ExpressVPN’s Private AI Is Built on Secure Enclaves. Here’s What That Means for Your Chats
Private AI is the big promise behind ExpressVPN’s new ExpressAI platform, and the main idea is simple: your chats should stay yours. ExpressVPN says its system is built so your messages are processed inside a secure enclave, which means your chat data is isolated at the hardware level, not just protected by a normal privacy policy. This is what makes your chats, files, and saved history different from the usual AI setup.
If you use AI for work notes, drafts, coding help, or personal questions, that matters a lot. Most people do not want their prompts logged, reviewed by humans, or reused for model training. I think that concern is pretty reasonable. AI is useful, but people share more with chatbots than they often realize.
What ExpressVPN Private AI actually promises
ExpressVPN is calling its platform ExpressAI, a browser-based AI tool that gives you one interface for multiple models plus built-in web search. The privacy pitch comes down to three claims:
- Zero training: your prompts, chats, and files are not used to train models
- Zero access: ExpressVPN says it cannot access your conversations
- Zero compromise: you still get multiple models in one place
At launch, ExpressAI includes five models:
- GPT OSS 120B for writing, summaries, and general Q&A
- DeepSeek R1 Distill 32B for reasoning and analysis
- Qwen2.5-VL 32B for images, charts, and document reading
- Qwen3.5 35B-A3B for coding, long tasks, and multilingual work
- Nemotron 12B for math, code, and technical tasks
You can also compare the same prompt across several models side by side. Each model request uses one credit, and ExpressVPN Pro users get 500 daily credits, 2GB of secure storage, and a 50MB per-file upload limit.
What a secure enclave means in plain English
This is the part that sounds technical, but the basic idea is not hard.
A secure enclave is a protected area inside a computing environment where data can be decrypted and processed without exposing it to the surrounding system. In ExpressVPN’s description, your messages are handled inside a confidential computing environment that is cryptographically isolated from the rest of the infrastructure.
Think of it like this:
- A normal AI service is more like talking in an office with tinted windows. People say the room is private, but the building owner still controls the building.
- A secure enclave is more like talking inside a locked room that even the building owner cannot open because the key is created inside the room itself.
That last part matters. ExpressVPN says the encryption keys are generated inside the hardware, which helps create the isolation. So when your message enters the system, it is not just hidden by policy. It is protected by the design of the hardware-backed environment.
Why this matters for your messages and your chats
A lot of AI privacy concerns come from one question: who can see your data while it is being processed?
With many AI tools, your prompts may be stored on servers, reviewed for safety or quality, or reused to improve models. Even when companies offer controls, you are still trusting their internal access rules.
ExpressVPN’s claim is stronger than that. It says access to your data is not managed, monitored, or reviewed because it is not possible in the first place. The company also says there is no human review of your chats.
If this works as described, that changes the trust model:
- You do not need to trust that employees will behave well
- You do not need to trust that a provider will keep changing settings in your favor
- You rely more on security architecture than on promises alone
That is the real appeal of secure enclaves. They reduce the number of people and systems that could ever see your data.
How ExpressAI protects saved chat history
Live chat privacy is one thing. Stored history is another.
ExpressVPN says conversation history uses zero-access encryption, which means only you can decrypt it. If you want to keep old chats, they are protected behind user-controlled encryption. Uploaded files and images follow the same model.
There are two useful controls here:
- Encrypted vault: your past chats stay locked so only you can open them
- Ghost Mode: chats disappear automatically after use
That second feature is easy to understand and honestly one of the most practical parts of the product. Sometimes you do not want a long record of a sensitive question sitting around, even if it is encrypted.
What “zero training” means here
ExpressVPN says your chats, prompts, and files are not fed back into model training. That matters because a lot of people worry that private details shared with a chatbot could later influence future models.
For example, if you upload:
- a client draft
- a tax-related question
- a contract screenshot
- meeting notes with names and numbers
ExpressVPN says that content is not used to improve the underlying AI models. That is a major part of the platform’s private-by-design pitch.
