Progress update on Project Clover
By Theo Bertram, Vice-President Public Policy Europe
Date: September 5, 2023
Today we are sharing an update on Project Clover, our programme to build a specially-reinforced protective environment around our European* user data.
Data Storage
We’ve committed to storing our European user data locally by default, by establishing three new data centres in Europe. Our first data centre in Dublin, Ireland, is now operational and migration of European user data to the centre has begun. The other two data centres in Norway and Ireland are under construction.
Third-Party Oversight
We have engaged a third-party European security company to independently audit our data controls and protections, monitor data flows, provide independent verification, and report any incidents. We are pleased to announce that NCC Group will conduct this oversight of our data security measures.
NCC Group is a globally respected, long-standing cybersecurity company with offices across Europe, including Germany, Portugal, the Netherlands, Spain, Denmark and the UK. Teams from several European offices and the UK will work on this programme. The NCC Group is TIBER-EU accredited and a UK National Cyber Security Centre (NCSC) approved CHECK company.
Enhanced Data Controls
As the independent security provider, NCC Group will monitor data coming in and out of the secure environment to independently validate that only approved employees can access limited data types. NCC Group will perform ongoing security assessments of the new security gateways we are building around European user data, the TikTok app, our data centres, and other TikTok infrastructure.
NCC Group will also serve as a managed security services provider for our security gateways, performing real-time monitoring to identify and respond to any suspicious or anomalous access attempts and provide assurance on the integrity of the enhanced security controls operations. They will validate that network traffic of TikTok’s European user data must pass through the security gateways.
All of these controls and operations are designed to ensure that the data of our European users is safeguarded in a specially-designed protective environment, and can only be accessed by approved employees subject to strict independent oversight and verification.
In the coming months, TikTok and NCC Group will engage with policymakers across Europe to explain how this comprehensive system will work in practice.
Stephen Bailey, Global Director of Privacy at NCC Group, said: “We’re proud that TikTok has recognised NCC’s cyber security track record and expertise and chosen us as the independent third-party security provider on this project. Our objective scrutiny, monitoring and assurance means platform users in Europe and the UK can have confidence in the enhanced data security standards that TikTok is setting, which go above and beyond European regulatory requirements.”
*‘European’ refers to EEA countries, the UK and Switzerland