On June 8, 2026, Apple announced that Private Cloud Compute (PCC) now runs outside Apple's own data centers. The most demanding Apple Intelligence requests, the ones a phone cannot handle alone, now run on Google Cloud, on NVIDIA GPUs and Intel CPUs, under the same privacy rules Apple set out in 2024. Apple built PCC originally on its own silicon. Two years later, the same design runs on hardware from a third party.
This matters to us at Edgeless Systems, because it is the idea we have built on for years: you can send sensitive data to the cloud for AI inference without giving the operator access to it. Apple has now confirmed that idea at a scale few companies could match, and on hardware it does not own.Ā
What PCC is, and what changed recently
When Apple introduced PCC in 2024, the goal was to extend the privacy of an iPhone into the cloud. Normally, processing data in the cloud means the operator can read it. PCC was designed so that Apple itself cannot, even while running the model. The system rests on five principles:
- Stateless computation: user data serves the request and is not retained afterward.
- Enforceable guarantees: security depends on a small, checkable set of components rather than on policy.
- No privileged runtime access: no operator, not even Apple staff handling an incident, can reach user data.
- Non-targetability: an attacker cannot steer a chosen user's request to a compromised machine.
- Verifiable transparency: Apple publishes its builds, along with a transparency log and research tooling, so outside researchers can check them.
What changed in June 2026 is the foundation. The original PCC ran only on Apple silicon. The new deployment runs on Google Cloud using NVIDIA Confidential Computing on NVIDIA GPUs, Intel CPUs with TDX, and Google's Titan security chip. The five principles are unchanged, but the hardware enforcing the confidential computing environment is now standard data-center hardware that anyone can rent.
Why this matters
The technology that makes all of this possible is confidential computing. Encryption already protects data at rest and in transit; confidential computing adds the state in between, protecting data while it is in use. A confidential VM (CVM) runs inside a hardware-isolated region of a CPU, and its memory stays encrypted, so the hypervisor, the host operating system, and the cloud operator cannot access any processed data. Until recently, this protected ordinary workloads on CPUs. NVIDIA then brought the same idea to its H100 and later GPUs, which is what makes confidential AI inference practical.
The original PCC was built on Apple's own silicon, a stack only Apple could produce. The new deployment uses common data-center hardware: NVIDIA GPUs in confidential mode, Intel CPUs with TDX, combined with a Google security chip. When one of the most privacy-conscious company in the industry meets its own privacy bar on standard, third-party hardware, the building blocks of confidential AI are no longer exotic. They are becoming a baseline that any serious provider can reach, and that many users will come to expect.
That changes what matters. When confidential computing and remote attestation are more and more implemented, confidentiality alone no longer sets a service apart. The real difference is how much of the claim you can verify, and who does the verifying.
How far the verification goes
At its best, this design means that not even Apple can see what its users process with AI. How close it comes depends on verification, and here Apple goes further than most providers. It publishes the binary image of every production build, releases the source for a subset of security-critical components, maintains an append-only transparency log of what runs, and gives researchers tooling and live access through its bounty program.
Limits remain. The published source is a subset, offered under a research-only license, not the full stack as open source that anyone can build, run, and compare. Independent researchers verify Apple's claims on everyone else's behalf, rather than each user being able to verify for themselves. As long as the whole software chain is not transparent, trust in Apple still remains necessary. For Apple's own users that may be reasonable, since they already trust Apple with the device in their hand. For other AI use-cases in a hospital, a bank, or the public sector, it is worth asking whether the operator and the party you have to trust should be one and the same.
Privatemode: the same approach, open to everyone
Privatemode AI applies the principles behind PCC to an AI service anyone can integrate. It is an end-to-end encrypted inference API. Prompts and responses are encrypted on the client, decrypted only inside a confidential VM, and encrypted again before they are returned. Neither Edgeless Systems nor the infrastructure provider can read them.
Mapped to Apple's principles, the design lines up closely:
- Hardware isolation and runtime encryption (stateless computation): workloads run in confidential VMs on AMD SEV-SNP, with NVIDIA H100 and B200 GPUs in confidential-computing mode.
- A small trusted base (enforceable guarantees): the guarantee rests on the hardware and a defined set of attested components, not on a privacy policy.
- No privileged access (no privileged runtime access): there are no operator roles that can bypass the isolation and reach prompts or responses.
- Client-side verification (verifiable transparency): a client-side proxy performs remote attestation and encryption for the user. The proxy collects the attestation evidence and verifies it in an environment the user controls.
The last point is the real difference from PCC. With Privatemode, the user can verify the deployment end-to-end, with no need to trust the service provider. The source code is public and the builds are reproducible, so everyone can confirm that the software running in the confidential computing environment is exactly the software that was published.
Three differences from PCC
Apple's implementation is in some ways very thorough. It treats every component, from firmware to application code, as part of its trusted base, keeps an append-only ledger of its hardware fleet, and roots attestation in two independent vendors. The architecture, as far as it can be assessed from outside, resembles the one behind Privatemode AI. Two practical differences set the products apart, and a third, deeper one, decides how much trust you have to place in the operator.
First, who can use it. PCC is the AI backend for Apple's own services, such as Siri. You cannot use it on its own, for example for integrating it into your own product. Privatemode is an API that any application can call, on any platform.
Second, the models. Apple's next-generation foundation models are built on Google's proprietary Gemini technology. Privatemode runs open-weight models, which can be inspected and are not tied to a single vendor.
Third, verification, which decides who you ultimately have to trust. PCC publishes binaries, a transparency log, and a subset of source under a research license, and researchers verify Apple's claims on behalf of everyone else witch only limited access to the software stack. Privatemode publishes full source with reproducible builds, and the user's own client can perform the verification. The difference is who holds the check, and how completely the code can be reproduced.