Apple extends Private Cloud Compute to third-party data centers
Apple is bringing its Private Cloud Compute (PCC) platform to Google Cloud, expanding the infrastructure behind Apple Intelligence to third-party data centers.
Introduced in 2024, PCC provides cloud-based processing for AI workloads that exceed the capabilities of on-device models while maintaining Apple’s security and privacy guarantees. The system was originally built on Apple silicon and operated exclusively within Apple’s infrastructure.
Building on confidential computing
The expansion leaves PCC’s core security model unchanged. The system is built around stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency.
To support new Apple Intelligence workloads, Apple collaborated with Google and NVIDIA to extend PCC’s security and privacy guarantees to Google Cloud infrastructure and NVIDIA GPUs. NVIDIA Confidential Computing, Intel CPUs with TDX, NVIDIA GPUs, and Google’s Titan chip provide the foundation for security and privacy capabilities built on top of confidential computing technologies.
Transparency and verification
The company treats the entire computing stack, from firmware and hardware to host and guest operating systems and application code, as part of the trusted computing base, subject to verifiable transparency and no-privileged-access guarantees.
To reduce supply chain risks, Apple maintains a cryptographically verifiable, append-only ledger of all Google Cloud hardware that is part of the PCC fleet. For software attestation, components that could be exploited to exfiltrate user data rely on at least two separate roots of trust from independent vendors.
PCC on Google Cloud incorporates several security mechanisms already used in PCC on Apple silicon. Initial network data parsing for each request takes place in a dedicated process within its own namespace. Shared inference software is recycled with a short time-to-live, and attested keys are stored in a separate confidential virtual machine isolated from external inputs.
“Together, these capabilities help ensure that even outside of Apple’s hardware and data centers, user data will continue to be protected by the full force of PCC’s extraordinary security and privacy properties,” the company said.
Apple retains complete control over PCC software regardless of where it runs, as Apple devices trust only software that has been cryptographically approved by the company.
PCC on Google Cloud will gradually gain its complete set of protections throughout the summer preview period.
Apple will publish all PCC binaries for public inspection. The company will also provide research tools and access to live PCC nodes operating in research mode through the Apple Security Bounty program.