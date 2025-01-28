NCC Group, a people-powered, tech-enabled global cybersecurity business, has signed a three-year contract with TikTok to extend and enhance its role as an independent security provider to Project Clover—a comprehensive program delivering enhanced and innovative data security measures and standards for TikTok’s European users' data.

Three-year contract signed following a highly successful first year of delivery on Project Clover, TikTok’s European enhanced data security program—protecting 175 million TikTok users across the European Economic Area, Switzerland, and the United Kingdom.

Project Clover sees TikTok investing €12 billion in European data security over ten years, setting a ‘gold standard’ for data security and going above and beyond regulatory requirements and the measures of industry peers.

‘Gold standard’ measures pave the way for industry and peers to follow Project Clover’s lead and increase European data security measures across the continent.

Over the next three years, NCC Group will continue to assure, monitor, and enhance the privacy and security of TikTok’s European user data.

NCC Group is testing TikTok’s cutting-edge solutions to protect TikTok’s users, including advanced Privacy Enhancing Technologies (PETs).

Stephen Bailey, Global Director of Privacy, NCC Group, commented: “Project Clover is setting a new gold standard for data privacy and security. The innovative work that NCC Group is delivering today will form a blueprint for industry peers and regulators for years to come. Rarely does a company of TikTok’s scale hand this level of responsibility, access, and independence to a third-party security provider. As we look forward to the next three years delivering on Project Clover, we will continue to deploy cutting-edge solutions, engage with authorities, and set an example that will enhance data security for Europeans—not only through TikTok but across the industry.”

Mike Maddison, Chief Executive Officer, NCC Group, said: “Project Clover is an outstanding example of NCC Group delivering ground-breaking cybersecurity on the global stage, reflected in TikTok’s commitment to extending our role for a further three years. Project Clover is NCC Group at its best, collaborating across capabilities, innovating technical solutions to complex challenges, engaging with authorities, and delivering gold standard work for our clients that makes their customers more secure than ever before.”

Christine Grahn, Head of Public Policy for Europe at TikTok, added, “NCC Group provides an unprecedented level of transparency and independent oversight across our European data security. We are delighted with the rapid progress already made, including NCC Group now continuously monitoring the additional security gateways around our European user data, and look forward to continuing to work with them in setting new industry standards for data security over the next three years.”

What is Project Clover?

Project Clover is an initiative that delivers enhanced and innovative data security measures and protections for TikTok’s European users' data.

Project Clover represents a €12 billion investment in European data security from TikTok over ten years. The project provides European users assurance and confidence that their data is being kept safe and secure.

Project Clover is made up of several core tenets, including storing European user data in a dedicated secure enclave by default; putting additional safeguards and restrictions around that data, building on TikTok’s existing controls; having a third-party security company independently monitor and verify these safeguards; and building advanced privacy-enhancing technologies into these already robust procedures.

What is NCC Group’s role?

NCC Group is acting as a third-party security provider to independently audit TikTok’s data controls and safeguards, monitor data flows, provide independent verification of security protocols, and report any incidents.

To deliver this ground-breaking project, NCC Group colleagues are collaborating across different capability areas, including cybersecurity, data and physical security, and privacy-enhancing technologies. This pan-European project is bringing together colleagues from The Netherlands, Spain, and the United Kingdom to collaborate, innovate, and create value.

NCC Group’s role on Project Clover includes advisory activities as well as extensive assessment and assurance work. Assuring the code that makes up the security gateways protecting user data in the European Enclave, the cloud environments that house those gateways, and mechanisms used by TikTok’s engineers to maintain their infrastructure. NCC Group regularly assesses the main application and mobile applications, including a data collection assessment to understand what user data is actually collected.

NCC Group’s Managed Service team on Project Clover is going beyond a typical security operations center and has established an event monitoring center. This capability reviews the activities of authorized TikTok personnel to ensure that they are not doing anything that goes against the spirit of Project Clover.

As TikTok's Community Guidelines Enforcement Report (Platform Security report) published in September 2024 shows, NCC Group identifies areas for improvement, and TikTok acts on remediating them in line with NCC Group’s recommendations and within agreed timeframes.

How does Project Clover set a new standard for data security?

Project Clover presents a combination of data protection measures. NCC Group enforces the following measures:

Ensures EEA/UK/Swiss data is stored in a dedicated European data enclave by default.

Enforces access controls through a technical barrier that restricts access to European user data.

Controls the types of data that can be transmitted out of the European Enclave.

Provides oversight of employee access to European user data.

Determines whether TikTok collects the data that it says it collects in its Privacy Policy.

Continuously assess the robustness of privacy-enhancing technologies used to de-identify European user data.

Monitors and validates every code update of the Security Gateway that controls employee access to European user data.

Speaks to data protection authorities, cybersecurity authorities, and other government agencies without TikTok’s knowledge or presence.

How will Project Clover develop over the next three years?

This further three-year commitment enables NCC Group to not only continue the work the team is delivering but also to expand and prove the effectiveness of cutting-edge technical solutions. Project Clover presents an opportunity to deploy the very latest technologies and techniques with an unparalleled level of access and independence to operate.

NCC Group is testing the pioneering Privacy Enhancing Technologies (PETs) that are being introduced at scale on Project Clover. PETs provide enhanced protection to user data, balancing privacy risk with utility. To deploy PETs, NCC Group is analyzing the underlying code base, providing recommendations on how to improve it, and delivering assurance testing to ensure that the output created via the PETs is as intended.

Project Clover empowers NCC Group to go above and beyond the industry standard and poses challenges that require innovative solutions to deliver cutting-edge protections. The next three years provide a significant horizon for NCC Group to develop, test, and prove new measures to ensure that European user data is protected far beyond regulatory and industry standards.

What does this mean for TikTok’s 175 million users in Europe and the UK?

Project Clover creates an enhanced security environment for TikTok’s European users’ data, which far exceeds the norms of both peer and regulatory security regimes. Over the next three years, NCC Group will continue to audit, protect, and enhance the privacy and security of user data.

NCC Group is engaging proactively with data protection authorities, cybersecurity authorities, and other government agencies (both with and without TikTok’s presence and direct knowledge) to increase understanding of the work of Project Clover. Through this interaction with authorities across Europe and by setting a gold standard for industry peers, Europeans are set to gain from these cutting-edge measures being adopted more widely across Europe.