By Michael Beckerman, Vice President, Head of Public Policy, Americas

The security of the data our community entrusts us with is a top priority at TikTok, despite recent reports questioning that commitment. We have sent a letter to Congress addressing these issues and others, and also want to share with our community the steps we take to secure our U.S. user data as well as where we're headed in our commitment to keeping U.S. user data safe, private, and secure.

As we announced in May, we recently stood up a new division called U.S. Data Security (USDS) to bring heightened focus and governance to our ongoing efforts to strengthen our data protection policies and protocols, further protect our users, and build confidence in our systems and controls in the United States.

The creation of USDS was an important milestone in the goals we laid out in a blog post two years ago: minimizing employee access to U.S. user data and minimizing data transfers across regions – including to China. We are addressing who has access (and why they need it) and where those people are as two critical parts of our security protocols.


Who has access and why they need it

As a rule, security teams want to minimize the number of people who have access to data and limit it to those who need that access in order to do their jobs. We have policies and procedures that limit our employees' internal access to user data to what their roles require, wherever they are located. Like many global companies, TikTok has engineering teams around the world—including in Mountain View, London, Dublin, Singapore, and China—and those teams might need access to data for engineering functions that are specifically tied to their roles. That access is subject to a series of robust controls, safeguards like encryption for certain data, and authorization approval protocols overseen by our U.S.-based security team. To facilitate those approvals, we also have an internal data classification system; the level of approval required for access is based on the sensitivity of the data according to that classification. The intention of these processes and protocols is to ensure that data is only accessed by those who need it for our business and our service to function.


Where people with access are located

To the extent possible for a global company, we want to limit not just who accesses data, but also where data is accessed from. That's why, in addition to routing all U.S. traffic through Oracle Cloud Infrastructure, we are also working to build up our U.S.-based engineering capacity to reduce the need for data transfers across regions. As we recently shared with members of Congress, we are working toward a new system in which access to U.S. user data by anyone outside of USDS will be limited by, and subject to, robust data access protocols with monitoring and oversight mechanisms by Oracle.


Managing cyber threats

In addition to our U.S.-specific work, our global security team is constantly working to stay ahead of next-generation cyber threats. We continually work to validate our security standards and collaborate with industry-leading experts to test our defenses. In the past year, we've earned ISO 27001 certifications in the U.S., UK, Ireland, Singapore, and India, recognizing our investment in the people, processes, and technology that keep our community safe. The ioXt Alliance also certified TikTok for meeting rigorous standards and commitments to cybersecurity, transparency, and privacy.

We're dedicated to earning and maintaining the trust of our global community, and we will remain focused on protecting our platform and providing a safe, welcoming, and enjoyable experience.