TikTok’s mission is to inspire creativity and bring joy. With more than a billion people using our platform to discover content and share their voice each month, it’s our responsibility to ensure the safety, privacy, and security of our community. TikTok faces a high level of scrutiny as a result of our parent company’s Chinese heritage, and that scrutiny requires a unique level of transparency—and accountability. In that spirit, we are sharing details about how we’re meeting this commitment and working to address U.S. national security concerns through an initiative called Project Texas.
Put simply, Project Texas is an unprecedented initiative dedicated to making every American on TikTok feel safe, with confidence that their data is secure and the platform is free from outside influence. We’ve spent the last two years developing a framework through discussions with the Committee on Foreign Investment in the United States (CFIUS), and we’ve spent roughly $1.5 billion to date on implementation. Project Texas puts the concepts of transparency and accountability into action by addressing national security concerns head-on with concrete, measurable solutions.
The framework has five key pillars:
Independent Governance
Data Protection and Access Control
Technology Assurance
Content Assurance
Monitoring and Compliance
This approach will allow us to comprehensively address concerns that have been raised in the U.S. about TikTok, while also allowing us to continue to offer a globally interoperable service. We have already proactively implemented substantial portions of this framework, and we look forward to continuing our work to further ensure peace of mind for our community and our stakeholders.
Pillar 1: Independent Governance
TikTok’s parent company ByteDance was founded by Chinese entrepreneurs. Today, ByteDance is a private, global company, with roughly 60 percent owned by global institutional investors, 20 percent owned by the company’s founders, and 20 percent owned by its employees—including thousands of Americans. It is not owned or controlled by any government or state entity.
That said, it’s important to address concerns over our corporate governance structure, particularly concerns about foreign control. That is why we have created a new special purpose subsidiary called TikTok U.S. Data Security (USDS). USDS will be an entirely independent business entity tasked with managing all business functions that require access to user data identified by the U.S. government as needing additional protection and safeguarding the systems that deliver content on the app in the U.S. to ensure that it is free from foreign manipulation.
The USDS team is currently led by Interim General Manager Andy Bonillo and Interim Security Officer Will Farrell—both of whom have significant experience working with the U.S. government in the national and cyber security spaces.
In addition, under the current proposed agreement, all employees of USDS would be vetted per hiring requirements more typical of the defense industry than a social media or entertainment platform. TikTok USDS will be overseen by an independent board of directors, each with strong backgrounds in U.S. national security and highly respected in their field. USDS leaders will report directly to this board, and there will be no reporting lines outside of it. USDS will exist to operate the parts of the TikTok business in the United States that are relevant to the national security concerns identified by the U.S. government.
🔹 Key takeaway: All access to protected U.S. user data and the systems that power TikTok in the U.S. will be monitored and tightly controlled by TikTok USDS. USDS leaders and employees will report to an independent board, not to TikTok or ByteDance executives. This structure is designed to insulate USDS and its employees from any outside pressure to grant unauthorized access to user data or systems.
Pillar 2: Data Protection and Access Control
TikTok is a global platform, so it’s critical that our efforts to add additional safeguards to U.S. user data and systems don’t interfere with that global experience. To address this challenge, we’ve created a stand-alone version of the TikTok platform for the U.S. that is isolated inside servers in Oracle’s U.S. cloud environment but can communicate with the global TikTok service in controlled and monitored ways.
This U.S. version of the service contains content our U.S. users create, and our recommendation algorithm, advertising engines, e-commerce information, user data, and content moderation systems. This solution keeps U.S. user data safe, while also allowing public data—like your videos or your publicly available profile information—to be seen around the world. This system currently handles 100% of U.S. user traffic.
The TikTok service in the protected environment is surrounded by gateways. No data goes in or out of the U.S. TikTok platform without going through gateways that will be controlled by an American-based trusted technology provider (the TTP) and monitored by both the TTP and USDS. In addition to public data, some other limited data, like business metrics, will be able to leave the system. There are also limited exceptions that will allow us to address emergency situations where time is of the essence, across time zones and borders, in order to protect public safety. All of these limited exceptions are specified in our current proposed agreement with the U.S. government, but we are not waiting on an agreement to restrict which data leaves the secure environment.
