It takes many people, working across many systems, to produce and maintain an ExpressVPN app. To do it safely, ExpressVPN has to make sure everyone involved is properly vetted, set up, and trained. But that’s not enough.

That’s why ExpressVPN has implemented a rigorous build verification procedure, which ensures that no third parties are able to make unauthorized modifications to their software, including the injection of malware.

Minimizing The Risk Of Contamination

In recent years, major technology companies, including PC makers, have released software and hardware to customers that had been infected with malicious code at some point during development or distribution.

With that in mind, ExpressVPN has developed a verification system that sharply reduces the risk that a compromised individual or machine could lead to malware being inadvertently distributed to its customers.

That means you can use ExpressVPN apps confident that they don’t contain any unauthorized or malicious code.

A few of the policies and procedures they have implemented:

  • The use of PGP encryption keys issued by ExpressVPN for all source code changes
  • The requirement that all code changes be approved by an authorized person different from the individual who made the change
  • Automated audits of changes, with alerts for unexpected changes, which are followed up in person
  • The use of only the automated build environments CircleCI and Azure DevOps for the production of binaries distributed to customers

ExpressVPN's Verification Processes Have Been Subject To An Assurance Engagement By PwC Switzerland

To validate these safeguards, PwC Switzerland conducted an independent assurance engagement that examined the policies and controls they have in place to distribute apps that are free of unauthorized modifications. The practitioners performed their assurance work by accessing ExpressVPN source code, servers, documentation, and people at one point in time in May 2020.

The independent assurance report is available to customers. In line with PwC Switzerland’s standards for such reports, those seeking to view the report must acknowledge the firm’s terms and conditions before accessing it. Customers can do so by logging in via this link.