Apple extends Private Cloud Compute to Google Cloud with NVIDIA GPUs
Apple is expanding Private Cloud Compute beyond its own data centers by partnering with Google and NVIDIA to run Apple Intelligence workloads on Google Cloud, while maintaining PCC's full security and privacy guarantees.
This is the first time Apple has extended PCC's end-to-end confidential inference pipeline and transparency guarantees to a third-party data center, applying the same verifiable privacy protections to cloud AI workloads running outside Apple's own hardware and infrastructure.
Apple's Security Engineering and Architecture (SEAR), User Privacy, Core OS, Services Engineering, and Machine Learning and AI teams jointly announced the expansion of Private Cloud Compute (PCC) to Google Cloud, marking the first time PCC's privacy commitments have been extended to a third-party data center. The move is tied to the next generation of Apple Intelligence, which leverages technologies from Google's Gemini family of models to build new Apple Foundation Models spanning on-device to cloud deployments. For the most demanding tasks — specifically agentic tool-use and complex reasoning — Apple worked with Google and NVIDIA to extend PCC infrastructure to Google Cloud systems using NVIDIA GPUs.
The new implementation is built on NVIDIA Confidential Computing with NVIDIA GPUs, Intel CPUs with TDX, and Google's Titan chip. Apple and Google went beyond a standard confidential computing deployment in several ways: the trusted computing base covers every component from firmware through host and guest OS stacks to application code; a cryptographically verifiable, append-only ledger tracks all Google Cloud hardware in the PCC fleet to mitigate supply chain attacks; and software attestation is rooted in at least two separate roots of trust from independent vendors. Architectural security patterns from PCC on Apple silicon are carried over, including dedicated processes with isolated namespaces for initial network data parsing, short time-to-live recycling of shared inference software, and attested keys held in a separate confidential VM isolated from external inputs.
Apple's five core PCC requirements — stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency — remain unchanged. Apple retains complete control over PCC software regardless of where infrastructure is hosted, and Apple devices will only trust PCC software that is cryptographically approved by Apple. The rollout will ramp gradually through a summer preview period; all binaries will be published for public inspection, and the security research community will have access to live PCC nodes in research mode through the Apple Security Bounty Program.
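The three checks described above (hardware listed in an append-only ledger, attestation verified under at least two independent roots, and software approved by Apple) can be modelled as one admission decision. This is an added illustration, not Apple's code or PCC's actual formats: the hash-chain ledger, the HMAC standing in for vendor-rooted signatures, and all names and keys are assumptions constructed for the example.

```python
import hashlib, hmac, json

def ledger_head(records):
    """Hash-chain head: each entry commits to every entry before it."""
    head = b"\x00" * 32
    for rec in records:
        head = hashlib.sha256(head + json.dumps(rec, sort_keys=True).encode()).digest()
    return head

def extends_pinned(records, pinned_head, pinned_len):
    """Append-only check: the prefix seen earlier must be unchanged."""
    return (len(records) >= pinned_len and
            hmac.compare_digest(ledger_head(records[:pinned_len]), pinned_head))

def evidence_tag(key, node):
    """HMAC stands in for a vendor-rooted signature over the attested claims."""
    msg = (node["hw_id"] + "|" + node["measurement"]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def admit(node, records, pinned_head, pinned_len, vendor_keys, approved):
    if not extends_pinned(records, pinned_head, pinned_len):
        return "ledger-rewritten"
    if all(rec["hw_id"] != node["hw_id"] for rec in records):
        return "hardware-not-in-ledger"
    if node["measurement"] not in approved:
        return "software-not-approved"
    verified = set()  # a set, so repeated evidence from one vendor counts once
    for ev in node["evidence"]:
        key = vendor_keys.get(ev["vendor"])
        if key and hmac.compare_digest(evidence_tag(key, node), ev["tag"]):
            verified.add(ev["vendor"])
    return "admit" if len(verified) >= 2 else "insufficient-roots"

# Constructed sample data (hypothetical names and keys, not real PCC values).
VENDOR_KEYS = {"vendor-a": b"key-a", "vendor-b": b"key-b"}
APPROVED = {"sha256:release-1"}
LEDGER = [{"hw_id": "node-001"}, {"hw_id": "node-002"}]
PINNED_HEAD, PINNED_LEN = ledger_head(LEDGER[:1]), 1

def make_node(hw_id, measurement, vendors):
    node = {"hw_id": hw_id, "measurement": measurement}
    node["evidence"] = [{"vendor": v, "tag": evidence_tag(VENDOR_KEYS[v], node)} for v in vendors]
    return node

if __name__ == "__main__":
    print(admit(make_node("node-002", "sha256:release-1", ["vendor-a", "vendor-b"]),
                LEDGER, PINNED_HEAD, PINNED_LEN, VENDOR_KEYS, APPROVED))
```

Evidence repeated from a single vendor does not satisfy the two-root requirement, and a ledger whose earlier entries changed is rejected before any attestation is considered.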
Key facts
- Apple is expanding Private Cloud Compute (PCC) to Google Cloud for the first time, partnering with Google and NVIDIA.
- The expansion targets demanding Apple Intelligence workloads, specifically agentic tool-use and complex reasoning.
- The hardware foundation uses NVIDIA Confidential Computing with NVIDIA GPUs, Intel CPUs with TDX, and Google's Titan chip.
- Apple's five core PCC requirements remain unchanged: stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency.
- A cryptographically verifiable, append-only ledger tracks all Google Cloud hardware in the PCC fleet to guard against supply chain attacks.
- Software attestation is rooted in at least two separate roots of trust from independent vendors.
- Apple retains complete control over PCC software; Apple devices will only trust PCC software cryptographically approved by Apple.
- All binaries will be published for public inspection, and live PCC nodes in research mode will be accessible via the Apple Security Bounty Program.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 9, 2026 · 17:05 UTC.