Full ISAE 3000 signed report by PwC regarding ExpressVPN's Privacy Policy

This full report is only available to download by existing customers on their account login area on ExpressVPN.com.
I have uploaded it to Dropbox, for anybody and everybody on Privacy Tools (and the public internet) to read, download, examine, etc.

Here is the full audit report done by PwC on ExpressVPN regarding their privacy policy:

PwC (PricewaterhouseCoopers AG) explain their initial situation and audit objectives, what ExpressVPN (owned by ‘ExpressVPN International Ltd.’) is responsible for, the PwC auditor’s responsibility, the specific audit procedures performed, the report’s inherent limitations, and PwC’s conclusion.

This report was signed by Christopher Oehri and Marco Schurtenberger of PricewaterhouseCoopers AG located in Zurich, Switzerland on June 19th, 2019.


I find this section of the report the most interesting:

Inherent limitations
Express VPN International Ltd. description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organization, although present, may not prevent or detect and correct all errors or omissions in the areas of a privacy VPN service. Also, the projection to future periods of any evaluation of the fairness of the presentation of the description, or opinion about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.

Furthermore, we have not assessed the following points, since these points were not in scope of our assurance engagement:

– security (confidentiality, integrity, and availability) of transferred data

– any elements of the ExpressVPN service which are not part of the description in section III


Any potential “loopholes”?

Do you think the inherent limitations of the report make this more just capitalist propaganda than assurance of anything?

Could it be probable for ExpressVPN to pay big money to get PwC to lie on this report, cards under the table style?

What do you all think of this report?

In your other thread you mention that none of the apps are open source, and now here you are mentioning that this audit is only available for existing customers. Your quote from the report makes it clear that the security of transferred data was not even included in the audit.

Isn’t it the entire purpose of a VPN to transfer data in a secure way? Why would they go through the trouble of having their own product audited and not look at that? Why not even make it public?
