagnostic data. The collected data includes app versions, connection dates, server locations, and total bandwidth used. The system does not record IP addresses, browsing history, or DNS queries.
The company commissioned multiple third party audits to verify these privacy claims. KPMG completed a third assessment of the privacy policy in June 2025. Cure53 and Praetorian evaluated the proprietary Lightway connection method multiple times between 2021 and 2025. The provider secured ISO 27001, ISO 9001, and ISO 18295 certifications in 2025. The company expanded the core product into a broader privacy suite in February 2026. The new update introduced Identity Defender, ExpressAI, and ExpressMailGuard alongside the existing virtual private network service.
The 2021 acquisition by Kape Technologies represented the largest financial transaction in the virtual private network sector at that time. Kape Technologies paid 237 million dollars in shares to the founders and 699 million dollars in cash. The parent company previously acquired Private Internet Access and CyberGhost. ExpressVPN functions as an independent entity within the corporate structure. The engineering team released the Lightway connection method as open source software in August 2021. The method uses the wolfSSL cryptography library to improve connection speeds on routers and mobile devices. The Indian Computer Emergency Response Team released a directive in April 2022 requiring providers to store user data for five years. ExpressVPN refused to comply with the mandate. The company removed all physical servers from India and replaced them with virtual locations hosted in Singapore and the United Kingdom.
The privacy policy explicitly outlines the exact data points the company processes. The system records successful connections on a specific day without logging the exact time. The database registers the chosen server location without tracking the assigned outgoing IP address. The software notes the origin country and internet service provider without capturing the source IP address. The support team uses this minimal information to troubleshoot network failures and optimize server performance. The company routes all marketing analytics traffic through a dedicated pool of internal IP addresses to prevent third party trackers from correlating user identities. The legal department publishes twice yearly transparency reports detailing all law enforcement requests. The company surrenders zero data in response to these requests because the servers physically cannot store the requested information.
20 Important Questions Being Answered In This ExpressVPN Review
| Question | Verified Answers |
|---|---|
| 1. When did ExpressVPN officially launch? | 2009. |
| 2. Who originally founded the company? | Peter Burchhardt and Dan Pomerantz. |
| 3. Which corporation currently owns the service? | Kape Technologies. |
| 4. How much did the acquisition cost? | 936 million dollars. |
| 5. When did the acquisition finalize? | September 2021. |
| 6. How many active users does the network support? | Over 6 million. |
| 7. What specific data does the application collect? | App versions, connection dates, server locations, and bandwidth used. |
| 8. Does the company store user IP addresses? | No. |
| 9. Are DNS queries logged on the servers? | No. |
| 10. Which firm conducted the 2025 privacy audit? | KPMG. |
| 11. How many independent audits has the company published by 2024? | 19. |
| 12. What proprietary connection method does the service use? | Lightway. |
| 13. Which organizations audited the Lightway method in 2024 and 2025? | Cure53 and Praetorian. |
| 14. Does the company sell user data to third parties? | No. |
| 15. What server technology prevents data retention? | TrustedServer. |
| 16. How does the provider handle law enforcement requests? | They provide zero data because no logs exist. |
| 17. Which new features launched in February 2026? | ExpressKeys, Identity Defender, ExpressAI, and ExpressMailGuard. |
| 18. What ISO certifications did the company secure in 2025? | ISO 27001, ISO 9001, and ISO 18295. |
| 19. Does the application track browsing history? | No. |
| 20. Where is the parent company headquartered? | British Virgin Islands. |
Independent Security Audits by Year
| Year | Audit Count |
|---|---|
| 2021 | 1 |
| 2022 | 12 |
| 2023 | 1 |
| 2024 | 5 |
| 2025 | 3 |
ExpressVPN Privacy Claims and Security Audits
ExpressVPN maintains a precise data collection policy. The application records the installed app version, the dates of successful connections, the chosen VPN server location, and the total bandwidth consumed per day. The engineering team uses this minimal data to troubleshoot network problems and provide technical support. The system does not record connection times, source IP addresses, outgoing VPN IP addresses, DNS queries, or browsing history. The servers operate entirely on volatile memory. The TrustedServer architecture wipes all data during routine reboots. The company explicitly states that the collected data cannot link specific network activity to an individual user. The infrastructure design ensures that even if authorities seize a physical server, investigators find zero usable data. A historical incident involving the assassination of Andrei Karlov demonstrated this reality when Turkish authorities seized an ExpressVPN server and recovered zero logs.
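A stated collection policy like this one can be turned into a check that a reviewer runs over exported telemetry. The Go program below is an added example, not ExpressVPN code: the JSON field names and the sample records are constructed for illustration. It flags any field outside the four listed data points, any value containing an IP address, and any connection date that carries more than day precision.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// allowed holds the four data points the policy says are collected.
// The JSON field names are assumptions made for this example.
var allowed = map[string]bool{
	"app_version": true, "connection_date": true,
	"server_location": true, "bandwidth_bytes": true,
}

// Finding is one way a record goes beyond the stated collection policy.
type Finding struct{ Field, Reason string }

// containsIP reports whether any token in s is an IPv4 or IPv6 address,
// optionally with a port. A four-part version string such as "12.4.1.0"
// is syntactically an IPv4 address and would be flagged as well.
func containsIP(s string) bool {
	tokens := strings.FieldsFunc(s, func(r rune) bool {
		return r == ' ' || r == ',' || r == ';'
	})
	for _, tok := range tokens {
		if _, err := netip.ParseAddr(tok); err == nil {
			return true
		}
		if _, err := netip.ParseAddrPort(tok); err == nil {
			return true
		}
	}
	return false
}

// AuditRecord checks one JSON telemetry record and returns its findings
// in field-name order so results are stable across runs.
func AuditRecord(raw []byte) ([]Finding, error) {
	var rec map[string]any
	if err := json.Unmarshal(raw, &rec); err != nil {
		return nil, fmt.Errorf("record is not a JSON object: %w", err)
	}
	keys := make([]string, 0, len(rec))
	for k := range rec {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	var out []Finding
	for _, k := range keys {
		if !allowed[k] {
			out = append(out, Finding{k, "field is not in the stated collection list"})
		}
		s, isString := rec[k].(string)
		if !isString {
			continue
		}
		if containsIP(s) {
			out = append(out, Finding{k, "value contains an IP address"})
		}
		if k == "connection_date" {
			// The policy records the day of a connection, not the time.
			if _, err := time.Parse("2006-01-02", s); err != nil {
				out = append(out, Finding{k, "not a bare calendar date, may carry a time of day"})
			}
		}
	}
	return out, nil
}

func main() {
	// Constructed sample records, not real telemetry.
	samples := []string{
		`{"app_version":"12.4.1","connection_date":"2025-06-03","server_location":"Singapore","bandwidth_bytes":734003200}`,
		`{"app_version":"12.4.1","connection_date":"2025-06-03T14:22:09Z","server_location":"Singapore","bandwidth_bytes":1024,"client_ip":"203.0.113.7"}`,
	}
	for i, s := range samples {
		findings, err := AuditRecord([]byte(s))
		fmt.Printf("record %d: err=%v findings=%v\n", i+1, err, findings)
	}
}
```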

Kape Technologies purchased ExpressVPN for 936 million dollars in September 2021. Kape previously operated under the name Crossrider. Crossrider developed a platform that external companies used to distribute adware and malware. The acquisition raised immediate questions regarding user privacy and corporate transparency. ExpressVPN operates as a separate entity under the jurisdiction of the British Virgin Islands. The corporate structure prevents Kape Technologies from accessing or controlling ExpressVPN user data. The company generates all revenue directly from user subscriptions and does not sell user data to external buyers. Following the acquisition, Kape Technologies delisted from the London Stock Exchange in 2023. Ownership transferred to Unikmind Holdings Limited. Israeli billionaire Teddy Sagi controls Unikmind Holdings Limited. The shifting corporate ownership shows the importance of independent verification for all privacy claims.
The company commissioned multiple independent security firms to verify its privacy claims between 2020 and 2026. PricewaterhouseCoopers examined the build verification process in June 2020. Cure53 audited the proprietary Lightway system in August 2021. The security firm F Secure reviewed the Windows applications in early 2022. Cure53 verified the TrustedServer technology in May 2022. KPMG certified the policy against logging in September 2022 and conducted a subsequent assessment in December 2023. Praetorian and Cure53 executed further audits on the Lightway system in late 2024. Cure53 also evaluated the Aircove routers in November 2024. KPMG completed a third security audit of the privacy commitments in June 2025. These frequent external reviews confirm that the server infrastructure adheres to the stated data protection rules. The auditors consistently report zero unexpected logging or deviations from the published privacy rules.
| Date | Auditing Firm | Audit Focus |
|---|---|---|
| June 2020 | PwC Switzerland | Build verification process |
| August 2021 | Cure53 | Lightway VPN system |
| May 2022 | Cure53 | TrustedServer technology |
| September 2022 | KPMG | Policy against logging verification |
| December 2023 | KPMG | Privacy policy claims |
| September 2024 | Praetorian | Lightway VPN system |
| November 2024 | Cure53 | Aircove routers |
| June 2025 | KPMG | Privacy commitments |
ExpressVPN publishes biannual transparency reports to document legal requests for user data. The company received 374 formal requests from government and law enforcement entities between January and June 2025. This number represents a massive increase compared to previous reporting periods. The legal department also processed over one million Digital Millennium Copyright Act requests during the same timeframe. The company disclosed zero user data records in response to these inquiries. The absence of stored IP addresses and connection timestamps makes it mathematically impossible for the provider to match specific network activity to an individual user. The British Virgin Islands jurisdiction requires a local court order to compel data disclosure. The company fights all data requests vigorously through legal channels. The combination of strict local laws and volatile memory servers provides a verified defense against data extraction.
ExpressVPN introduced the Identity Defender product suite to provide credit scanning and identity monitoring. The privacy policy for this specific product requires users to submit personal information including Social Security numbers, banking details, and passport documents. The company maintains a strict separation between the Identity Defender database and the core VPN service. The engineering team ensures that no VPN data links to the personally identifiable information stored for identity monitoring. External service providers handle the credit history reports and criminal background checks. ExpressVPN does not store this sensitive background information on its own servers. This separation of databases protects the anonymity of the VPN users while allowing the company to offer personalized security products.
Corporate Lineage and the Kape Technologies Acquisition Timeline
The corporate ownership structure governing ExpressVPN traces back to 2011. Israeli technologists established a company named Crossrider. Teddy Sagi purchased Crossrider in December 2012 for 37 million dollars. The company completed an initial public offering on the London Stock Exchange Alternative Investment Market in September 2014. The public offering raised 75 million dollars and established a 250 million dollar valuation. Crossrider operated primarily in the advertising technology sector during its early years. The executive board initiated a strategic pivot toward digital security software in 2016. The company officially changed its name to Kape Technologies PLC in March 2018. The rebranding signaled a complete departure from advertising technology.
Kape Technologies executed a series of acquisitions to consolidate market share in the virtual private network sector. The firm acquired CyberGhost in 2017. The company purchased Private Internet Access in 2019 for 128 million dollars. Kape Technologies bought the digital content platform Webselenese for 149 million dollars in March 2021. These transactions established the foundation for the ExpressVPN acquisition later that year. Kape Technologies announced the ExpressVPN purchase on September 13 2021. The transaction required 936 million dollars. The payment structure included 699 million dollars in cash and 237 million dollars in Kape Technologies stock. The stock distribution granted the ExpressVPN founders a 14 percent stake in the combined entity.
Kape Technologies Acquisition Expenditures 2019 to 2021
| Acquisition | Year | Price |
|---|---|---|
| Private Internet Access | 2019 | 128 million dollars |
| Webselenese | 2021 | 149 million dollars |
| ExpressVPN | 2021 | 936 million dollars |
The ownership structure underwent a major alteration in 2023. Teddy Sagi controlled 54.8 percent of Kape Technologies through Unikmind Holdings Limited at the start of the year. Unikmind Holdings submitted a formal offer to purchase all remaining shares on February 13 2023. The initial proposal offered 285 pence per share. The board of directors negotiated a final price of 290 pence per share by April 2023. This final offer valued Kape Technologies at 1.51 billion dollars. Unikmind Holdings secured 98.54 percent of the total share capital by May 19 2023. The London Stock Exchange officially delisted Kape Technologies on May 31 2023. The transaction converted the publicly traded corporation into a privately held entity.
| Date | Event | Financial Valuation |
|---|---|---|
| December 2012 | Teddy Sagi acquires Crossrider | 37 million dollars |
| September 2014 | Crossrider Initial Public Offering | 250 million dollars |
| March 2018 | Crossrider rebrands to Kape Technologies | Not Applicable |
| September 2021 | Kape Technologies acquires ExpressVPN | 936 million dollars |
| May 2023 | Unikmind Holdings takes Kape Technologies private | 1.51 billion dollars |
The 2023 privatization process included significant executive restructuring. ExpressVPN founders Peter Burchhardt and Dan Pomerantz departed the company following the delisting. Chief Technology Officer Dan Gericke also exited the organization during this transition period. Kape Technologies reduced its global workforce by 12 percent after securing private status. The workforce reduction affected multiple departments across the corporate umbrella. Unikmind Holdings consolidated operational control to maximize financial efficiency. The new private board of directors consists exclusively of Unikmind appointees and select internal executives. This governance model removes independent shareholder oversight from the corporate equation.
Kape Technologies published specific operational guarantees during the 2021 ExpressVPN acquisition. The parent company agreed to maintain the existing zero knowledge architecture. ExpressVPN engineers retained full control over the TrustedServer deployment. The acquisition terms explicitly prohibited Kape Technologies from integrating ExpressVPN user data with CyberGhost or Private Internet Access databases. The parent company honors the British Virgin Islands legal framework for all ExpressVPN data requests. Law enforcement agencies must secure a valid court order from the British Virgin Islands to compel data production. The private ownership structure under Unikmind Holdings has not altered these jurisdictional protections as of 2026.
The transition to private ownership centralized corporate governance. Unikmind Holdings exercises total voting control over Kape Technologies. The private structure eliminates the public reporting requirements previously mandated by the London Stock Exchange. Kape Technologies operates ExpressVPN as an independent brand within its portfolio. The parent company maintains separate infrastructure for its various virtual private network properties. ExpressVPN continues to operate under the legal jurisdiction of the British Virgin Islands even with the parent company headquarters located in the United Kingdom. The corporate lineage shows a clear trajectory from a public advertising technology startup to a privately held digital privacy conglomerate.
Financial Mechanics and Revenue Models Behind the VPN Giant
ExpressVPN operates under a subscription based revenue model that underwent significant structural changes between 2020 and 2026. Prior to its acquisition, the company generated 279.4 million dollars in revenue during the 2020 fiscal year. The provider maintained an average revenue per user between 70 and 93 dollars during that period. Kape Technologies purchased the provider in September 2021 for 936 million dollars. The transaction stood as the largest acquisition in the virtual private network industry at the time. The deal integrated ExpressVPN into a broader corporate portfolio alongside CyberGhost and Private Internet Access. The acquisition immediately altered the financial trajectory of the parent company. Kape Technologies reported 623.5 million dollars in total revenue for the 2022 fiscal year. The inclusion of ExpressVPN for a full twelve months drove a 170.3 percent year over year revenue increase for Kape Technologies. The parent company also reported an adjusted operating profit of 176.0 million dollars for the same fiscal period.

Corporate ownership structures shifted entirely in 2023. Israeli billionaire Teddy Sagi initiated a buyout of Kape Technologies through his investment vehicle Unikmind Holdings. Sagi previously held a 54.8 percent stake in the enterprise. He offered 290 pence per share to acquire the remaining public stock. The transaction valued the entire company at 1.51 billion dollars. Unikmind Holdings secured 98.54 percent of the shares by May 2023. The firm subsequently delisted Kape Technologies from the London Alternative Investment Market on May 31, 2023. This privatization removed the requirement for public financial disclosures. The company now operates as a privately held entity under concentrated ownership. The absence of public shareholder pressure allows the firm to focus on long term subscription retention over quarterly earnings reports. The private structure also facilitates aggressive internal investments without the need to satisfy public market dividend expectations.
The core consumer pricing strategy evolved dramatically in September 2025. ExpressVPN abandoned its historical single tier subscription model in favor of a three tiered system. The company introduced Basic, Advanced, and Pro subscription levels to capture different market segments. The Basic plan costs 3.49 dollars per month on a two year billing cycle. This entry level tier permits ten simultaneous device connections and includes standard virtual private network access. The Advanced plan costs 4.49 dollars per month. The mid tier option adds a password manager, identity monitoring, and twelve simultaneous connections. The Pro plan costs 7.49 dollars per month. The highest tier provides a dedicated IP address, data removal services, and fourteen simultaneous connections. This tiered method increases the average revenue per user by upselling privacy tools beyond basic encrypted routing. The company frequently uses promotional discounts during major retail events to acquire new users on these extended billing cycles.
| Subscription Tier | Monthly Cost (Two Year Plan) | Simultaneous Connections | Included Features |
|---|---|---|---|
| Basic | $3.49 | 10 | VPN access, DNS blocking |
| Advanced | $4.49 | 12 | VPN, Password Manager, Identity Monitoring |
| Pro | $7.49 | 14 | VPN, Dedicated IP, Data Removal, Credit Reports |
Hardware sales represent a secondary revenue stream for the enterprise. The company sells the Aircove router directly to consumers for 189.90 dollars. Engineers built the device with native ExpressVPN integration at the firmware level. The hardware requires an active software subscription to unlock the encrypted routing capabilities. This hardware strategy locks consumers into the software ecosystem and reduces subscriber churn. The company also generates revenue through enterprise licensing and business accounts. The tiered pricing and hardware cross selling demonstrate a mature monetization strategy. The firm maximizes lifetime customer value through bundled services. The transition from a single product company to a broad privacy suite mirrors wider consolidation trends in the cybersecurity sector. The private ownership structure shields exact profit margins from public scrutiny, yet the aggressive pricing updates in 2025 indicate a clear push toward higher average revenue per user. The financial operations rely entirely on converting free trial users into multi year subscribers while minimizing customer acquisition costs.
Analysis of the ExpressVPN Privacy Policy and Terms of Service
ExpressVPN updated its Privacy Policy and Terms of Service multiple times between 2020 and 2026 to account for new product integrations and third party data handlers. The January 1, 2026, policy revision explicitly defines the boundaries between core virtual private network operations and supplementary services. The document confirms the company does not sell or lease personal data to third parties. The legal framework bases data processing on legitimate interest to fulfill contractual obligations.
This investigative ExpressVPN review finds that while the ExpressVPN core network operates on volatile memory servers, the corporate infrastructure relies on external vendors. The privacy policy identifies Zendesk and TeamSupport as the primary customer service platforms. These processors handle direct user communications and support tickets. For financial transactions, the company routes billing through external payment processors. The policy states these entities acquire billing addresses and credit card numbers, but ExpressVPN does not link this financial data to individual network activity.
The company deploys Google Analytics and mobile identifiers on its primary website and application interfaces to measure marketing performance. The January 2026 policy confirms the use of cookies and tracking pixels to monitor site navigation and advertising conversion rates. The system collects device types, operating systems, language preferences, and user agents. Android and iOS devices provide mobile identifiers to generate statistics related to marketing channels. The company uses this data to evaluate the effectiveness of advertising partners. Users hold the right to opt out of this tracking via the Network Advertising Initiative platform. The policy explicitly states these tracking systems do not extract personal data from the encrypted tunnel.
The 2026 Terms of Service introduced distinct clauses for new product suites. In February 2026, the company launched ExpressAI, ExpressMailGuard, and the Identity Defender suite. ExpressMailGuard functions as an email alias service to protect primary email addresses from spam. The Identity Defender product, operated in partnership with Array Plus Inc., requires a separate privacy agreement. This add on service collects highly sensitive information, including Social Security numbers, banking details, and credit scores. The Identity Defender policy details the collection of transaction information, order history, and social media handles. If a user activates the Credit Scanner feature, the system collects credit history incidents. The policy mandates a strict firewall between this identity data and the core service, ensuring no cross referencing occurs.
The March 12, 2026, Terms of Service update addresses the Model Context Protocol. This feature allows users to connect the service to third party artificial intelligence tools like Claude Code and Codex. The legal text explicitly absolves ExpressVPN of liability regarding data processed by these external models. The terms warn users that data transmitted to third party cloud servers falls exclusively under the external provider privacy policies.
For users purchasing a Dedicated IP, the March 2026 terms specify that the company generates a unique access code. The system design prevents any staff member or service provider from retrieving this code or identifying the assigned IP address. The terms specify the conditions for Dedicated IP inactivity. If a user remains inactive for more than two months on a long term subscription, the company can reassign the IP address. Similarly, the ExpressKeys password manager secures user data with zero knowledge encryption. The policy guarantees that the company cannot view, retrieve, or decrypt the stored passwords.
The terms of service strictly prohibit users from deploying the network to transmit harmful code, infringe on intellectual property rights, or track the personal information of others. Users agree not to reproduce, duplicate, copy, sell, or resell any portion of the service without express written permission. The company reserves the right to terminate accounts immediately without notice if a user breaches these conditions. To validate these legal claims, the company commissioned a third party audit in June 2025. KPMG LLP examined the privacy policy implementations and the server architecture. The auditors concluded the company provided reasonable assurance that it does not log browsing history, traffic destinations, or DNS queries, confirming the operational reality matches the written terms.
| Data Category | Collection Status | Third Party Processor |
|---|---|---|
| Support Communications | Collected | Zendesk, TeamSupport |
| Payment Information | Collected | External Payment Processors |
| Website Analytics | Collected via Cookies | Google Analytics |
| Identity Defender Data | Collected via Add On | Array Plus Inc. |
| ExpressKeys Passwords | Zero Knowledge Encrypted | None |
| External AI Prompts | Not Logged by ExpressVPN | Claude Code, Codex |
Technical Architecture of TrustedServer Technology and RAM Only Operations
ExpressVPN engineers deployed the TrustedServer architecture to eliminate physical hard drive storage from their data centers. The system runs entirely on volatile Random Access Memory. Traditional server setups write operating system data and configurations directly to physical disks. A physical disk retains data permanently until a system administrator overwrites the sectors. The TrustedServer infrastructure operates on a completely different foundation. The servers load a read only image at startup. The image contains the entire software stack and the operating system. Volatile memory requires continuous electrical power to maintain data. A standard reboot wipes all stored information instantly. The company schedules mandatory weekly reboot sequences for all servers across the global network. The reboot process clears the memory completely and guarantees that no personally identifiable information remains.
The engineering team configured a virtual in memory disk for necessary temporary operations. The system writes temporary operational data to this volatile space instead of a physical drive. Once the weekly upgrade and reboot sequence begins, the server forgets all data written to this virtual disk. The system reinstalls the entire software stack upon every single restart. The company applies a cryptographic signature to verify the read only image before the server boots. The server fails to start if the cryptographic signature proves invalid. The uniform read only image guarantees absolute consistency across the entire network. The engineering team knows the exact software version running on every single machine. The strict consistency reduces the risk of misconfigurations across the fleet of over 3000 servers. The RAM only method ensures that no server runs outdated or unsecured code.
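The boot-time check and the fleet consistency claim described above can be sketched as follows. This is an added example, not ExpressVPN code: the page does not name the signature scheme, so Ed25519 over a SHA-256 digest of the image is an assumption, and the key, image bytes and host names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// ErrBadSignature is returned when the image must not be booted.
var ErrBadSignature = errors.New("image signature invalid: refusing to boot")

// SignImage is the build-side step: sign the SHA-256 digest of the image.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	d := sha256.Sum256(image)
	return ed25519.Sign(priv, d[:])
}

// VerifyBeforeBoot is the server-side gate. It returns the hex digest of
// the image only if the signature checks out under the pinned public key.
func VerifyBeforeBoot(pub ed25519.PublicKey, image, sig []byte) (string, error) {
	// ed25519.Verify panics on a wrong-sized key, so reject it explicitly.
	if len(pub) != ed25519.PublicKeySize {
		return "", ErrBadSignature
	}
	d := sha256.Sum256(image)
	if !ed25519.Verify(pub, d[:], sig) {
		return "", ErrBadSignature
	}
	return hex.EncodeToString(d[:]), nil
}

// FleetDrift returns, sorted, the hosts whose reported image digest differs
// from the release digest. With one uniform image the result should be empty.
func FleetDrift(release string, reported map[string]string) []string {
	var drift []string
	for host, digest := range reported {
		if digest != release {
			drift = append(drift, host)
		}
	}
	sort.Strings(drift)
	return drift
}

// demoKey derives a fixed key pair from a constructed seed so the example
// is reproducible. A real signing key would be generated and kept offline.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	image := []byte("constructed read-only image, release 1") // stands in for the OS image
	sig := SignImage(priv, image)

	digest, err := VerifyBeforeBoot(pub, image, sig)
	fmt.Println("genuine image:", digest, err)

	// Flip one bit to simulate tampering with the image after signing.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	_, err = VerifyBeforeBoot(pub, tampered, sig)
	fmt.Println("tampered image:", err)

	// Hypothetical host names reporting the digest they booted.
	reported := map[string]string{"sg-01": digest, "uk-07": digest, "us-12": "stale-digest"}
	fmt.Println("hosts off the release image:", FleetDrift(digest, reported))
}
```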
Third party firms examined the TrustedServer architecture multiple times between 2020 and 2026 to verify the engineering claims. PwC Switzerland conducted an audit of the privacy policy compliance and the TrustedServer technology in June 2020. Cure53 performed a source code audit and a white box security assessment of the TrustedServer infrastructure in May 2022. KPMG tested the no logs policy in September 2022. The KPMG assessment verified that the TrustedServer technology operates exactly as the company claims. The auditors from KPMG performed testing over the controls framework and interviewed team members to check the processes. The independent assessments confirm that the servers do not retain user data.
| Audit Date | Auditing Firm | Scope of Assessment |
|---|---|---|
| June 2020 | PwC Switzerland | Privacy policy compliance and TrustedServer technology |
| August 2021 | Cure53 | Security audit of the Lightway technology |
| May 2022 | Cure53 | Source code audit and white box security assessment of TrustedServer |
| September 2022 | KPMG | No logs policy and server control framework |
| October 2022 | Cure53 | Second penetration test and source code audit of the Lightway technology |
The architecture prevents attackers from installing permanent backdoors on the network. An intruder might compromise a server temporarily. The weekly reboot sequence removes any unauthorized modifications automatically. The system design makes sure that neither information nor intruders can remain on a server after a restart. The thoroughness of these protections provides a verifiable guarantee against data retention. The company commissioned multiple independent audits to validate these specific security controls. The regular third party audits validate the internal engineering work and give users confidence in the privacy claims.
The TrustedServer infrastructure directly supports the proprietary Lightway technology. Cure53 audited the Lightway software in August 2021 and conducted a second assessment in October 2022. The technology uses standard cryptography and a simplified codebase. The optimized design requires fewer system resources to operate. The RAM only servers process the Lightway encrypted traffic without writing connection data to permanent storage. The combination of volatile memory and the simplified software delivers fast connection speeds. The Lightway technology connects quickly and switches smoothly between different networks. The RAM only servers handle the encrypted traffic quickly while maintaining the strict no logs policy.
The transition from hard disks to volatile memory represents a major shift in data center management. ExpressVPN introduced the RAM only server concept to the consumer market. Other providers adopted similar methods by 2020 to keep up with the new standard. The virtual in memory disk handles necessary operational data temporarily while the server runs. The system discards the data during the weekly maintenance window. The architecture provides a verifiable guarantee against data retention. The independent audits confirm the technical claims. The company continues to operate the TrustedServer network across 105 countries as of 2026. The engineering team maintains the strict reboot schedule to ensure maximum privacy for all users.
Historical Audit Trail from Inception to the 2026 Verification Cycle
ExpressVPN entered the consumer market in 2009. The company operated for its first decade without publishing independent security assessments. That posture changed in 2019 when PriceWaterhouseCoopers Switzerland conducted the first external examination of the provider. The auditors verified the privacy policy compliance and inspected the proprietary server architecture. This initial assessment established a baseline for subsequent verification cycles. Between January 2020 and December 2026, the provider commissioned more than twenty independent examinations from external cybersecurity firms.
The verification schedule accelerated significantly starting in 2020. PriceWaterhouseCoopers returned in June 2020 to inspect the internal build verification process. Cure53 took over the primary testing duties in August 2021 to evaluate the proprietary Lightway software. The testing volume peaked in 2022 with eight separate assessments. F Secure analyzed the Windows desktop application in March and April 2022. The auditors tested the software to ensure it could not leak IP addresses outside the encrypted tunnel. The inspection found zero remote code execution vulnerabilities. Cure53 executed penetration tests on the macOS application, the Linux application, and the Aircove hardware router during the summer of 2022. The macOS test revealed two security vulnerabilities and four informational weaknesses. The Linux test revealed two security vulnerabilities and three general weaknesses. The engineering team patched all identified items before the final report publication. KPMG entered the testing rotation in September 2022 to validate the zero data retention claims.
The 2023 verification pattern focused on software security and policy enforcement. Cure53 completed a second source code examination of the Lightway software. KPMG executed another compliance check on the data retention policies. The testing parameters expanded in 2024. Praetorian and Cure53 conducted concurrent evaluations of the Lightway software in September and October 2024. Cure53 also tested the browser extensions and the Aircove router firmware in late 2024.
The 2025 testing phase introduced new corporate governance standards alongside technical inspections. KPMG completed its third examination of the zero retention policy and the server architecture in June 2025. The audit evaluated the server architecture against the ISAE 3000 Type 1 standard. This standard is issued by the International Auditing and Assurance Standards Board. KPMG verified that the servers run exclusively on volatile memory. The servers wipe all temporary data during frequent reboots. The servers run a custom operating system image that is cryptographically signed to prevent tampering. The engineering team conducts weekly full operating system reinstallations to apply security patches. KPMG confirmed the systems functioned exactly as designed as of February 28, 2025. The engineering team rewrote the Lightway software using the Rust programming language in early 2025. Cure53 and Praetorian immediately tested the new Rust codebase. The parent organization secured ISO/IEC 27001 certification for information security management and ISO 9001 certification for quality management during the 2025 calendar year.
The 2026 operational pattern forced a mandatory software migration. The engineering team announced the retirement of all legacy security certificates. The company required all subscribers to install the latest software versions by March 31, 2026. The network infrastructure rejected connections from outdated software after that deadline. The mandatory update deployed post quantum encryption standards across the entire network. The company scheduled ISO/IEC 42001 certification for artificial intelligence management systems and ISO/IEC 27701 certification for privacy extensions by the end of 2026.
| Verification Year | Auditing Firm | Target Component | Primary Finding |
|---|---|---|---|
| 2020 | PricewaterhouseCoopers | Build Verification Process | Confirmed source code integrity protections. |
| 2021 | Cure53 | Lightway Software | Validated cryptographic implementation. |
| 2022 | F-Secure | Windows Application v12 | Found zero remote code execution vulnerabilities. |
| 2022 | KPMG | Data Retention Policy | Verified zero activity logging compliance. |
| 2023 | Cure53 | Lightway Software | Identified five low severity items requiring patches. |
| 2024 | Praetorian | Lightway Software | Confirmed software security posture. |
| 2025 | KPMG | Server Architecture | Validated volatile memory data destruction. |
| 2025 | Cure53 | Lightway Rust Codebase | Verified secure transition to new programming language. |
The application update schedule dictates specific version requirements for the 2026 network transition. Windows users must run version 12.103.0.22 or newer. Apple macOS installations require version 11.70.90675 or later. Mobile users on iOS must install version 11.193.0. Android devices require version 12.13.0. Linux machines need version 4.0.1. Aircove routers must operate on firmware version 5.4.2. The network drops all traffic from devices running older software builds. This strict version control system ensures uniform security standards across the entire user base.
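For administrators who need to find devices that will be cut off, the sketch below audits an inventory against the minimum builds listed above. It is an added example, not ExpressVPN tooling; the hostnames and installed versions are constructed, and the comparison is numeric per component because plain string comparison ranks "12.99" above "12.103".

```python
# Added example: fleet audit against the minimum builds quoted in the text.
MINIMUM_BUILD = {
    "windows": "12.103.0.22",
    "macos": "11.70.90675",
    "ios": "11.193.0",
    "android": "12.13.0",
    "linux": "4.0.1",
    "aircove": "5.4.2",
}


def parse_version(text):
    """Turn '12.103.0.22' into (12, 103, 0, 22); reject anything non-numeric."""
    parts = text.strip().split(".")
    if any(not (p.isascii() and p.isdigit()) for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def meets_minimum(platform, installed):
    """Compare component by component, padding the shorter version with zeros."""
    minimum = parse_version(MINIMUM_BUILD[platform.lower()])
    have = parse_version(installed)
    width = max(len(minimum), len(have))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(minimum)


def audit(inventory):
    """Return (host, status) pairs; unknown platforms and odd strings fail closed."""
    results = []
    for host, platform, installed in inventory:
        try:
            status = "ok" if meets_minimum(platform, installed) else "update-required"
        except (KeyError, ValueError):
            status = "unverifiable"
        results.append((host, status))
    return results


# Constructed inventory (hypothetical hostnames and installed builds).
SAMPLE_INVENTORY = [
    ("laptop-01", "windows", "12.103.0.22"),
    ("laptop-02", "windows", "12.99.1.5"),
    ("mac-07", "macos", "11.70.90675"),
    ("phone-03", "android", "12.13"),
    ("phone-04", "ios", "11.20.0"),
    ("router-01", "aircove", "5.4.2-beta"),
    ("nas-01", "freebsd", "1.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:10} {status}")
```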
The transparency reporting process provides additional data points regarding government interactions. The legal department processes hundreds of data requests from law enforcement agencies every year. The transparency report covering July 2024 through December 2024 showed a complete absence of surrendered data. The server architecture physically prevents the collection of the requested information. The independent audits confirm the mechanical impossibility of data extraction. The combination of mandatory software updates, continuous third party testing, and hardware level data destruction defines the current security posture of the application.
Cure53 and PwC Security Assessments of Core Infrastructure
Independent security firms continuously evaluate the core infrastructure of ExpressVPN to verify privacy claims. PricewaterhouseCoopers Switzerland conducted a major assessment of the build verification process in June 2020. This examination verified the software delivery pipeline remained free from malicious code injection. The engineering team subsequently expanded their external testing program to include the proprietary Lightway software and the TrustedServer architecture.
The June 2020 PricewaterhouseCoopers assessment scrutinized the internal systems used to compile the application clients. The auditors verified that the build machines operate in a restricted environment. This restriction prevents unauthorized modifications to the executable files before distribution to end users. The validation of the build process guarantees that the software installed on a user device matches the exact code reviewed by the security researchers.
Cure53 executed the first source code examination of the Lightway software in August 2021. The Berlin based cybersecurity firm reviewed the core codebase after the company released it under an open source license. The testers confirmed the high quality of the code and identified no severe vulnerabilities. Cure53 returned in November 2022 to conduct a second penetration test on the Lightway components. The auditors reported a positive security state and verified that the development team resolved five low severity findings immediately.
The TrustedServer network underwent a dedicated white box security assessment by Cure53 in May 2022. The firm inspected the source code to validate that the servers operate entirely on volatile memory. The audit proved that the operating system never writes data to hard drives. The servers wipe all information during every reboot sequence. KPMG took over the privacy policy compliance testing in September 2022. The KPMG auditors interviewed staff and tested the control frameworks to confirm the absence of activity and connection logs.
The company commissioned F-Secure to evaluate the Windows desktop application in early 2022. The security firm tested version 10 in March 2022 and version 12 in April 2022. The penetration testers attempted to execute remote code and intercept network traffic. The final report confirmed that the application successfully blocked packet injection and TLS downgrades. Cure53 expanded the testing scope to include the proprietary Aircove hardware routers. The firm completed the initial router security assessment in July 2022 and returned for a second evaluation in November 2024.
The engineering team rewrote the Lightway software using the Rust programming language to improve memory safety. Cure53 and Praetorian conducted dual assessments of this new implementation in late 2024. Praetorian completed its review in September 2024. Cure53 followed with its fourth Lightway audit in October 2024. The October 2024 Cure53 investigation required twenty four days of dedicated testing by five senior security engineers. The team divided the assessment into two distinct work packages. The first package focused on the Lightway source code. The second package examined the cryptographic libraries.
The auditors discovered that the server accepted data fragments from clients without proper authentication. The system stored these fragments in a cache memory block. A malicious actor could exploit this flaw to trigger a denial of service condition. The engineering team resolved this flaw and Cure53 verified the fix. The final report noted only one exploitable vulnerability and four miscellaneous weaknesses. The development team patched these flaws before the final retest in December 2024.
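The flaw class described above, buffering fragments before the sender is authenticated, is shown here next to a hardened reassembly cache. This is an added, simplified model and not Lightway code; the fragment header layout, the HMAC tag, the session key table and both limits are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FRAGMENTS = 16               # assumed per-message limit
MAX_PENDING_BYTES = 64 * 1024    # assumed per-session reassembly budget


def fragment_tag(key, msg_id, index, total, payload):
    """HMAC over the fragment header and payload, keyed by the session key."""
    header = msg_id.to_bytes(4, "big") + index.to_bytes(2, "big") + total.to_bytes(2, "big")
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class NaiveFragmentCache:
    """Flaw class from the audit: fragments are buffered before any authentication."""

    def __init__(self):
        self.pending = defaultdict(dict)

    def accept(self, session_id, msg_id, index, total, payload, tag=b""):
        self.pending[(session_id, msg_id)][index] = payload   # stored unconditionally
        return "buffered", None

    def buffered_bytes(self):
        return sum(len(p) for frags in self.pending.values() for p in frags.values())


class HardenedFragmentCache:
    """Authenticate first, then buffer within a fixed per-session budget."""

    def __init__(self, session_keys):
        self.session_keys = session_keys     # session_id -> key from a completed handshake
        self.pending = {}                    # (session_id, msg_id) -> (total, {index: payload})
        self.bytes_by_session = defaultdict(int)

    def accept(self, session_id, msg_id, index, total, payload, tag):
        key = self.session_keys.get(session_id)
        if key is None:
            return "drop-unknown-session", None
        if not (0 <= msg_id < 2**32 and 0 < total <= MAX_FRAGMENTS and 0 <= index < total):
            return "drop-malformed", None
        if not hmac.compare_digest(tag, fragment_tag(key, msg_id, index, total, payload)):
            return "drop-bad-tag", None
        expected_total, frags = self.pending.get((session_id, msg_id), (total, {}))
        if expected_total != total or index in frags:
            return "drop-inconsistent", None
        if self.bytes_by_session[session_id] + len(payload) > MAX_PENDING_BYTES:
            return "drop-over-budget", None
        frags[index] = payload
        self.pending[(session_id, msg_id)] = (total, frags)
        self.bytes_by_session[session_id] += len(payload)
        if len(frags) < total:
            return "buffered", None
        # All pieces present: release the memory and hand back the message.
        del self.pending[(session_id, msg_id)]
        self.bytes_by_session[session_id] -= sum(len(p) for p in frags.values())
        return "complete", b"".join(frags[i] for i in range(total))

    def buffered_bytes(self):
        return sum(self.bytes_by_session.values())


def demo():
    """Feed the same constructed traffic to both caches and report what each retained."""
    key = b"\x11" * 32                       # constructed session key for session 7
    junk = b"A" * 1000
    naive, hardened = NaiveFragmentCache(), HardenedFragmentCache({7: key})
    outcomes = []
    for msg_id in range(3):                  # fragments from a peer with no session
        naive.accept(99, msg_id, 0, 2, junk)
        outcomes.append(hardened.accept(99, msg_id, 0, 2, junk, b"\x00" * 32)[0])
    outcomes.append(hardened.accept(7, 1, 0, 2, junk, b"\x00" * 32)[0])  # right session, wrong tag
    message = None
    for i, part in enumerate([b"hello ", b"world"]):   # legitimate two-part message
        status, message = hardened.accept(7, 1, i, 2, part, fragment_tag(key, 1, i, 2, part))
        outcomes.append(status)
    return {"naive_bytes": naive.buffered_bytes(), "hardened_bytes": hardened.buffered_bytes(),
            "outcomes": outcomes, "message": message}


if __name__ == "__main__":
    print(demo())
```

The per-session budget matters even after authentication: a valid but misbehaving client is stopped at `MAX_PENDING_BYTES` instead of growing the cache without bound.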
KPMG continued to monitor the privacy commitments through multiple subsequent evaluations. The firm completed a review of the privacy policy claims in December 2023. A third KPMG security audit concluded in June 2025. KPMG performed extensive testing on the server control frameworks during these assessments. The auditors inspected the server configurations to verify compliance with the published privacy policy. The testing confirmed that the infrastructure drops all incoming connection metadata. The system does not record the assigned IP addresses or the session durations. The June 2025 KPMG audit reaffirmed these findings across the expanded global server network.
The company maintains a public bug bounty program to supplement these formal security audits. Independent researchers receive financial compensation for identifying undocumented vulnerabilities in the application clients or the server infrastructure. The engineering team published the core codebase of the Lightway software under the GNU General Public License in 2021. This open source distribution allows external developers to scrutinize the cryptographic implementation continuously. The combination of scheduled professional audits and continuous public scrutiny establishes a verifiable baseline for the security claims of the provider.
| Date | Auditor | Component Tested |
|---|---|---|
| June 2020 | PricewaterhouseCoopers | Build Verification Process |
| August 2021 | Cure53 | Lightway Software |
| May 2022 | Cure53 | TrustedServer Architecture |
| September 2022 | KPMG | Privacy Policy Compliance |
| November 2022 | Cure53 | Lightway Software |
| December 2023 | KPMG | Privacy Policy Claims |
| September 2024 | Praetorian | Lightway Rust Implementation |
| October 2024 | Cure53 | Lightway Rust Implementation |
| June 2025 | KPMG | Privacy Commitments |
KPMG Independent Audits on No Log Claims and Data Retention
ExpressVPN relies on third party validation to prove its data retention claims. The company contracted KPMG to audit its privacy policies and server infrastructure. KPMG conducted three separate audits between 2022 and 2025. The first audit concluded in September 2022. The second audit finished in December 2023. The third audit wrapped up in June 2025. These assessments tested the internal controls that govern the TrustedServer network.
KPMG executed these audits under the International Standard on Assurance Engagements 3000 Type 1 framework. This specific standard requires auditors to evaluate the design and implementation of internal controls at a specific point in time. The auditors interviewed engineering staff and inspected the server configuration files. They checked the volatile memory deployment to verify that the servers wipe all data during routine reboots. The 2025 report confirmed that the platform integrity prevents the collection of user activity logs.
The auditing firm specifically looked for evidence of connection logs and activity logs. Connection logs include timestamps and assigned internet protocol addresses. Activity logs include browsing history and domain name system queries. KPMG found no evidence that ExpressVPN stores this information. The firm issued a clean bill of health for the 2022, 2023, and 2025 assessments. Users can access the full KPMG reports through the ExpressVPN website after agreeing to the terms and conditions set by the auditing firm.
ExpressVPN publishes biannual transparency reports to supplement these independent audits. These reports detail the number of user data requests the legal department receives from government agencies and law enforcement. The company operates under the jurisdiction of the British Virgin Islands. This location has no mandatory data retention laws. When authorities submit legal requests for user data, the company responds that it has no data to share. The zero log architecture makes it technically impossible to comply with data requests.
The company also commissioned other cybersecurity firms to test different components of its service. Cure53 audited the browser extensions and the Aircove router firmware. Praetorian and Cure53 both audited the Lightway virtual private network software. These parallel audits provide a broader view of the security posture. The KPMG audits remain the primary verification method for the core privacy claims regarding data retention.
The table below details the specific KPMG audits and their primary focus areas between 2022 and 2025.
| Audit Date | Auditing Firm | Standard Applied | Primary Focus Area |
|---|---|---|---|
| September 2022 | KPMG | ISAE 3000 Type 1 | Privacy policy compliance and no log verification |
| December 2023 | KPMG | ISAE 3000 Type 1 | TrustedServer architecture and data retention controls |
| June 2025 | KPMG | ISAE 3000 Type 1 | Security audit of privacy commitments and server infrastructure |
The 2023 audit specifically tested the description and design of the TrustedServer services. KPMG provided reasonable assurance that the platform integrity prevented the collection of any user activity logs. The 2025 audit reaffirmed these findings. The continuous auditing schedule shows a commitment to verifying privacy claims through recognized third party firms. The company has published 19 independent audit reports to date. This volume of third party testing sets a measurable standard for the virtual private network industry.
The engineering team designed the network to run entirely on random access memory. This hardware decision enforces log impermanence at the physical level. Traditional hard drives can retain deleted data until new data overwrites it. Random access memory requires continuous power to store information. When the server reboots, the memory clears completely. KPMG verified that this architecture functions exactly as the company claims. The auditors confirmed that the servers do not write data to persistent storage.
The transparency reports provide a quantitative measure of the legal requests the company receives. The legal team processes subpoenas and court orders from various international jurisdictions. The company reviews each request for legal validity under British Virgin Islands law. Even when a request meets all legal requirements, the company cannot produce the requested data. The servers do not hold the necessary records to identify specific users or their online activities. The KPMG audits validate this operational reality by confirming the absence of data storage systems.
The auditors also examined the internal processes for deploying server updates. They verified that the engineering team cannot secretly introduce logging code into the production environment. The build verification process requires multiple approvals before any code reaches the live servers. This separation of duties prevents rogue employees from compromising the privacy protections. KPMG reviewed these administrative controls as part of the broader assessment of the privacy policy claims.
The scope of the ISAE 3000 Type 1 standard focuses on the design of the controls at a specific date. It does not provide continuous monitoring of the network. The company addresses this limitation by scheduling regular audits. The gap between the 2023 and 2025 audits was eighteen months. During this period, the company relied on its internal security team and bug bounty program to maintain the integrity of the systems. The bug bounty program rewards independent researchers who find security vulnerabilities in the software.
What Data ExpressVPN Actually Collects During User Sessions
ExpressVPN maintains a specific data collection framework during active user sessions. The company updated its privacy policy multiple times between January 2020 and January 2026 to clarify these exact metrics. The application records whether a user successfully establishes a virtual private network connection on a specific day. The system does not record the exact time of day for this connection. The servers log the chosen server location. The infrastructure does not store the assigned outgoing IP address. The software identifies the originating country and the internet service provider. The network does not capture the source IP address. This precise separation of data points allows the engineering team to monitor network health without compromising individual user identities.
The company collects aggregate data transfer metrics to manage server load. The system calculates the total sum of megabytes or gigabytes transferred by a specific account over a twenty four hour period. Engineers use this metric to identify accounts that consume excessive bandwidth. The company contacts users who push more traffic than thousands of other customers combined. This monitoring ensures stable server performance across the entire network. The operations team reviews these bandwidth logs to provision new servers in high demand regions. The data remains tied to a generic account identifier rather than a specific browsing history. The network administrators delete these aggregate bandwidth totals once they complete their monthly capacity planning assessments.
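The collection rules in the two paragraphs above (day but not time, server location but not assigned IP, country and ISP but not source IP, one bandwidth total per account per day) can be expressed as a minimization step with a leak check on its output. This is an added example, not ExpressVPN code; the raw event fields, account names and addresses are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

ALLOWED_FIELDS = {"account", "day", "connected", "server_locations",
                  "countries", "isps", "bytes_total"}
CLOCK_TIME = re.compile(r"\d{1,2}:\d{2}")


def minimize(events):
    """Collapse raw session events into one record per account per UTC day."""
    daily = {}
    for ev in events:
        day = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).date().isoformat()
        rec = daily.setdefault((ev["account"], day), {
            "account": ev["account"], "day": day, "connected": False,
            "server_locations": set(), "countries": set(), "isps": set(),
            "bytes_total": 0,
        })
        rec["connected"] = rec["connected"] or ev["connected"]
        rec["server_locations"].add(ev["server_location"])
        rec["countries"].add(ev["client_country"])
        rec["isps"].add(ev["client_isp"])
        rec["bytes_total"] += ev["bytes_up"] + ev["bytes_down"]
        # source_ip, assigned_ip and the time of day are never copied across.
    out = []
    for key in sorted(daily):
        rec = daily[key]
        for name in ("server_locations", "countries", "isps"):
            rec[name] = sorted(rec[name])
        out.append(rec)
    return out


def find_leaks(record):
    """Flag fields outside the policy and any value that looks like an IP or clock time."""
    leaks = []
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            leaks.append(("unexpected-field", field))
        items = value if isinstance(value, (list, tuple, set)) else [value]
        for item in items:
            if not isinstance(item, str):
                continue
            try:
                ipaddress.ip_address(item)
                leaks.append(("ip-address", field))
            except ValueError:
                if CLOCK_TIME.search(item):
                    leaks.append(("time-of-day", field))
    return leaks


def _event(account, ts, location, connected, up, down):
    # Constructed raw event; the IPs are documentation addresses (RFC 5737).
    return {"account": account, "ts": ts, "source_ip": "203.0.113.7",
            "assigned_ip": "198.51.100.20", "server_location": location,
            "client_country": "IN", "client_isp": "ExampleNet",
            "connected": connected, "bytes_up": up, "bytes_down": down}


SAMPLE_EVENTS = [
    _event("acct-A", 1768467600, "Singapore", True, 1_000, 9_000),    # 2026-01-15 09:00 UTC
    _event("acct-A", 1768510800, "UK - London", True, 500, 4_500),    # 2026-01-15 21:00 UTC
    _event("acct-A", 1768521700, "Singapore", True, 10, 90),          # 2026-01-16 00:01 UTC
    _event("acct-B", 1768467600, "Netherlands", False, 0, 0),         # failed attempt
]

if __name__ == "__main__":
    for rec in minimize(SAMPLE_EVENTS):
        print(rec, find_leaks(rec))
```

Running `find_leaks` over stored records in a pipeline test turns the policy into a regression check: a schema change that starts persisting an address or a full timestamp fails the build.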
The desktop and mobile applications transmit specific telemetry data. Independent performance tests from 2026 show the application sends diagnostic payloads every ninety minutes. These transmissions average eight kilobytes in size. The telemetry includes the active network interface names and the timezone derived from the device geolocation. The application requires two hundred eighteen megabytes of resident set size memory during active sessions. The auto updater downloads full binaries ranging from one hundred twenty to one hundred eighty megabytes for patch releases. This background activity generates approximately one point two gigabytes of monthly traffic on metered connections.
| Data Category | Collection Status | Data Size / Frequency | Primary Purpose |
|---|---|---|---|
| Connection Success | Logged Daily | 1 Boolean Value | Network Reliability |
| Server Location | Logged per Session | Text String | Capacity Planning |
| Bandwidth Total | Aggregated Daily | Numeric Byte Count | Abuse Prevention |
| Diagnostic Telemetry | Opt In Only | 8 KB per 90 Minutes | Software Patching |
| Source IP Address | Never Collected | 0 Bytes | Privacy Protection |
Users can opt into sharing anonymous diagnostic information during the initial software installation. This category includes crash reports and connection diagnostics. The engineering team uses these reports to patch software bugs and improve network stability. The data remains completely separated from personal account identifiers. The company stores all diagnostic payloads on secure servers. The internal staff accesses usage statistics strictly on a need to know basis. The privacy policy explicitly prohibits the sale of this diagnostic data to third party marketing firms.
The service processes payment and account information separately from session data. The billing department retains email addresses and transaction records. Third party payment processors process the actual credit card numbers. The company binds these processors to strict confidentiality agreements. The legal department mandates that these external vendors cannot use the payment data for secondary marketing campaigns. The corporate structure in the British Virgin Islands protects these billing records from foreign data requests.
The company commissions regular independent audits to verify these data collection practices. Accounting firms like KPMG and PricewaterhouseCoopers examined the server infrastructure multiple times between 2022 and 2026. The auditors confirmed that the volatile memory servers wipe all session data during routine reboots. The independent reports verified that the company cannot produce connection logs or browsing histories even when presented with a valid court order. The engineering architecture physically prevents the storage of sensitive session data on permanent hard drives. The security researchers at Cure53 also tested the desktop applications to ensure the software does not secretly collect unapproved telemetry data in the background.
Telemetry Data and Crash Reports Sent to Third Party Analytics
ExpressVPN collects specific diagnostic data only when users explicitly grant permission. The application gathers crash reports, usability diagnostics, and speed test metrics. The privacy policy mandates that this data remains anonymized. The software strips all personally identifiable information before transmission. The default state for diagnostic data sharing remains disabled upon installation. Users must actively choose to send this information through the application settings menu. The engineering team uses the telemetry to identify server connection failures, software bugs, and internet service provider incompatibilities. The system separates support interactions from application telemetry. The company shares support tickets with Zendesk and SnapEngage. These support logs contain email addresses and anonymized device attributes.
The company routes this diagnostic data through external service providers based on the operating system. ExpressVPN binds these external processors with non disclosure agreements. The integration of Google and Apple services introduces external data processors into the privacy chain. Firebase Crashlytics and Google Analytics operate under Google privacy policies. Sentry operates under Functional Software policies. Apple device users must navigate to their system settings to disable Apple crash reporting completely. The January 01 2026 privacy policy update confirms that the application does not share diagnostic data by default.
| Operating System | Analytics Provider | Parent Company |
|---|---|---|
| Windows | Sentry | Functional Software |
| Mac | Firebase Crashlytics, Sentry | Google, Functional Software |
| Linux | Sentry | Functional Software |
| iOS | Firebase Crashlytics, Apple | Google, Apple |
| Android | Firebase Crashlytics | Google |
| Browser Extensions | Google Analytics | Google |
The ExpressVPN Digital Security Lab published a report titled Investigation Xoth which analyzed smartphone location tracking. The researchers identified 450 mobile applications containing invasive trackers. The company distinguishes its own telemetry from these malicious trackers by ensuring its diagnostic tools never collect location data or browsing history. The application limits data collection to the minimum required for software maintenance. The engineering team applies privacy by design principles to ensure the strictest privacy settings remain the default option. The system architecture prevents the transmission of any data that could enrich user profiles or provide insights into user behavior.
Independent audits verified that the telemetry pipeline does not leak DNS queries or IP addresses to these third parties. KPMG conducted a thorough assessment of the privacy policy and confirmed that the company keeps no activity logs. The auditors verified that all connection timestamps record as zero to prevent user identification. The system design prevents the correlation of crash reports with individual browsing sessions. The engineering team uses this reporting data strictly for network optimization and software patching. The infrastructure relies on volatile memory servers that wipe all data during routine weekly reboots.
Users who prioritize maximum privacy frequently choose to leave all diagnostic sharing options disabled. The application functions completely without transmitting any telemetry data. The network architecture ensures that core virtual private network services do not depend on Firebase or Sentry to establish secure tunnels. This separation of diagnostic tools from core routing functions protects user traffic from third party observation. The company maintains 18 published third party audit reports to verify these claims. The legal department published a transparency report in July 2024 confirming they possessed no user data to share with authorities.
Payment Processing Data and Anonymity in Subscription Models
ExpressVPN requires specific financial data to activate and maintain user subscriptions. The company collects an email address and payment details during the initial checkout process. The privacy policy explicitly states that this billing information remains on file to process recurring charges, handle refund requests, and manage account statuses. The service does not process credit card transactions directly on its own servers. Instead, the company routes transactions through established third party payment gateways. This separation ensures that the core VPN infrastructure never touches raw credit card numbers. The billing database operates entirely independently from the VPN server network.
The network relies on external processors like PayPal, Stripe, and BitPay to handle fiat and cryptocurrency transfers. In February 2025, ExpressVPN expanded its checkout options to include Apple Pay and Google Pay. These mobile payment platforms use advanced encryption and tokenization technologies. Tokenization allows users to complete purchases without transmitting their actual credit card numbers directly to the merchant. This method reduces the amount of raw financial data stored on ExpressVPN servers. The privacy policy mandates that all third party payment providers operate under strict confidentiality agreements. These vendors can only process the data for billing purposes and cannot share or sell the transaction details. The payment processors maintain their own separate privacy policies, which govern how they handle the financial data on their end.
Users seeking maximum financial anonymity frequently use alternative payment methods. Since 2014, ExpressVPN has accepted Bitcoin and other cryptocurrencies through BitPay. Paying with cryptocurrency requires only a valid email address, separating the user identity from their VPN account. In early 2026, technical problems temporarily disabled the cryptocurrency checkout option in certain regions, yet the company maintained its commitment to restoring the feature quickly. Subscribers also use prepaid debit cards and virtual single use masked credit cards to obscure their identities. Services providing virtual credit cards generate temporary numbers that are not directly linked to a primary bank account. If a checkout prompt requires a name for a prepaid card, users can input generic terms like “Gift Card” to bypass identity verification.
The introduction of dedicated IP addresses in late 2024 tested the boundaries of payment anonymity. A dedicated IP provides a static address for a single user, creating a potential link between the subscriber billing profile and their internet activity. To solve this problem, ExpressVPN engineered a zero knowledge IP allocation system. When a user purchases the dedicated IP add on, the billing system processes the payment but does not record which specific IP address the system assigns to that account. The company cannot trace the dedicated IP back to the user, even with a clear record of the financial transaction. The engineering team published a white paper detailing this cryptographic separation, proving that the billing database and the IP assignment database cannot communicate identifying details.
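The page does not give the construction behind this separation. The added example below uses an RSA blind signature, a standard building block for unlinkable tokens, as an assumed stand-in to show how a billing system can authorize an IP assignment it cannot later tie to the payer; the class names, the toy key and the address pool are all hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes: constructed for the demo, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # signing exponent, held only by billing


def token_to_int(token):
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class BillingSystem:
    """Knows who paid; signs a blinded value it cannot read."""

    def __init__(self):
        self.ledger = []             # everything billing could ever hand over

    def sign_blinded(self, account, blinded):
        self.ledger.append({"account": account, "blinded": blinded})
        return pow(blinded, D, N)


class IpAllocator:
    """Knows which token holds which IP; never sees an account."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.assignments = {}        # token -> IP

    def redeem(self, token, signature):
        if pow(signature, E, N) != token_to_int(token):
            return None              # not signed by billing
        if token in self.assignments or not self.pool:
            return None              # already redeemed, or pool exhausted
        self.assignments[token] = self.pool.pop(0)
        return self.assignments[token]


def purchase(account, billing, allocator):
    """Client side: blind a random token, have it signed, unblind, redeem."""
    token = secrets.token_bytes(32)
    m = token_to_int(token)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = (m * pow(r, E, N)) % N                       # billing sees only this
    signature = (billing.sign_blinded(account, blinded) * pow(r, -1, N)) % N
    return token, signature, allocator.redeem(token, signature)


def billing_can_link(billing, token, signature):
    """True if billing's records contain the token value or the final signature."""
    seen = {entry["blinded"] for entry in billing.ledger}
    return token_to_int(token) in seen or signature in seen


if __name__ == "__main__":
    billing = BillingSystem()
    allocator = IpAllocator(["192.0.2.10", "192.0.2.11"])   # documentation addresses
    token, signature, ip = purchase("acct-A", billing, allocator)
    print(ip, billing_can_link(billing, token, signature))
```

Blinding removes only the cryptographic link. If the token is redeemed at the moment of purchase from the same network address, the two systems could still be correlated by timing, so a real deployment has to decouple those steps as well.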
Data retention laws in the British Virgin Islands govern how long ExpressVPN keeps billing records. The jurisdiction does not enforce mandatory data retention for internet service providers. The company keeps payment information only for the duration of the active subscription. If a user submits a formal data deletion request, the company erases the billing profile, which immediately terminates the VPN service. The separation of payment data from connection logs ensures that a subpoena for financial records yields only a purchase history, not a record of web traffic or assigned IP addresses. Law enforcement agencies can confirm that a specific individual purchased a subscription, yet they cannot obtain any data showing how that individual used the service.
| Payment Method | Data Shared with ExpressVPN | Anonymity Level |
|---|---|---|
| Standard Credit Card | Name, Billing Address, Last 4 Digits | Low |
| PayPal | Email Address, Billing Agreement ID | Low |
| Apple Pay and Google Pay | Tokenized Payment ID, Email Address | Medium |
| Virtual Masked Credit Card | Alias Name, Tokenized Number | High |
| Cryptocurrency | Email Address, Transaction Hash | High |
Law Enforcement Requests and the Historical Response Record
ExpressVPN receives hundreds of legal demands annually from global authorities. The legal department processes warrants, subpoenas, and civil inquiries. The company publishes biannual transparency reports detailing these requests. The engineering architecture prevents the fulfillment of these demands. The servers contain no connection timestamps, session durations, or assigned IP addresses. The legal team informs requesting agencies that the specified records do not exist. The company operates under the jurisdiction of the British Virgin Islands. Foreign subpoenas require domestication through local courts before they carry legal weight. Even when a court grants a valid local order, the technical reality remains unchanged. The volatile memory servers wipe all data upon reboot.
A major physical test of this infrastructure occurred in January 2017. Turkish investigators confiscated a physical server located in Turkey. Authorities sought connection logs related to the assassination of Russian Ambassador Andrei Karlov. The hardware inspection yielded zero user data. The company confirmed to investigators that the system design prevents the retention of activity logs. The event provided a physical verification of the zero retention architecture. The authorities found no evidence linking any specific user to the deleted social media accounts in question. The company subsequently removed all physical servers from Turkey and transitioned to virtual locations for that region. The virtual servers provide Turkish IP addresses while the physical hardware resides in the Netherlands.
The company formalized its public reporting in 2024. The legal team logged 333 formal government and civil requests throughout the year. The first half of 2024 generated 170 requests. The second half brought 163 requests. Authorities served three official warrants during this period. Copyright holders submitted over one million Digital Millennium Copyright Act notices. The first half of the year saw 259,561 copyright complaints. The second half saw 807,788 copyright complaints. The company disclosed zero user records in response to these demands. The legal department responded to every inquiry by confirming the absence of stored data. The massive volume of copyright notices arrives primarily through automated tracking systems. The company discards these notices because it cannot identify the users generating the traffic.
The volume of legal inquiries escalated in 2025. Between January and June 2025, the legal department received 374 formal requests from government and civil entities. This figure represented a massive increase from the previous reporting period. Copyright complaints also surged to 1,063,598 notices during the same six month window. The company updated its reporting categories during this period. The legal team grouped subpoenas, gag orders, and national security letters under a single civil and government request category. Warrants remained in a separate classification to maintain consistency with past reports. The company maintained its zero disclosure record across all categories. The second half of 2025 brought another wave of automated copyright notices and three additional government warrants. The outcome remained identical.
| Reporting Period | Government and Civil Requests | Official Warrants | Copyright Notices | Data Disclosed |
|---|---|---|---|---|
| January to June 2024 | 170 | 2 | 259,561 | 0 |
| July to December 2024 | 163 | 1 | 807,788 | 0 |
| January to June 2025 | 374 | 0 | 1,063,598 | 0 |
The historical response record shows a consistent pattern of zero compliance with data extraction demands. The company commissions external audits to verify these claims. Security firms like KPMG and Cure53 inspect the server environments to confirm the absence of logging software. The transparency reports align with the findings of these external auditors. The legal department processes the paperwork, but the engineering constraints dictate the outcome. The system simply cannot surrender data that it never records. The publication of these metrics allows independent researchers to track the frequency of government inquiries over time. The data confirms that law enforcement agencies frequently target virtual private network providers for user identification. The zero disclosure rate validates the core privacy claims made by the engineering team.
The Assassination of Andrei Karlov and the 2017 Server Seizure Incident
On December 19, 2016, off duty Turkish police officer Mevlut Mert Altintas assassinated Russian Ambassador Andrei Karlov at an art exhibition in Ankara, Turkey. The investigation into the murder quickly shifted to the digital footprint of the assassin. Investigators discovered that an unidentified individual accessed the Gmail and Facebook accounts of the shooter to delete relevant conversations and possible evidence. The unknown actor routed their internet traffic through an ExpressVPN server located in Turkey to mask their true IP address. The authorities recognized that recovering the deleted messages required identifying the person who initiated the remote wipe.
Turkish authorities traced the connection to a specific data center. In January 2017, police raided the facility and physically seized the ExpressVPN server. Investigators aimed to extract connection logs, IP addresses, and timestamps to identify the person who deleted the digital files. The authorities inspected the hardware for any residual data that could link a specific user to the deleted social media accounts. Law enforcement agencies use physical server confiscation to bypass corporate legal departments and directly access stored data.
The physical seizure yielded zero usable data. ExpressVPN representatives stated that the company did not possess customer connection logs or activity records. The hardware inspection by Turkish law enforcement confirmed this claim. The server contained no IP addresses, no DNS queries, and no browsing history. The system only recorded anonymous metadata. This metadata included the total daily data transferred and the server location choices. This limited information proved useless for identifying the suspect. The police could not determine who accessed the accounts or what specific data the user transmitted.
The details of the seizure remained confidential until December 2017. At that time, Turkish media reported on the hardware confiscation. This prompted an official public response from ExpressVPN. The company confirmed the raid and stated that their infrastructure design prevented the storage of user activity. Following the physical confiscation, ExpressVPN executives decided to cease operating physical servers within Turkish borders. The company replaced the physical hardware with virtual server locations. These virtual servers provide users with a Turkish IP address while the actual physical machines reside in the Netherlands. This structural change protects the physical hardware from future Turkish police raids.
The 2017 incident directly influenced the development of the ExpressVPN TrustedServer technology. Engineers deployed this new architecture in 2019. The upgraded network runs entirely on volatile memory. The servers operate without hard disk drives. Every time a server reboots, the system wipes all data from the memory banks. The boot sequence loads a fresh read-only image of the operating system. By 2026, the entire network of over 3000 servers uses this volatile memory standard. This engineering choice ensures that future physical seizures result in the exact same outcome as the Turkish raid.
The Turkish server seizure established a precedent for how the company handles government data demands. In June 2022, the Indian government enacted laws requiring virtual private network providers to store user names, IP addresses, and usage patterns for five years. ExpressVPN refused to comply with the mandate. The company removed all physical servers from India and transitioned to virtual locations based in Singapore and the United Kingdom. As of 2026, independent auditors and legal experts continue to reference the Karlov investigation as the definitive real world test of the company's privacy claims. The inability of state authorities to extract user data during a high profile murder investigation provides verified proof of the zero log architecture.
| Date | Event | Verified Outcome |
|---|---|---|
| December 19, 2016 | Assassination of Andrei Karlov | Unknown actor uses ExpressVPN to delete the assassin's social media data. |
| January 2017 | Turkish police seize ExpressVPN server | Hardware inspection reveals zero connection logs or user activity. |
| December 2017 | Public disclosure of the server seizure | ExpressVPN removes physical servers from Turkey. |
| April 2019 | Deployment of TrustedServer technology | All servers transition to volatile memory without hard drives. |
| June 2022 | Indian government mandates data retention | ExpressVPN removes physical servers from India to protect user data. |
| February 2026 | Publication of latest transparency report | Company confirms zero user data disclosed to law enforcement. |
Cross Border Data Transfers and British Virgin Islands Jurisdiction
ExpressVPN operates under the legal framework of the British Virgin Islands. The territory functions as an autonomous nation with an independent judiciary and legislature. The local legal code strictly limits the authority of foreign intelligence agencies. The territory maintains its own national police force and does not participate in the Fourteen Eyes intelligence sharing network. The government does not enforce mandatory data retention laws for internet service providers or virtual private networks. The jurisdiction operates outside international intelligence sharing agreements. Foreign governments cannot directly compel companies registered in the territory to produce customer records. To request data, foreign entities must petition the British Virgin Islands High Court. The court requires proof of dual criminality. The alleged offense must carry a minimum one year prison sentence under local laws. The foreign government making the request must describe the nature of the criminal activity. The petition must detail the specific evidence sought and its relevance to the case. The requesting party must provide grounds for believing the evidence exists within the British Virgin Islands. This highly burdensome process deters international investigators from pursuing subpoenas against companies in the territory.
The British Virgin Islands enacted the Data Protection Act on July 9, 2021. The legislation established a formal legal framework for personal data processing within the territory. The law applies to all incorporated entities and foreign companies using local equipment for data processing. The legislation aligns the territory with international privacy standards. The law mandates that data controllers process personal information fairly and transparently. Entities must obtain explicit consent before collecting sensitive user details. The Information Commissioners Office oversees compliance and determines penalties for violations. The office holds the authority to audit data processing facilities. Companies failing to meet legal obligations face compliance notices and possible prosecution. A conviction for severe non-compliance carries a maximum penalty of a one hundred thousand dollar fine or five years imprisonment. The legislation explicitly protects individuals residing outside the territory whose data is processed by local controllers. ExpressVPN must comply with these privacy standards when handling user information.
Cross border data transfer mandates frequently clash with privacy policies. On April 28, 2022, the Indian Computer Emergency Response Team issued a directive requiring virtual private network providers to collect and store user data for five years. The Indian government enacted the new rules to combat cybercrime and track malicious actors. The mandate applied to all virtual private networks, cloud service providers, and data centers operating within the country. The regulations required companies to store customer information even after users canceled their subscriptions. The Indian Ministry of Electronics and Information Technology threatened punitive action against non compliant companies. ExpressVPN refused to comply with the data collection requirements. The company stated that logging user activity contradicts the core purpose of a privacy service. The company removed all physical servers from India to avoid the jurisdiction of the new regulations. Engineers replaced the physical infrastructure with virtual servers located in Singapore and the United Kingdom. These virtual locations provide Indian IP addresses while routing traffic through servers in countries without mandatory logging laws. The virtual server method allows the company to bypass these local data collection laws while maintaining network access.
The company publishes transparency reports detailing formal requests from government and law enforcement agencies. The legal department groups subpoenas, gag orders, and national security letters under a single reporting category. Between January and June 2025, the legal team received 374 formal requests from civil and government entities. The company also processed over one million Digital Millennium Copyright Act complaints during the same period. Even with the high volume of legal demands, the company produced zero user data records.
| Reporting Period | Legal Requests Received | Copyright Complaints | User Data Disclosed |
|---|---|---|---|
| January to June 2025 | 374 | Over 1,000,000 | 0 |
| July to December 2024 | 163 | 807,788 | 0 |
The server infrastructure runs entirely on volatile memory. Routine reboots wipe all temporary data. The absence of stored connection logs renders court orders and physical server seizures useless for investigators. ExpressVPN faced a physical test when Turkish police seized a server from a local data center. The authorities attempted to extract user connection logs to identify a suspect. The inspection confirmed the company's statements. The server contained no logs that could identify users or their activities. The hardware only held anonymous metadata such as app versions and total daily data transferred. This metadata proved useless for the criminal investigation. The Turkish court case established a public record of the server wiping process. The inability of law enforcement to recover data from seized hardware validates the engineering claims.
ExpressVPN Proprietary Lightway Protocol Cryptographic Analysis
ExpressVPN engineered Lightway to replace aging off-the-shelf systems like OpenVPN and IKEv2. The company released the core codebase under an open-source license in 2021. This decision allowed independent security researchers to inspect the cryptographic foundations. The German cybersecurity firm Cure53 conducted the initial source code assessments in 2021 and 2022. These early inspections confirmed the structural integrity of the original C programming language implementation. The software defaults to the AES-256-GCM cipher for devices with hardware acceleration. The system automatically switches to the ChaCha20-Poly1305 cipher for lower-powered routers and entry-level mobile devices. The architecture establishes connections over the DTLS 1.3 standard.
In early 2024, ExpressVPN transitioned the Lightway codebase from C to the Rust programming language. Rust eliminates specific memory safety vulnerabilities by design. The company commissioned two separate cybersecurity firms, Cure53 and Praetorian, to audit the new Rust implementation in late 2024. Cure53 registered its audit as EXP-16 and assigned five senior testers to the project for twenty-four days. The assessment divided the testing into Work Package 1 for the Lightway Core and Work Package 2 for the WolfSSL bindings. The Cure53 team discovered five security matters. One finding, labeled EXP-16-004, was a high-severity denial of service vulnerability involving unauthenticated data fragments. The remaining four were general weaknesses with low exploitation risk. Praetorian identified two low-risk vulnerabilities in a separate review. ExpressVPN patched all identified vulnerabilities. Both firms conducted retests in December 2024 and verified the fixes.
The network architecture integrates post-quantum cryptography to defend against future decryption threats. Threat actors currently harvest encrypted data to decrypt it later when quantum computers become viable. ExpressVPN deployed initial post-quantum protections in October 2023 to defend against this specific threat model. The early implementation relied on the Open Quantum Safe library. The engineering team applied the P256_KYBER_LEVEL1 parameter for UDP traffic and the P521_KYBER_LEVEL5 parameter for TCP traffic.
In January 2025, ExpressVPN upgraded the cryptographic framework to use the ML-KEM algorithm. The National Institute of Standards and Technology finalized ML-KEM as the official post-quantum encryption standard. The engineering team migrated the framework to the WolfSSL library to support this integration. WolfSSL provides enterprise-grade support and precise alignment with the finalized federal standards. The cryptographic framework uses a hybrid method. The system combines classical encryption algorithms with the new quantum-safe standards. This dual defense ensures that an attacker must break both encryption schemes to access the plaintext data.
The company introduced Lightway Turbo in March 2025 to increase data throughput. This update uses multi-lane tunneling to establish multiple connections to servers simultaneously. The method increases available bandwidth for upload and download speeds without degrading real-time latency. ExpressVPN paired this upgrade with data channel offload techniques for users who still rely on the older OpenVPN standard.
ExpressVPN scheduled a mandatory security certificate migration for March 31, 2026. The company retires older digital keys on that date. Users must update their applications to maintain connectivity. Legacy versions fail to connect to the server network after the deadline. This forced deprecation ensures all active clients use the updated ML-KEM encryption standards and the patched Rust codebase.
| Date | Event | Cryptographic Milestone |
|---|---|---|
| August 2021 | Initial Cure53 Audit | First independent security assessment of the original C codebase and AES-256-GCM implementation. |
| October 2023 | Post-Quantum Launch | Integrated early quantum-resistant cryptography using the Open Quantum Safe library for UDP and TCP. |
| October 2024 | EXP-16 Audit | Cure53 and Praetorian audited the new Rust implementation and verified patches for a high-severity DoS vulnerability. |
| January 2025 | ML-KEM Integration | Upgraded to the finalized federal standard for post-quantum encryption via the WolfSSL library. |
| March 2025 | Lightway Turbo Release | Deployed multi-lane tunneling to increase bandwidth and data transmission speeds. |
| March 2026 | Certificate Retirement | Scheduled deprecation of legacy security keys to enforce the use of updated ML-KEM encryption. |
DNS Leak Protection and WebRTC Vulnerability Testing Results
Independent security researchers and audit firms continuously test ExpressVPN for data leaks. A Virtual Private Network must route all Domain Name System requests and Web Real Time Communication traffic through encrypted tunnels. If a defect occurs, the application exposes the true Internet Protocol address of the user to internet service providers and external observers. Testing between 2020 and 2026 reveals specific vulnerabilities and a subsequent patching pattern.
In February 2024, CNET technical writer Attila Tomaschek discovered a Domain Name System leak defect in the ExpressVPN Windows application. The flaw affected the split tunneling feature. The defect forced a small percentage of user traffic to bypass the encrypted tunnel and route through default internet service provider servers. Security researchers noted the bug existed for nearly two years before detection. ExpressVPN engineers immediately disabled the split tunneling feature on Windows and deployed a patch. The engineering team discovered the root cause involved specific network configurations where the operating system prioritized default local servers over the encrypted tunnel.
The company hired cybersecurity firm Nettitude to verify the remediation. Nettitude conducted a penetration test in March and April 2024. The auditors tested Windows application versions v12.74.0.19 and v10.51.0.9. The final report confirmed the engineers successfully patched the split tunneling leak. Nettitude discovered one new medium severity bug during the assessment. The new defect caused the application to assign an incorrect Virtual Private Network profile to browser applications, which temporarily leaked the internet service provider address in specific virtual machine environments. The engineers resolved the new defect before the final report publication. ExpressVPN subsequently published a technical paper on the engrXiv repository to detail new methods for testing Domain Name System leaks across the industry. The paper categorized leaks into two distinct types. Type one involves requests bypassing the tunnel entirely. Type two involves requests routing to non-preferred encrypted servers. The researchers shared these findings to help competing firms patch similar defects.
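The two leak types described above can be checked mechanically against a capture of a host's DNS queries. The following is an added example, not code from ExpressVPN, Nettitude or the engrXiv paper; the capture line format, the interface name `tun0`, the resolver addresses and the reading of type two as "inside the tunnel but sent to a resolver other than the VPN's own" are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample capture (not real traffic). Line format assumed here:
#   <time> IF=<egress interface> <src>.<port> > <resolver>.<port> <qtype>? <qname>
SAMPLE_CAPTURE = """\
12:00:01.100 IF=tun0 10.8.0.2.51514 > 10.8.0.1.53 A? example.com
12:00:01.350 IF=eth0 192.168.1.23.51515 > 192.168.1.1.53 A? example.com
12:00:02.010 IF=tun0 10.8.0.2.51516 > 198.51.100.53.53 AAAA? example.org
12:00:03.000 IF=eth0 fe80::1.51517 > 2001:db8::53.53 A? example.net
garbled line that the parser must skip
"""

OK = "ok"
TYPE_1 = "type-1: bypassed the tunnel"
TYPE_2 = "type-2: in tunnel, non-preferred resolver"

# The address and port are joined by a dot, so the greedy \S+ backtracks to
# the last ".<digits>" group; this also works for IPv6 literals.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+IF=(?P<iface>\S+)\s+"
    r"\S+\.\d+\s+>\s+"
    r"(?P<dst>\S+)\.\d+\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class DnsQuery:
    time: str
    iface: str      # interface the query left the host on
    resolver: str   # normalized destination resolver address
    qname: str


def parse_capture(text):
    """Return the DnsQuery records found in text, skipping malformed lines."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            resolver = str(ipaddress.ip_address(m["dst"]))
        except ValueError:
            continue  # destination is not an IP literal
        queries.append(DnsQuery(m["time"], m["iface"], resolver, m["qname"]))
    return queries


def classify(query, tunnel_ifaces, preferred):
    """Map one query to OK, TYPE_1 or TYPE_2."""
    if query.iface not in tunnel_ifaces:
        return TYPE_1  # left on a physical interface: visible to the ISP
    if query.resolver not in preferred:
        return TYPE_2  # encrypted in transit, but answered by another resolver
    return OK


def audit(text, tunnel_ifaces, preferred_resolvers):
    """Classify every query in a capture; return (findings, per-verdict counts)."""
    preferred = {str(ipaddress.ip_address(r)) for r in preferred_resolvers}
    findings = [(q, classify(q, tunnel_ifaces, preferred))
                for q in parse_capture(text)]
    summary = {}
    for _, verdict in findings:
        summary[verdict] = summary.get(verdict, 0) + 1
    return findings, summary


if __name__ == "__main__":
    results, counts = audit(SAMPLE_CAPTURE, {"tun0"}, {"10.8.0.1"})
    for q, verdict in results:
        print(f"{q.time} {q.iface:5} -> {q.resolver:15} {q.qname:12} {verdict}")
    print(counts)
```

The IPv6 query in the sample is classified as type one because it leaves on the physical interface, which is the secondary leak vector that blocking IPv6 traffic is meant to close.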
Web Real Time Communication standards present another common vector for data exposure. Browsers use these standards for voice and video communication. The standards can expose a local or public Internet Protocol address even when a user connects to a Virtual Private Network. Cure53 audited the ExpressVPN browser extension in September and October 2022. The auditors found a defect in the Firefox extension. The Web Real Time Communication blocking feature failed to function correctly in Firefox and facilitated an Internet Protocol address leak. The leak exposed the server address rather than the true user address. ExpressVPN patched the Firefox extension defect, and Cure53 verified the resolution. The auditors praised the overall security foundation of the extension but mandated the patch for complete user protection. ExpressVPN also provides a public testing tool on their website for users to manually check their browser configurations.
To maintain continuous oversight, ExpressVPN operates a bug bounty program. The company offers up to one hundred thousand dollars for the discovery of serious vulnerabilities. Security researchers use this program to submit reports on potential Domain Name System or Web Real Time Communication leaks. The internal security team recreates each submitted defect in a controlled environment to verify the impact. The team then assigns the fix to specific engineers and verifies the patch before public release.
A 2025 independent network testing report evaluated ExpressVPN against static and dynamic leak scenarios. The laboratory tested 455 network transitions. ExpressVPN passed all static Web Real Time Communication and Domain Name System leak tests. The application showed zero public Internet Protocol exposures. The testers recorded one minor Domain Name System configuration change during a dynamic network switch. The configuration change did not result in any data exposure. The laboratory confirmed the application successfully blocked all IPv6 traffic to prevent secondary leak vectors.
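A Web Real Time Communication leak check comes down to inspecting the ICE candidates a browser gathers while the tunnel is up and comparing every address in them with the expected VPN exit address. The following is an added example, not ExpressVPN's testing tool or Cure53's test code; the candidate strings, the exit address `198.51.100.20` and the verdict labels are constructed for illustration.

```python
import ipaddress

# Ranges treated as "local" here: RFC 1918, loopback, link-local and IPv6 ULA.
# ipaddress.is_private is avoided on purpose because it is also true for the
# documentation ranges used as stand-in public addresses in the sample below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed ICE candidate lines as a browser would report them.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2113937151 3f1c2a9e-77b0-4c1d-9a52-0e6d1b2c3d4e.local 50000 typ host",
    "candidate:2 1 udp 2113937151 192.168.1.23 50001 typ host",
    "candidate:3 1 udp 1677729535 198.51.100.20 50002 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:4 1 udp 1677729535 203.0.113.77 50003 typ srflx raddr 192.168.1.23 rport 50001",
    "a=candidate:5 1 tcp 1518280447 2001:db8::10 9 typ host tcptype active",
]


def parse_candidate(line):
    """Extract address, type and related address from one candidate line."""
    line = line.strip()
    if line.startswith("a="):           # SDP attribute form
        line = line[2:]
    tokens = line.split()
    if (len(tokens) < 8 or not tokens[0].startswith("candidate:")
            or tokens[6] != "typ"):
        return None
    extras = dict(zip(tokens[8::2], tokens[9::2]))  # raddr, rport, tcptype ...
    return {"address": tokens[4], "type": tokens[7],
            "raddr": extras.get("raddr")}


def classify_address(addr, vpn_exits):
    """Return a verdict for one address seen in a candidate."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not an IP literal: mDNS ".local" names hide the host address.
        return "ok" if addr.endswith(".local") else "unparsed"
    if ip.is_unspecified or ip in vpn_exits:
        return "ok"
    if any(ip in net for net in LOCAL_NETS):
        return "local-address-exposed"
    return "public-address-leak"


def audit_candidates(lines, vpn_exit_addresses):
    """Return (line_no, field, address, verdict) for every non-ok address."""
    exits = {ipaddress.ip_address(a) for a in vpn_exit_addresses}
    findings = []
    for line_no, line in enumerate(lines, start=1):
        cand = parse_candidate(line)
        if cand is None:
            findings.append((line_no, "line", line, "unparsed"))
            continue
        for field in ("address", "raddr"):
            addr = cand[field]
            if addr is None:
                continue
            verdict = classify_address(addr, exits)
            if verdict != "ok":
                findings.append((line_no, field, addr, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_candidates(SAMPLE_CANDIDATES, {"198.51.100.20"}):
        print(finding)
```

Candidate 4 produces two findings because the server-reflexive address and its `raddr` field each disclose an address other than the tunnel exit.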
Network Size and Virtual Server Locations Versus Physical Hardware
ExpressVPN operates a global network spanning 105 countries and over 170 distinct server locations. The company upgraded its infrastructure between 2020 and 2026 to support 10 gigabits per second bandwidth capacities. Engineers deployed TrustedServer technology across the entire network to eliminate traditional hard drives. This architecture runs entirely on volatile memory. The servers wipe all data during routine reboots to ensure no digital footprint survives a system restart. The physical hardware footprint covers every continent except Antarctica. The company expanded its United States presence significantly in July 2025. ExpressVPN added 38 new physical server locations to address growing demand for localized connections. This expansion brought the total number of United States locations to 62. The network now includes physical servers in all 50 states. The localized servers reduce latency for domestic users and help bypass state level internet restrictions.
The distinction between physical hardware and virtual server locations defines the actual geographic distribution of the network. A physical server operates hardware directly inside the specific country. A virtual server assigns an IP address matching the requested country while routing traffic through physical hardware located in a different nation. ExpressVPN routes traffic for virtual locations through nearby physical servers to maintain connection speeds. If a user connects to Indonesia, the network routes the traffic through a physical server in Singapore but assigns an Indonesian IP address. The company applies this routing technique for countries with restrictive internet regulations or poor data center infrastructure. Finding secure and reliable data centers in certain regions proves difficult. Other virtual routing examples include serving Algeria through Germany and assigning Panamanian IP addresses via servers in Brazil. The virtual routing ensures users can access localized content without exposing their traffic to unverified third party data centers.
ExpressVPN states that virtual server locations account for less than 5 percent of the total network throughput. The vast majority of user data travels through physical servers located exactly where the application indicates. Independent network analysis provides a different perspective on the advertised country count. A March 2026 investigative report by XDA Developers analyzed the server networks of major virtual private network providers. The researchers reviewed data from IPinfo to verify the physical locations of advertised servers. The investigation found that 57 percent of the 105 countries advertised by ExpressVPN operate as virtual locations. The company provides physical hardware in roughly 45 countries while relying on virtual routing to supply IP addresses for the remaining 60 nations. The report noted similar practices across the industry. Competitors like CyberGhost and NordVPN rely heavily on virtual routing to expand their advertised country coverage.
2026 VPN Network Analysis: Percentage of Virtual Server Locations
| VPN Provider | Claimed Countries | Virtual Percentage |
|---|---|---|
| IPVanish | 108 | 61% |
| CyberGhost | 100 | 57% |
| ExpressVPN | 105 | 57% |
| NordVPN | 126 | 53% |
| Proton VPN | 110 | 51% |
Source: XDA Developers March 2026 Report
This architectural choice reduces operational costs and physical security risks in volatile regions. Operating physical servers in nations with authoritarian governments exposes the hardware to seizure and forensic analysis by state authorities. Virtual servers eliminate this physical risk entirely. The encryption standards and no logs policy remain identical regardless of the server type. The application interface does not always clearly distinguish between physical and virtual locations for the end user. The company publishes a complete list of virtual locations on its official website for transparency. The network size relies heavily on these virtual locations to achieve the advertised 105 country count. Users seeking strict physical routing must cross reference the official website list before selecting a connection point.
Key Personnel Backgrounds and the Daniel Gericke Controversy
The executive leadership at ExpressVPN faced intense public scrutiny in September 2021. The United States Department of Justice announced a deferred prosecution agreement involving three former military and intelligence operatives. The government named ExpressVPN Chief Information Officer Daniel Gericke as one of the defendants. The charges detailed his involvement in Project Raven. This covert operation provided mercenary hacking services to the United Arab Emirates. The timing of the announcement coincided exactly with the 936 million dollar acquisition of ExpressVPN by Kape Technologies. The simultaneous events forced the company to defend its hiring practices while integrating into a new corporate structure.
Court documents reveal that Gericke and his associates built zero click surveillance tools for the UAE monarchy. The tools allowed foreign operatives to infiltrate the devices of human rights activists, journalists, and rival politicians. The Justice Department fined the three men a combined 1.68 million dollars to resolve the cybercrime charges. Gericke received a specific monetary penalty of 335,000 dollars. He also agreed to cooperate fully with the Federal Bureau of Investigation and forfeit all foreign and domestic security clearances. The government stated that the men provided unlicensed defense services and operated systems designed to access global computer networks without authorization. The Federal Bureau of Investigation emphasized that individuals supporting such activities face strict legal consequences.
ExpressVPN released a public statement defending Gericke immediately after the court filing. The company claimed full awareness of his background prior to his hiring in December 2019. Executives stated that his expertise in offensive cyber operations directly improved the defensive architecture of the virtual private network. The company stated that its trust in Gericke remained strong. He retained his position as Chief Information Officer for nearly two more years. Gericke eventually left the company in July 2023. The departure occurred quietly without a formal press campaign. The decision to retain him during the federal investigation drew heavy criticism from privacy advocates and independent security researchers. Industry watchers questioned the ethics of employing a penalized operative to secure consumer data. The company responded by publishing additional transparency reports to validate its security claims.
| Date | Executive Event | Details |
|---|---|---|
| December 2019 | Daniel Gericke Hired | Joined ExpressVPN as Chief Information Officer. |
| September 2021 | DOJ Settlement | Gericke fined 335,000 dollars for Project Raven involvement. |
| September 2021 | Kape Acquisition | Kape Technologies purchased ExpressVPN for 936 million dollars. |
| October 2022 | Michael Truong Hired | Appointed as Chief Product Officer for the Kape Privacy Division. |
| July 2023 | Gericke Departs | Daniel Gericke left his role as Chief Information Officer. |
| August 2024 | Marketing and Partnerships Expansion | Ankit Khemka named Chief Marketing Officer and Zac Eller named General Manager of Global Partnerships. |
The corporate hierarchy shifted significantly following the Kape Technologies buyout. The parent company began consolidating leadership roles across its privacy division. ExpressVPN appointed Michael Truong as Chief Product Officer in October 2022. Truong previously managed product analytics for Grab and took over product management for multiple virtual private network brands under the Kape umbrella. The restructuring aimed to unify the engineering and design teams across CyberGhost, Private Internet Access, and ExpressVPN. The parent company maintained that customer data for ExpressVPN would remain in its own entity under British Virgin Islands jurisdiction. Truong directed a team of product managers to standardize the user experience across the entire portfolio. The integration required careful management to avoid mixing the distinct server networks of the acquired brands.
Executive expansion continued into 2024 as the company sought to increase its market share. Kape Technologies appointed Ankit Khemka as Chief Marketing Officer in August 2024. Khemka previously directed global marketing at Revolut. The company also hired former Netflix executive Zac Eller as General Manager of Global Partnerships during the same month. These appointments indicate a strategic pivot toward aggressive business development and corporate partnerships. The new leadership team focuses on expanding the subscriber base while navigating the reputational damage caused by the federal settlement. The company relies on continuous third party audits to reassure users about the integrity of its infrastructure. The current executives prioritize enterprise sales and hardware integrations to diversify revenue streams beyond individual consumer subscriptions.
Final Verdict on ExpressVPN Privacy Protections and User Risk Profile
Corporate structure changes altered the public visibility of the application's parent company. In early 2026 Kape Technologies delisted from the London Stock Exchange. The parent company moved entirely under Teddy Sagi and his Unikmind private group. Private companies do not file public stock disclosures. This structural shift removes financial transparency for users evaluating the corporate entity behind the application. The provider maintains that it operates independently from other Kape brands. The company generates all revenue directly from user subscriptions. The privatization process shields internal financial operations from external analysts. Users evaluating the service must rely entirely on technical audits rather than corporate filings to verify privacy claims.
The company published its transparency report for the first half of 2025. The legal department received 374 formal requests from government and law enforcement agencies. This number represents more than double the volume of the previous reporting period. The company processed 1,063,598 DMCA requests during the same period. The legal team disclosed zero user data records in response to these inquiries. The application architecture prevents the collection of browsing history, DNS queries, and IP addresses. The absence of stored data guarantees that authorities receive no actionable intelligence from the provider. The privacy policy explicitly states that the service collects only account information, usage statistics, and anonymous app diagnostics. The diagnostic data includes crash reports that users can disable in the settings menu. The provider records the total bandwidth consumed and the dates connected to the network. The system does not record the specific times of connection or the duration of individual sessions.
The provider commissioned 23 third party audits by 2025. KPMG completed its third assessment of the privacy policy and TrustedServer technology in June 2025. The audit confirmed the servers do not retain activity or connection logs. The assessment occurred under the International Standard on Assurance Engagements 3000 Type 1 framework. KPMG verified that the server design actively prevents log collection. The servers reboot regularly to wipe all accumulated data from the volatile memory. Cure53 and Praetorian evaluated the Rust rewrite of the Lightway protocol in late 2024. The security firms identified one exploitable vulnerability and several low risk items. Engineers patched these faults by December 2024. Cure53 also audited the browser extensions in June 2024 and found only two minor vulnerabilities. The firm conducted a retest in July 2024 to verify the successful implementation of the security patches.
A separate technical fault occurred in April 2025 when a Windows application leak exposed real IP addresses for RDP traffic. This event marked the second significant leak incident since 2022. The engineering team deployed a patch to resolve the DNS routing problem. The company then hired an external firm to verify the remediation of the split tunneling fault in April 2024. The provider secured multiple ISO certifications in 2025 to validate internal management processes. The ISO 27001 certification confirms the structured management of information security risks. The ISO 9001 certification verifies quality management practices. These certifications validate organizational processes but do not replace the technical code reviews required to prove the zero data retention claims.
| Metric | Data Point | Verification Source |
|---|---|---|
| Parent Company Status | Private under Unikmind (2026) | Financial Filings |
| Formal Data Requests (H1 2025) | 374 | Transparency Report |
| DMCA Requests (H1 2025) | 1,063,598 | Transparency Report |
| Data Records Disclosed | 0 | Transparency Report |
| Total Published Audits | 23 | Trust Center |
| Recent Technical Fault | Windows RDP IP Leak (April 2025) | Security Bulletins |
| Latest KPMG Audit | June 2025 | ISAE 3000 Type 1 Report |
The technical infrastructure demonstrates verified privacy protections. The RAM only servers and regular third party code reviews provide measurable security benefits. The April 2025 Windows leak proves that software vulnerabilities still occur. Users must weigh the verified zero data disclosure track record against the private ownership structure of Kape Technologies. The service delivers high grade encryption and strict data minimization. The continuous publication of transparency reports confirms the legal department rejects all data demands. The application remains a highly audited tool for network encryption.
This ExpressVPN Investigative Review was originally published on our controlling outlet and is part of the Media Network of 2500+ investigative news outlets owned by Ekalavya Hansaj. It is shared here as part of our content syndication agreement. The full list of all our brands can be checked here. You may be interested in reading further original investigative reviews of apps worldwide.