🔹 Key takeaway: We have replicated the TikTok service inside a tightly controlled and heavily monitored environment so that all access to protected U.S. user data is controlled by TikTok USDS, which will be overseen by an independent board. Any access outside of USDS (such as for business metrics or public safety) will be monitored by an outside trusted technology partner to ensure compliance.
Pillar 3: Technology Assurance
To guarantee that there is no unauthorized access to our systems—no backdoors or data leakage—every single line of source code that goes into the protected environment, whether it comes from TikTok, ByteDance, open source, or third-party, will be inspected and tested. This includes any updates to the code on an ongoing basis. The TTP and a third-party source code inspector will work to ensure that everything is performing as intended, and only validated code will be able to operate in the secure environment; if the source code does not pass inspection, it can’t run.
The TTP and third-party inspector will use dynamic testing, static testing, and manual review. Nothing is allowed in the secure environment unless it has been approved. For the mobile app, the TTP will review the app source code, compile the app, and deliver it directly to the app stores—a first-of-its-kind arrangement to maintain the chain of custody. The app delivered to the app stores will only be able to communicate with approved systems to operate the application.
🔹 Key takeaway: With multiple layers of third-party, independent review of U.S. source code and mechanisms in place to ensure that only validated code can operate, we can ensure that there is no backdoor access to data or systems.
Pillar 4: Content Assurance
We want people to be certain that the content they see on TikTok is free from any government manipulation or influence.
Our content recommendation system is based on content-neutral signals from users, including what videos they have liked, shared, watched to the end, and more; the subject of the video is not taken into account. The TTP will inspect and test the algorithm code and the trained model in the secure cloud environment to ensure it is not recommending content that isn’t indicated by a user’s behavior.
Our content moderation systems and processes—both machine and human—will also be subject to outside review, to ensure that moderation is taking place only in accordance with our published Community Guidelines. For example, human-reviewed decisions can be audited, and the machine-based processes that look for content violations when a video is uploaded will be reviewed and tested to ensure that they aren’t also removing content based on any other factor, such as removing content critical of the Chinese government.
There are times when TikTok might promote particular content—such as boosting videos of a World Cup goal or calling attention to a high-profile creator like the Rolling Stones joining the platform—and there are times when we might filter certain content to improve user experience (like preventing multiple videos with the same audio from appearing in a row). USDS will implement these rules, and the TTP will have full visibility, guaranteeing that there are no unexpected changes to our system. All promotion decisions will be transparent and auditable to the third-party monitors and our U.S. Content Advisory Council.
🔹 Key takeaway: The processes that determine what people see or don’t see on TikTok will be continuously reviewed, tested, and monitored by third parties to ensure that they are free from any foreign or outside influence. Any changes to these systems will be triple-tested and validated by USDS, the TTP, and a third-party inspector before they can be deployed.
Pillar 5: Monitoring and Compliance
We have a culture of compliance at TikTok that starts at the top, which is why the entire company is committed to building and operationalizing these initiatives. Within USDS, that means always operating with a see-something, say-something mentality when it comes to national security. While the change to our organizational structure should remove any concern that USDS could be influenced by the Chinese government or anyone else, the entire structure of this plan is based on one simple principle: you won’t have to take our word for it.
The layers of oversight that are built in at every turn in this setup are unprecedented in our industry. In addition to USDS and the TTP, a host of third-party monitors, auditors, and inspectors will be focused on ensuring that we are complying with all of our commitments. Under the proposed national security agreement, if anything is amiss, every party involved has legal reporting obligations directly to the government, which can impose additional mitigations or even prevent us from operating until we’re in compliance.
🔹 Key takeaway: The layers of review and oversight covering every part of our U.S. service are unprecedented in our industry, and we are approaching our work with constant vigilance. With multiple third parties reviewing our adherence to our commitments, this arrangement doesn’t rely on anyone taking our word for it.
TikTok is dedicated to remaining clear and transparent about how our business operates, especially as it relates to keeping user data private and our platform secure. We will continue to use this site to keep our stakeholders informed on milestones related to Project Texas, news related to how we are keeping users safe, and updates around our future plans. We want all of our community to have the utmost confidence in the security of TikTok, so they can continue to share, create, learn, and find joy.