It's been one year since leading cybersecurity firm NCC Group took on the unprecedented role of independent security provider for our European data security initiative Project Clover.

We are set to invest more than 12 billion euros in this industry-leading programme over the next decade, an unprecedented commitment to safeguarding the user data of our 150-million strong European community.

NCC Group's role is to independently oversee, check, and verify our data controls and protections, monitor data flows, provide independent verification and report any anomalies, a level of transparency and oversight unmatched amongst online platforms.


Additional protections for our European user data

TikTok already had strict security protocols in place before Project Clover that ensured employees could only access data they need to do their jobs, under strict conditions and for a limited time.

As part of Project Clover, TikTok has launched additional protections around our European user data that incorporate security gateways designed to enforce technical protocols so that only approved employees can access certain data types. Since last summer, security mechanisms have been in place designed to ensure that restricted data - such as email and IP addresses - stored in our European data enclave cannot be accessed by employees based in China. NCC Group has been substantially involved in the development of these security gateways, including reviewing data set rules and inspecting the code for the gateways, and they will inspect any code updates over time. They have begun monitoring data flows across the security gateways protecting our European user data and will shortly commence continuous monitoring of them.


Security testing

NCC Group has performed initial assessments and vulnerability testing of the developing Project Clover security architecture. This testing allows potential issues to be identified and resolved in line with recommendations from NCC Group as we continue to implement Project Clover. During this reporting period, NCC Group encountered no incidents and found no critical vulnerabilities. A summary of their findings can be found in our quarterly Community Enforcement Guidelines Report. NCC Group will continue these security assessments on an ongoing basis.


European data enclave

We have started storing European user data by default in a designated secure environment known as the European enclave. This is currently hosted on servers in US, Irish and Norwegian data centres. NCC Group has completed physical inspections of our Project Clover US and Ireland data centre.


Privacy-Enhancing Technologies

TikTok is also working with NCC Group to build privacy-enhancing technologies (PETs) into these already robust procedures. This includes pseudonymisation of allowable data that may need to flow globally, so that an individual cannot be identified from that data, aggregation of individual data points into large data sets and differential privacy to prevent linking of relevant information to particular individuals. NCC Group will perform continuous validation of the efficacy of our PETs as they continue to be implemented.


Stephen Bailey, Global Director of Privacy at NCC Group, said:

"On Project Clover, we have a phenomenal network of colleagues from our cyber security, data protection and physical security teams from across Europe all coming together to collaborate on this high profile and complex programme.

The sheer scale and scope of this programme, and the extent of oversight we have into TikTok's systems, is something that is genuinely unprecedented and we look forward to continuing to play our part in delivering the enhanced data security standards that TikTok is setting."