Powering the next era of Confidential AI

Overview

Apple is running its Private Cloud Compute system on Google Cloud for the first time, the company confirmed at WWDC 2026 in June 2026. The two firms, working with Intel and NVIDIA, built a serving platform that keeps user data encrypted even while it is being processed, so Apple Intelligence requests too large for an iPhone or Mac get handled in a sealed cloud environment. It marks the first time Apple's privacy-focused AI infrastructure runs outside Apple's own data centers.

Key Takeaways

Apple's Private Cloud Compute (PCC) now runs on Google Cloud hardware, the first time this privacy-grade AI infrastructure has operated on a third-party cloud.
The platform relies on Confidential Computing, where data stays encrypted not only at rest and in transit but also while it is in use inside Trusted Execution Environments.
Four companies built the stack: Apple defined the privacy goals, Google Cloud supplied the infrastructure and Titan security chip, Intel provided TDX processor isolation, and NVIDIA supplied confidential-computing Blackwell GPUs.
Apple keeps a cryptographically verifiable, append-only ledger of every Google Cloud machine in the PCC fleet, designed to block supply-chain tampering.
Apple and Google co-engineered an open-source host stack so outside researchers can inspect and verify the system's security claims rather than take them on trust.
Protections roll out gradually across a summer 2026 preview period, so the deployment is not yet at its full security level.

Stats & Key Facts

#4 companies collaborated on the platform: Apple, Google Cloud, Intel, and NVIDIA.
#5 core PCC requirements are preserved: stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency.
#3 layers of hardware trust span NVIDIA Blackwell GPUs, Intel TDX CPUs, and Google's Titan chip.
#Data is protected across 3 states: at rest, in transit, and in use.
#Announced at WWDC 2026 in June 2026, with full protections scaling across the summer preview period.
#1 append-only hardware ledger tracks every Google Cloud machine in the PCC fleet for supply-chain defense.

What Apple Private Cloud Compute does and why it moved to Google Cloud

Private Cloud Compute is the system Apple uses when an AI request is too heavy for the device itself.

Some Apple Intelligence tasks, such as agentic tool use and complex reasoning, exceed what the on-device models in an iPhone or Mac handle. When that happens, the request goes to Private Cloud Compute, a cloud environment Apple designed to keep that data private and out of reach of operators.

Until now, PCC ran only inside Apple's own data centers. At WWDC 2026, Apple confirmed it extended PCC onto Google Cloud, the first time this infrastructure has run on a third-party cloud. The goal is to add capacity for demanding AI work while keeping the same privacy promises Apple made when it launched PCC.

Confidential Computing keeps data encrypted even while it is being used

The core idea is protecting information at the one moment it is normally exposed: during processing.

›Most systems encrypt data at rest and in transit, but decrypt it to compute on it. Confidential Computing closes that gap by keeping it encrypted in use as well.
›Workloads run inside hardware-based Trusted Execution Environments (TEEs), sealed areas of the chip that isolate the data and give cryptographic proof of integrity.
›Because the data stays encrypted and isolated, even the cloud operator running the machine cannot read it, which is the foundation of Apple's no-privileged-runtime-access rule.

Google's Titanium architecture and custom Titan chip provide the root of trust

Google's contribution starts at the silicon level with hardware it designed itself.

Google Cloud's Titanium security architecture is built around a custom Titan chip. The chip acts as a hardware root of trust, a trusted starting point that verifies the machine booted with genuine, untampered hardware and software before any workload runs.

Titan chips are deployed across Google's server fleet and underpin the integrity and transparency of the PCC infrastructure on Google Cloud. Pairing them with Apple's requirements gives the platform an independent hardware anchor that does not depend on Apple's own silicon.

Intel TDX and NVIDIA Blackwell GPUs protect the full compute path

The processors and graphics chips both add their own confidential-computing features.

›Intel TDX (Trust Domain Extensions) isolates virtual machines at the CPU level, walling off each workload from the rest of the system.
›NVIDIA Confidential Computing on Blackwell GPUs extends that protection to the graphics processors that run high-performance AI inference.
›Together they protect the whole path from CPU to GPU, so data is not exposed as it moves between the two chips during a request.
›Using independent vendors for different parts of the stack creates dual roots of trust, so no single supplier holds all the keys.

Open-source transparency and a hardware ledger let outsiders verify the claims

Apple's design assumes users should not have to take privacy promises on faith.

Apple and Google engineered an open-source host stack for the platform so independent researchers can inspect and verify how the system enforces its security properties. Apple has said the binaries will be open to public inspection, with tooling and live node access offered through the Apple Security Bounty Program.

To guard against supply-chain attacks, Apple maintains a cryptographically verifiable, append-only ledger listing every Google Cloud machine that is part of the PCC fleet. An append-only ledger cannot be quietly edited, so any change to the hardware roster leaves a permanent, checkable record.

What this means for everyday users and the summer 2026 rollout

The practical takeaway is more AI capacity without a change to the privacy bargain.

For a non-technical user, the change happens behind the scenes. Heavier Apple Intelligence features get more cloud capacity, while Apple keeps its commitments that the data is not stored after the request, not tied to a user, and not readable by operators.

The deployment is staged. Apple says PCC on Google Cloud will ramp toward its complete set of protections across a summer 2026 preview period, so the security guarantees reach full strength over time rather than all at once. The companies have signaled more technical detail at the Confidential Computing Summit later in June 2026.

Frequently Asked Questions

Does running Apple Intelligence on Google Cloud mean Google sees my data?

No. The system uses Confidential Computing, which keeps data encrypted and isolated inside the hardware even while it is processed. Apple's design enforces no privileged runtime access, so the cloud operator running the machine cannot read the workload.

What is Private Cloud Compute in plain terms?

It is the cloud environment Apple uses when an AI request is too large for your iPhone or Mac to handle on its own. It is built to process that request privately and then keep no record of it tied to you.

Which companies are involved in this platform?

Four. Apple set the privacy requirements, Google Cloud supplied the infrastructure and its Titan security chip, Intel provided TDX processor isolation, and NVIDIA supplied confidential-computing Blackwell GPUs.

How can anyone trust that the privacy claims are real?

Apple and Google built an open-source host stack so outside researchers can inspect the system, and Apple keeps an append-only ledger of every machine in the fleet. Security researchers also get live node access through the Apple Security Bounty Program.

Is this fully live now?

Not entirely. Apple announced it at WWDC 2026 in June 2026 and said PCC on Google Cloud will gradually reach its complete set of protections across a summer preview period.

The Apple and Google Cloud collaboration shows how confidential computing lets a privacy-focused company expand its AI capacity onto an outside cloud without giving up control of user data. For business readers, it is a working example of encrypting data even while it is in use, backed by independent hardware and public verification.