About Project Texas

TikTok’s Commitment to U.S. National Security

TikTok’s mission is to inspire creativity and bring joy. With more than a billion people using our platform to discover content and share their voice each month, it’s our responsibility to ensure the safety, privacy, and security of our community. TikTok faces a high level of scrutiny as a result of our parent company’s Chinese heritage, and that scrutiny requires a unique level of transparency—and accountability. In that spirit, we are sharing details about how we’re meeting this commitment and working to address U.S. national security concerns through an initiative called Project Texas.

Put simply, Project Texas is an unprecedented initiative dedicated to making every U.S. user on TikTok feel safe, providing them with confidence that their data is secure and the platform is free from outside influence. We are committed to the framework we’ve developed through discussions with CFIUS, as demonstrated by our initial $1.5 billion investment in implementing technology and operational changes. Project Texas puts the concepts of transparency and accountability into action by addressing national security concerns head-on with concrete, measurable solutions.

The framework has five key pillars:

  • Independent Governance
  • Data Protection and Access Control
  • Software Assurance
  • Content Assurance
  • Monitoring and Compliance

This approach is designed to address concerns that have been raised in the U.S. about TikTok, while also allowing us to continue to offer a globally interoperable service. We have already proactively implemented substantial portions of this framework, and we look forward to continuing our work to further ensure peace of mind for our community and our stakeholders.

Pillar 1: Independent Governance

TikTok’s parent company ByteDance was founded by Chinese entrepreneurs. Today, ByteDance is a private, global company, with roughly 60 percent owned by global institutional investors, 20 percent owned by the company’s founders, and 20 percent owned by its employees—including thousands of Americans. It is not owned or controlled by any government or state-controlled entity.

That said, it’s important to address concerns over our corporate governance structure, particularly concerns about foreign control. That is why we have created a special purpose subsidiary called TikTok U.S. Data Security (USDS). USDS is tasked with managing all business functions that require access to U.S. user data identified by the U.S. government as needing additional protection (“protected U.S. user data”) and safeguarding the systems that deliver content on the app in the U.S. to ensure that it is free from foreign manipulation.

The USDS team is currently led by General Manager Andy Bonillo and Security Officer Will Farrell—both of whom have significant experience working with the U.S. government in the national and cyber security spaces.

In addition, USDS employees are vetted with robust background and security checks subject to U.S. employment law. Upon full implementation, TikTok USDS will be overseen by an independent board of directors, each with strong backgrounds in U.S. national security and highly respected in their field. USDS will operate all parts of the TikTok business responsible for protected U.S. user data, and also oversee the application’s content delivery systems in the United States.

🔹 Key takeaway: Access to protected U.S. user data and the systems that power TikTok in the U.S. are monitored and tightly controlled by TikTok USDS employees.

Pillar 2: Data Protection and Access Control

TikTok’s approach to safeguarding U.S. user data must balance data protection with the need to allow U.S. users to seamlessly engage in a global service. This is a complex challenge that we have been addressing through various components of Project Texas.

The central feature of Project Texas is our work with Oracle to isolate the TikTok services serving U.S. users within Oracle’s U.S. cloud environment as an additional safeguard. Although gateways to the storage infrastructure are strictly monitored and controlled, U.S. users of the TikTok platform can still communicate and interact with global users for a cohesive global experience.

Within the secure environment, Oracle and USDS will control and monitor certain data leaving the secure environment under established protocol, including allowing certain business metrics to be shared, and certain data access under limited exceptions such as to address emergency situations. All of these exceptions are accounted for in our current proposed agreement with the U.S. government.

🔹 Key takeaway: We are designing our systems to store, by default, U.S. user data within a U.S. environment that allows us to strictly control and monitor that data. We have stringent access control measures.

Pillar 3: Technology Assurance

To safeguard against unauthorized access to our systems—such as backdoors or data leakage—every single line of source code that goes into the secure environment, whether it comes from TikTok, ByteDance, open source, or third-party, will be inspected and tested. This includes any updates to the code on an ongoing basis. The plan is that Oracle and a third-party security inspector will work to ensure that everything is performing as intended, and only validated code will be able to operate in the secure environment; if the source code does not pass inspection, it can’t run.

Oracle and third-party inspectors are expected to use dynamic testing, static testing, and manual review. Oracle will review the app source code, compile the app, and deliver it directly to the app stores to maintain the chain of custody. The app delivered to the app stores will only be able to communicate with approved systems to operate the application.

🔹 Key takeaway: With multiple layers of third-party, independent review of U.S. source code and mechanisms in place to ensure that only validated code can operate, we can safeguard against backdoor access to data or systems.

Pillar 4: Content Assurance

We want people to be confident that the content they see on TikTok is free from any government manipulation or influence.

Our content recommendation system is based on content-neutral signals from users, including what videos they have liked, shared, watched to the end, and more; the subject of the video is not taken into account by the recommendation system. Oracle will inspect and test the algorithm code and the trained model in the secure cloud environment to ensure it is not recommending content that isn’t indicated by a user’s in-app behavior.

Our content moderation systems and processes—both machine and human—will also be subject to outside review, to confirm that moderation is taking place only in accordance with our published Community Guidelines. For example, human-reviewed decisions can be audited, and the machine-based processes that look for content violations when a video is uploaded will be reviewed and tested to ensure that they aren’t also removing content based on any other factor, such as removing content critical of the Chinese government.

There are times when TikTok might promote particular content—such as boosting videos of a World Cup goal or calling attention to a high-profile creator like the Rolling Stones joining the platform—and there are times when we might filter certain content to improve user experience (like preventing multiple videos with the same audio from appearing in a row). USDS will implement these promotions and filters using applicable rules, algorithms, logic or guidelines, and Oracle will have visibility, safeguarding against unexpected changes to our system. All promotion decisions will be transparent and auditable to third-parties who can verify our decisions and to our U.S. Content Advisory Council.

🔹 Key takeaway: The processes that determine what people see or don’t see on TikTok will be continuously reviewed, tested, and monitored by third-parties to provide confidence that they are free from any foreign or outside influence.

Pillar 5: Monitoring and Compliance

We have a culture of compliance at TikTok that starts at the top, which is why the entire company is committed to building and operationalizing these initiatives. Within USDS, that means always operating with a see-something, say-something mentality when it comes to national security. While the change to our organizational structure should remove any concern that USDS could be influenced by the Chinese government or anyone else, the entire structure of this plan is based on one simple principle: you won’t have to take our word for it.

The layers of oversight that are built in at every turn in this setup are unprecedented in our industry. In addition to USDS and Oracle, a host of third-parties will be focused on ensuring that we are complying with all of our commitments. Under the currently proposed national security agreement, if anything is amiss, every party involved has legal reporting obligations directly to the government, which can impose additional mitigations or even prevent us from operating until we’re in compliance.

🔹 Key takeaway: The layers of review and oversight covering every part of our U.S. service are unprecedented in our industry, and we are approaching our work with constant vigilance. With multiple third-parties reviewing our adherence to our commitments, this arrangement doesn’t rely on anyone taking our word for it.

TikTok is dedicated to remaining clear and transparent about how our business operates, especially as it relates to keeping user data and our platform secure. We will continue to use this site to keep our stakeholders informed on milestones related to Project Texas, news related to how we are keeping users safe, and updates around our future plans. We want all of our community to have the utmost confidence in the security of TikTok, so they can continue to share, create, learn, and find joy.