As we announced in May, we recently stood up a new division called U.S. Data Security (USDS) to bring heightened focus and governance to our ongoing efforts to strengthen our data protection policies and protocols, further protect our users, and build confidence in our systems and controls in the United States. The creation of USDS was an important milestone in the goals we laid out in a blog post two years ago: minimizing employee access to U.S. user data and minimizing data transfers across regions – including to China.
As a rule, security teams want to minimize the number of people who have access to data and limit it only to people who need that access in order to do their jobs. We have policies and procedures that limit internal access to user data by our employees, wherever they’re based, based on need. Like many global companies, TikTok has engineering teams around the world—including in Mountain View, London, Dublin, Singapore, and China—and those teams might need access to data for engineering functions that are specifically tied to their roles. That access is subject to a series of robust controls, safeguards like encryption for certain data, and authorization approval protocols overseen by our U.S.-based security team. To facilitate those approvals, we also have an internal data classification system; the level of approval required for access is based on the sensitivity of the data according to the classification system. The intention of these processes and protocols is to ensure that the data is only accessed by those that need it to allow our business and our service to function.