Privacy Is Going Into the Silicon: NVIDIA Confidential Computing Enters Apple's Private Cloud Compute
Apple now runs PCC's server-side inference on NVIDIA Blackwell confidential-computing GPUs, and on Google Cloud. The step turns privacy from a policy promise into a chip state you can cryptographically verify.
Summary
On June 9, NVIDIA’s official blog confirmed that NVIDIA GPUs with Confidential Computing are now doing confidential inference inside Apple’s Private Cloud Compute (PCC), and that PCC is expanding beyond Apple’s own data centers to Google Cloud. On the surface this is a three-way compute partnership, with Apple, NVIDIA, and Google backing the server-side inference behind next-generation Apple Intelligence. What actually matters is that it changes how privacy gets honored.
For most of the past decade, privacy for cloud AI rested on two things: a privacy policy, plus your trust in a vendor’s internal processes. This deal swaps the anchor. By running PCC’s inference inside the confidential-computing environment of NVIDIA Blackwell GPUs, Apple shifts the guarantee from “we promise not to look at your data” to “cryptographically, no one can look at your data, including us.” Privacy is dropping from the policy layer down into the silicon. That is the baseline builders should recalibrate when they think about handling sensitive data.
The move
The facts from the blog: unveiled at Apple’s WWDC, NVIDIA is collaborating with Apple and Google to support some next-generation Apple Intelligence features, using NVIDIA Blackwell GPUs with Confidential Computing integrated into PCC’s hardware security architecture and running on Google Cloud. The GPUs serve Apple Foundation Models, custom-built by Apple and Google, leveraging the technologies behind the Gemini family of models.
Technically, NVIDIA Confidential Computing provides a hardware-based security layer for accelerated AI workloads. It isolates workloads in trusted execution environments (TEEs) to protect data while it is being processed, and it lets a system cryptographically verify that the infrastructure has not been tampered with before any sensitive data is sent to the server. The blog breaks the capabilities into four: hardware-rooted trust (establishing that systems run on genuine, untampered NVIDIA GPUs), encrypted communication paths (protecting data as it moves between components), remote attestation (software verifying the platform’s security state before releasing sensitive data), and support for accelerated inference and training (so privacy-sensitive workloads do not have to leave GPU performance behind).
For the end user, NVIDIA states it plainly: no one, not even the system’s builders, can look at their data, chats, or conversations.
The real motive
The stated reason is that Apple Intelligence needs to scale. Work that on-device models cannot carry has to land on high-performance server-side inference, a compute reality nobody pushing AI onto a billion devices can avoid.
The deeper motive is that Apple had to resolve an apparent contradiction: it wants to offload inference onto hardware it does not control and a cloud it does not own, without devaluing its privacy brand. PCC began as a privacy fortress inside Apple’s own data centers. Once it extends to Google Cloud, inference runs in someone else’s facility. If privacy still rested on “trust Apple’s controls,” that expansion would be a non-starter, because the controls are no longer fully in Apple’s hands. Confidential computing fills exactly that gap. It swaps trust in a company’s processes for trust in a hardware state that remote attestation can verify. Only with that in place could Apple put inference on Google Cloud and still claim its privacy is intact.
NVIDIA spells out the larger picture in the post: adoption of confidential computing at this scale reflects a broader shift in AI infrastructure. As AI experiences combine on-device and cloud-based processing, there is a need for high-performance server-side inference while maintaining strong privacy and security guarantees. In other words, confidential computing is not a feature custom-fit for Apple alone; it is the next foundational layer NVIDIA wants to sell to every cloud AI player. The Apple deal is its most persuasive reference case.
Who is threatened
The first thing hit is the server-side AI posture that treats privacy as a software-layer promise, backed by policy and brand trust. When a top player starts using hardware-verifiable privacy, the weight of “we promise not to look” gets diluted. The next question becomes: can you produce a remote attestation, or only show me a privacy policy. The baseline rises, and whoever cannot match it looks behind.
The second is any vendor whose “privacy moat” is built on physical control of its data centers. Apple’s move proves you do not have to lock inference inside your own facilities to maintain a privacy claim; what matters is verifiability at the chip layer, not who owns the building. That loosens an old assumption that strong privacy requires owning the data center. For anyone using “our servers, our rules” as a differentiator, this is a nudge.
To be clear: this does not mean every product without confidential computing is suddenly unsafe. Confidential computing defends a specific threat, namely data being seen or tampered with at the infrastructure layer (including by the operator) during processing. It does not solve model leakage, prompt injection, or downstream misuse for you. What is threatened is the promise-backed privacy narrative, not every other piece of security work.
What to ignore
Do not read this as “Apple is switching to NVIDIA and abandoning its own silicon.” The blog says only that server-side inference uses NVIDIA Blackwell GPUs on Google Cloud, serving Apple Foundation Models that Apple and Google custom-built together. This is a compute expansion of PCC for a specific scenario, not a turn in Apple’s on-device strategy or its in-house chip roadmap, and the post implies nothing of the sort.
Do not treat “no one can look at your data” as an absolute, covers-everything guarantee either. Confidential computing protects data from being seen at the infrastructure layer while it is processed, which is real, but it does not stop a model from memorizing and emitting training data, does not cover application-layer logic flaws, and does not govern data the user themselves authorizes out. Treat it as a key piece of the privacy puzzle, not the endgame.
Finally, do not rush to treat it as a blueprint you can copy tomorrow. The blog gives no numbers on performance overhead, cost, or availability, and a deployment at the Apple-plus-Google-plus-NVIDIA scale is not most teams’ reality. For builders today, the right move is to put “can my server-side inference offer hardware-verifiable privacy” on the selection list and ask your GPU cloud whether it has confidential-computing instances and deliverable attestation, rather than assuming the road is already smooth.
FAQ
Can you still trust Apple's privacy once inference runs on NVIDIA and Google's cloud?
The basis of trust changes, but it does not weaken. PCC used to run inference inside Apple's own data centers, so you trusted Apple's controls. Now inference extends to NVIDIA Blackwell GPUs on Google Cloud, and Apple anchors trust in hardware instead: data is processed only inside a trusted execution environment, and remote attestation verifies the platform has not been tampered with before any data is sent in. Per NVIDIA, not even the system's builders can look at users' data, chats, or conversations. You no longer have to unilaterally trust three companies' internal processes; you trust a chip state that can be cryptographically checked.
Does confidential inference slow performance down?
NVIDIA's pitch is precisely that you do not choose between privacy and GPU performance. Confidential Computing is built into the Blackwell GPU and, per the blog, supports accelerated AI inference and training, keeping privacy-sensitive workloads on the GPU rather than falling back to something slower. The official post gives no concrete overhead numbers, so the exact cost is unverified, but the product is positioned to push that cost down to acceptable.
Should an app handling sensitive data adopt TEEs now?
If your server-side inference touches users' private content, this deal raises the industry baseline a notch: a top player now uses hardware-verifiable privacy, not just a privacy policy. Standing up a confidential-computing stack yourself is still heavy in the short term, but the direction is clear. The pragmatic move is to check whether your GPU cloud offers confidential-computing instances and whether you can obtain attestation evidence to hand to customers, then put it on your selection checklist before a regulator or a large customer forces it.