Today we can share another update on Project Clover, our industry-leading initiative to provide even greater data security for our 150 million-plus European* community.

Additional protections for our users' data

As part of our industry leading initiative Project Clover, TikTok has been building additional protections around our European user data that incorporate security gateways to further restrict access. We can now announce that the gateways that relate to employee access to data and data transmission have been launched and are functioning.

These gateways are designed to enforce technical protocols so that only approved employees can access certain data types. Since last summer, for example, new security protocols have been in place designed to ensure that restricted data stored in our new European data enclave, such as private videos and phone numbers, cannot be accessed by employees based in China.

These gateways also govern access to allowable data. TikTok, like other companies in the tech sector and many other industries, from health to automotive, employs people around the world who may need access to certain data do their jobs. We are also applying technologies such as pseudonymisation to de-identify allowable data types before they can be accessed by China-based employees. This is data, such as public videos or a user's privacy settings, that needs to flow internationally for our app to function and for our 150 million European users to participate in the global TikTok community.

Our third-party independent security provider, leading cybersecurity firm NCC Group, has inspected the code for these gateways and will also inspect any code updates over time.

This builds on the extensive existing measures that were already in place to protect data. Staff can only request access to data if they have a demonstrable need to do their jobs and under the principle of least privilege, in line with others in the industry. Access is subject to strict, multi-step approval and authentication protocols, granted on a case-by-case basis, and managed by our Global Security Organization based in Europe, the US and Singapore.


New data enclave

We are investing in three new data centres in Europe, where European TikTok user data will be stored by default. We've already migrated user data to our first data centre in Ireland, and our second data centre in Norway will come online later this year.

While we anticipate all three data centres will be operational by next year, and that the process of data migration will be ongoing throughout this period and beyond, we are not waiting to implement the enhanced data security controls that are part of the Clover solution. We have already started storing European user data by default in a designated secure environment known as the European enclave. This 'enclave' includes data from our existing data centre in Ireland and designated data centres in the US on an interim basis, both of which have been inspected by NCC Group. Restricted data stored in the European enclave cannot be accessed by China-based employees.


Security testing

NCC Group has now performed initial assessments and vulnerability testing of the developing Project Clover security architecture. This early testing allows potential issues to be identified and resolved in line with recommendations from NCC Group as we continue to implement Project Clover.

During this reporting period, NCC Group encountered no incidents and found no critical vulnerabilities. A summary of their findings can be found in our quarterly Community Enforcement Guidelines Report.

NCC Group will continue these security assessments on an ongoing basis.


Ongoing investment in industry-leading data security

TikTok has committed significant resources and investment in implementing this groundbreaking project and will make further announcements on progress over the coming year, including on adding advanced Privacy Enhancing Technologies into these already robust procedures. Taken together, the measures being put in place under Project Clover will mean our 150 million-strong European community are protected by industry-leading data security.


*‘European’ refers to EEA countries, the UK and Switzerland