What Apple and NVIDIA announced
On 9 June, at Apple’s WWDC developer conference, NVIDIA confirmed its Blackwell data-centre GPUs — the chips used to run heavy AI workloads on rented servers — are now handling confidential inference inside Apple’s Private Cloud Compute (PCC), Apple’s privacy-focused cloud service. The change: PCC is, for the first time, running on Google Cloud as well as Apple’s own data centres. Apple published its own post a day earlier, on 8 June, framing the move as an extension of the same privacy architecture PCC has used since 2024 (NVIDIA blog, 9 June 2026; Apple Security Research, 8 June 2026).
The upshot for users: when someone hits an Apple Intelligence feature too large for the device to handle — the heaviest prompts, the ones that need real processing power — the request can now be answered by an NVIDIA GPU inside Google Cloud, not by Apple silicon in an Apple data centre.
Who built what
This is a joint build, in three pieces. Apple and Google worked together on the new generation of Apple Foundation Models, drawing on the technologies behind Google’s Gemini family. NVIDIA provided the GPU layer that wraps those models in a sealed environment. Apple’s software and the cryptographic keys stay on top, and Apple devices will only trust PCC software Apple has cryptographically approved (Apple Security Research).
What hasn’t changed
Apple’s core PCC requirements stay exactly the same: stateless computation, no privileged runtime access, non-targetability, and verifiable transparency. The novelty is the implementation — confidential VMs on third-party hardware — not the policy (Apple Security Research). These rules were set in 2024 when PCC was Apple-silicon-only, and Apple says they are not being relaxed for the new multi-cloud setup.
“Originally built exclusively on Apple silicon with our world-class software security technologies, PCC set a new bar for AI privacy in the cloud.” — Apple Security Engineering and Architecture, Expanding Private Cloud Compute, 8 June 2026
The transparency layer travels with the workload. Apple will publish all binaries for public inspection, ship research tooling, and grant access to live PCC nodes in research mode through the Apple Security Bounty Programme — the same depth of access it offered for first-generation PCC. A summer preview is ramping up now, with more technical detail promised at the Confidential Computing Summit later this month (Apple Security Research).
What to make of it for a small UK firm
For the next quarter at least, this is a story about a bar being set, not a product UK firms can buy. The interesting question is the one it forces on everyone else: if a consumer phone maker can run its cloud AI on rented, third-party hardware and still publish the binaries, hand out live-node access, and prove the fleet cryptographically — what does the enterprise AI contract you signed last year actually guarantee?
For a UK professional services firm handling client material, the practical takeaway is sharper. The PCC model is the most concrete published specification we have for the question UK SMEs will keep being asked: where is my data, who can see it, and how would I know if they did? You don’t need to deploy PCC. You can, however, point to it when a vendor slides a generic line about enterprise-grade security past you. The checklist Apple publishes is the one to demand. Five questions, in this order:
- Stateless processing — can the vendor guarantee the environment handling your data holds no persistent record of it?
- No privileged access — can the vendor’s own staff see your prompts or model outputs while inference is running?
- Verifiable transparency — will the vendor publish the software stack and accept external audits?
- Cryptographic attestation — can the vendor prove the chips and firmware running your workload are the ones they say they are?
- Independent research access — does the vendor actively pay external researchers to break their setup, and publish what they find?
Vendors who can’t answer those five questions have work to do.
The caveat: the same claim, made about a third-party data centre, is only as good as the transparency around it. Apple has earned the benefit of the doubt on first-generation PCC because the binaries and the bounty programme both shipped. The summer preview is where that trust is being asked for again. Watch the Confidential Computing Summit at the end of June — that’s where the technical detail will land.