ExpressVPN says even it cannot access your chat
One of the strongest claims around ExpressAI comes from ExpressVPN leadership: even we can’t access it.
That line sounds bold, but it matches the product’s core architecture. If chats are processed inside secure enclaves and saved using zero-access encryption, then the company itself should not be able to read them in plain text.
That is different from a service saying, “We could access your data, but we choose not to.” This is closer to, “The system is built so we cannot.”
That distinction is why the enclave design is the story here.
Independent audit: why Cure53 matters
ExpressVPN says ExpressAI was independently audited by Cure53 in February and March 2026.
According to the company’s summary, the audit included:
- penetration testing
- source code audit
- review of frontend and backend components
- checks on cryptography, key management, and infrastructure
ExpressVPN also says all identified vulnerabilities were fixed before launch, and that Cure53 concluded the system met its stated privacy goals through confidential computing enclaves and cryptographically isolated processing contexts.
No audit makes any product perfect. Still, an outside review is far better than asking users to accept a privacy claim on faith.
Availability and rollout in 2026
ExpressAI started rolling out on March 31, 2026 and is available first to new and existing ExpressVPN Pro users through a web app.
So yes, there is a catch. Not everyone gets it right away. If you are on another tier, availability may be limited.
Is this better than a normal AI chatbot?
If your top priority is privacy, it could be.
A standard AI chatbot may still be fine for casual tasks like brainstorming vacation ideas or rewriting a social caption. But if you are using AI for:
- work documents
- legal or finance questions
- health-related notes
- coding projects
- images or files with sensitive details
then the way the system handles your data matters as much as the answer quality.
ExpressAI is not really trying to win on flashy AI branding. It is trying to win on security, privacy, and control over your messages.
What to keep in mind before you use it
Even with a private-by-design setup, you should still use basic common sense.
- Do not upload anything you are not allowed to share
- Double-check AI answers before acting on them
- Use Ghost Mode when you do not need history
- Protect your password if you store encrypted chat history
- Remember that privacy and accuracy are two different things
That last point is important. A secure system can still return a bad answer. Privacy protects your data, not the quality of the model output.
Final take
ExpressVPN’s Private AI pitch is built around a smart idea: protect the chat at the system level, not just with a promise in the settings page.
If the platform works as described, secure enclaves give you a clearer privacy boundary than the usual AI model. Your conversations are processed in an isolated environment, your saved data is protected with zero-access encryption, and your prompts are not used for training. Add Ghost Mode and an independent Cure53 audit, and ExpressAI looks like a serious attempt to make private AI chats feel less contradictory.
In short, this is what secure enclaves mean for your chats: fewer eyes, less exposure, and a much stronger claim that your conversation is actually your own.
FAQ
Is ExpressVPN still trustworthy?
ExpressVPN is still widely seen as a trustworthy VPN provider because of its focus on privacy, speed, and reliability. It has a no-logs policy that has been audited by independent firms, and with ExpressAI, it is extending that privacy-first approach into AI. As always, trust should come from both company history and technical design, which is why audits and secure enclave architecture matter.
Is ExpressVPN owned by China?
No. Since September 2021, ExpressVPN has been managed by Kape Technologies, which is owned by Israeli businessman Teddy Sagi. Express Technologies Ltd. is based in the British Virgin Islands, and the service has also operated from Hong Kong. That does not make it a Chinese-owned company.
Can I be tracked with ExpressVPN?
ExpressVPN says it does not keep logs of your online activity or personal data such as browsing history, traffic destination, DNS queries, or assigned IP addresses. In the context of ExpressAI, the company also says your chats are processed in secure enclaves and are not available to ExpressVPN or model providers.
What is the downside of ExpressVPN?
The usual downside is price. ExpressVPN often costs more than some rivals, and other VPN services may bundle more tools for less money. With ExpressAI specifically, another limitation is access. At launch, it is limited to ExpressVPN Pro users, so not everyone can try it right away.
