ExpressVPN has one of the longer-standing no-logs reputations in the VPN industry. It’s been audited, it uses RAM-only servers (TrustedServer), and it has British Virgin Islands jurisdiction. But two events since 2021 have added complexity to the privacy picture: the Kape Technologies acquisition and an employee controversy that drew FBI attention.
What ExpressVPN claims
ExpressVPN’s privacy policy states it does not log: IP addresses, browsing history, traffic destination or metadata, DNS queries, or connection timestamps. It claims to collect only: the date of connection (not time), the choice of VPN server location (not the specific server), and bandwidth used per session.
This is more than many providers claim to store, but less than what would be needed to identify a user or their activity.
The TrustedServer audit
ExpressVPN introduced its TrustedServer technology in 2019: a RAM-only server architecture where all data is wiped on each reboot and servers boot from a read-only image. This was independently audited by PwC.
The audit confirmed that TrustedServer functions as described and that ExpressVPN’s servers did not store user data in the way the policy claimed they didn’t.
The Kape acquisition: what changed
In September 2021, Kape Technologies acquired ExpressVPN for $936 million. Kape also owns CyberGhost, Private Internet Access, and ZenMate.
Kape was previously named Crossrider and operated a platform used for distributing adware and browser hijackers until 2018. The rebrand to Kape and the pivot to cybersecurity products has been substantial, but the history is factual context.
The acquisition didn’t immediately change ExpressVPN’s product, privacy policy, or technical infrastructure. The concern is structural: ExpressVPN now operates under a corporate parent with a different history and broader obligations to shareholders and acquirers.
ExpressVPN’s leadership committed at the time of acquisition to maintain operational independence and existing privacy practices. Whether that commitment holds over time is unverifiable in advance.
The 2021 UAE employee case
In December 2021, a former ExpressVPN employee (Daniel Gericke) was revealed to have been working for a US government contractor conducting surveillance operations on behalf of the UAE government, including targeting US citizens. Gericke had previously worked at the NSA and joined ExpressVPN while allegedly continuing involvement in UAE hacking operations.
The Department of Justice announced that Gericke agreed to pay $335,000 and accepted a deferred prosecution agreement for violating US export control laws.
This raised questions about insider risk: if someone with that background had access to ExpressVPN’s infrastructure, what could they have accessed? ExpressVPN stated that Gericke did not have access to user data due to TrustedServer’s architecture. The RAM-only design means there is no stored data to access even with insider access.
How ExpressVPN compares to alternatives
| Factor | ExpressVPN | NordVPN | ProtonVPN |
|---|---|---|---|
| No-logs audit | PwC (1) | Deloitte (6) | KPMG (2) |
| RAM-only servers | Yes | Yes | Partial |
| Jurisdiction | BVI | Panama | Switzerland |
| Corporate parent | Kape Technologies | Nord Security | Independent |
| Transparency score | 2/5 | 4/5 | 4/5 |
The transparency score reflects ownership disclosure and bug bounty programs. ExpressVPN scores lower because it has no bug bounty program and the Kape ownership adds opacity.
The bottom line assessment
ExpressVPN’s technical privacy infrastructure is solid: TrustedServer is a genuine implementation of RAM-only architecture, independently audited. The policy claims are specific and the audit supported them.
The concerns are structural rather than technical. Single audit by PwC versus NordVPN’s six consecutive audits by two firms. Kape ownership versus ProtonVPN’s independent Swiss structure. The UAE employee incident, while not evidencing a data breach, demonstrated insider risk that TrustedServer’s architecture mitigated but didn’t eliminate.
For users whose main concern is ISP tracking, streaming, and general privacy, ExpressVPN is a workable product. For users with higher privacy needs, NordVPN and ProtonVPN have more convincing audit track records and cleaner ownership structures.
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
ExpressVPN does not keep logs in a way that would identify users or their activity. TrustedServer is technically robust and audited. The privacy concerns are about corporate structure and audit frequency, not about the product catching you. At nearly double NordVPN's price, the value case is weak. But the privacy case is not disqualifying for most users.
The Turkey seizure: the involuntary test
ExpressVPN’s no-logs claim met its hardest test in 2017, when Turkish authorities investigating an assassination seized an ExpressVPN server outright. The investigation found nothing usable on the hardware: no connection logs, no activity records, nothing tying users to sessions. It remains one of the few cases anywhere of a no-logs policy surviving physical seizure rather than polite legal process, and it predates the TrustedServer RAM-only architecture that has since made the same outcome a matter of physics as well as policy.
Fold in the audit record (PwC and successors have repeatedly examined the logging environment) and the evidence file reads strongly: voluntary verification plus one involuntary, adversarial test passed. The asterisks an honest account keeps: audits are snapshots, the Kape ownership question is reputational rather than evidentiary, and BVI jurisdiction, while genuinely strong, lacks Switzerland’s explicit statutory VPN carve-out.
What ExpressVPN does collect, and the trust synthesis
The policy’s fine print is industry-standard: account email, payment data, aggregate bandwidth totals and app diagnostics (opt-out) live on the account side; what never gets written is the operational layer of browsing, connection timestamps, source IPs and DNS queries. TrustedServer’s RAM-only design wipes server state on every reboot, making retention a deliberate act the architecture resists.
Synthesis for a buyer: ExpressVPN’s logging trust sits in the industry’s top tier alongside NordVPN and Proton, with the Turkey precedent as its distinctive credential, and our table’s 3/5 no-logs score reflecting audit cadence rather than any incident; nothing in its history contradicts the policy. The product’s real debate, as our review covers, is price, not privacy.
How to weigh this against the alternatives
Buyers comparing logging trust across the majors can rank the evidence types: Proton and NordVPN lead on audit cadence (annual, recurring), PIA on court-tested proof inside US jurisdiction, ExpressVPN on the unique seizure precedent plus solid audits, Mullvad on architectural anonymity. Every one of these is a defensible top pick on logging grounds; the differences live in which evidence persuades you and in everything else around the logging question (price, streaming, jurisdiction texture).
That’s the honest landing spot: ExpressVPN belongs on any no-logs shortlist, the Turkey precedent is genuinely distinctive, and the reasons it isn’t our overall number one are commercial rather than trust-related, as the full review lays out.
(For the methodology behind these trust assessments across every provider we cover, the verification guide linked above walks the full evidence hierarchy: claims, audits, court tests, seizures, and what each can actually prove.)
The bottom-line answer to the title’s question, for skimmers landing here from search: no, the evidence says ExpressVPN does not keep activity logs, the claim has survived both auditors and a physical server seizure, and the residual uncertainties are the ones every provider carries. Buy or skip it on price and features; logging is not the worry here.
Keep reading: How to Verify a VPN’s No-Log Policy: What Actually Counts as Proof and ExpressVPN Review 2026: Fast and Polished, But Is It Worth the Price?.