Blog

Expanding Private Cloud Compute

Written by Apple Security Engineering and Architecture (SEAR), User Privacy, Core Operating Systems (Core OS), Services Engineering (ASE), and Machine Learning and AI (AIML)

Alongside the next generation of Apple Intelligence, today we’re expanding Private Cloud Compute (PCC) beyond Apple’s data centers. When Apple introduced Private Cloud Compute in 2024, we defined a new frontier for private AI inference, extending the security and privacy of Apple devices into the cloud for those AI workloads more complex than on-device models can handle. Now, we are collaborating with Google and NVIDIA to run new Apple Intelligence workloads on Google Cloud, extending our industry-leading PCC privacy commitments to third-party data centers for the first time.

This year, Apple collaborated with Google to leverage the technologies behind its Gemini family of models to build the next generation of Apple Foundation Models that power our Apple Intelligence features. These models span from on-device to the cloud. For the most demanding tasks, including agentic tool-use and complex reasoning, we worked with Google and NVIDIA to extend our PCC infrastructure to Google Cloud systems using NVIDIA GPUs, while maintaining Apple's powerful security and privacy protections.

Originally built exclusively on Apple silicon with our world-class software security technologies, PCC set a new bar for AI privacy in the cloud, and continues to power the most demanding Apple Intelligence features. Since then, the wider industry has been working to provide a set of confidential inference primitives that could theoretically be combined to reach the security level of PCC. However, until today, those primitives have never been integrated into a comprehensive, end-to-end confidential inference pipeline capable of operating at global scale. That’s what we’ve done with PCC on Google Cloud, which incorporates PCC’s exceptional security and privacy properties at every stage, including the industry’s most comprehensive transparency guarantees that allow external security researchers to verify our privacy commitments.

Our core PCC requirements remain exactly the same: stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency. What's new with PCC on Google Cloud is the implementation: NVIDIA Confidential Computing with NVIDIA GPUs, Intel CPUs with TDX, and Google's Titan chip. On this foundation, Apple and Google collaborated to build capabilities that go far beyond a traditional confidential computing deployment:

  • We do not rely solely on confidential computing technologies to mitigate attacks that leverage privileged access outside of a confidential VM, including side-channel attacks. We consider every component — from firmware through the host and guest OS stacks to application code — to be part of our trusted computing base, subject to our verifiable transparency and no-privileged-access guarantees.
  • To mitigate the risk of supply chain attacks, we maintain a cryptographically verifiable, append-only ledger of all Google Cloud hardware that is part of the PCC fleet. For components that could be abused to exfiltrate user data if compromised, our software attestation is rooted in at least two separate roots of trust from independent vendors.
  • Even when deployed with confidential computing, we believe the inference stack must be designed with privacy and security from the start. PCC on Google Cloud leverages many of the same architectural security patterns as PCC on Apple silicon to implement these layered protections: initial network data parsing for each request happens in a dedicated process within its own namespace, shared inference software is recycled with a short time-to-live duration, and attested keys are held in a separate, dedicated confidential VM isolated from external inputs.

Together, these capabilities help ensure that even outside of Apple's hardware and data centers, user data will continue to be protected by the full force of PCC's extraordinary security and privacy properties. Regardless of where the infrastructure is hosted, Apple retains complete control over PCC software; Apple devices will only trust PCC software that is cryptographically approved by Apple. PCC on Google Cloud will be gradually ramping towards the complete set of protections throughout the summer preview period.

As with PCC on Apple silicon, all binaries will be published for public inspection. We will provide public research tooling, and access to live PCC nodes in research mode through the Apple Security Bounty Program, maintaining the same depth of access for the security research community. We'll share more technical detail about PCC on Google Cloud at the Confidential Computing Summit later this month, and in an update to the PCC Security Guide and research program details launching later this year.