British Virgin Islands-based virtual private network firm ExpressVPN has flagged the completion of 27 independent security audits, bringing in Berlin-headquartered cybersecurity specialist Cure53 to validate two of its newest privacy tools: ExpressMailGuard and Identity Defender.

ExpressVPN said the milestone underscored its belief that privacy cannot simply be promised but must be enforced by architecture and verified by independent experts.

The company classed Cure53 as a key cybersecurity specialist, noting its rigorous white-box penetration testing, and conducting of comprehensive source-code reviews and infrastructure assessments of both products.

“Security audits are not a checkbox exercise for us,” said Aaron Engel, CSO at ExpressVPN. “Every product we build that touches user data gets handed to independent researchers whose job is to break it. Twenty-seven audits later, we remain committed to the same standard: trust must be earned, not assumed.”

ExpressMailGuard allows users to generate unlimited anonymous email aliases, breaking the link between their real inbox and the services they sign up for. Specifically, Cure53’s audit focused on the secure relay layer: verifying that the system strips identifying metadata, routes messages through aliases, and deletes delivered messages from ExpressVPN’s servers, ensuring the relay cannot be used to build user profiles or retain communication archives.

Identity Defender, available as a standalone app for U.S. users, actively monitors public records, home and auto titles, court records, changes to financial records that may indicate fraud, and dark web data for early signs of identity theft. It also includes an automated data-removal tool that continuously scrubs personal information from data-broker sites. Cure53 stress-tested the backend infrastructure powering these monitoring services, validating that sensitive personally identifiable information (PII) remains isolated and protected against unauthorised access.