High-profile US app Clubhouse has pledged to review its data protection procedures after academics warned it contained security flaws that left users’ data at risk of being accessed by the Chinese authorities.

The Stanford Internet Observatory (SIO) on Friday published analysis stating that Chinese tech firm Agora Inc supplies back-end infrastructure to the invitation-only audio network app and would likely have access to users’ raw audio. Agora is subject to China’s national security laws and would be required to assist the Chinese government if it deemed an audio recording to jeopardise national security.

SIO also said it observed room metadata relayed to servers it believed were hosted in China and audio to servers managed by Chinese entities. It added, however, that it believed the Chinese government would not be able to access the data if the audio was stored in the United States.

The makers of the app, which has gained a great deal of publicity after Elon Musk and others tweeted about using it, said they are “deeply committed to data protection and user privacy.”

A Clubhouse spokesperson said the app had purposely not been made available through app stores in China due to data privacy concerns. However, people “found a workaround” to download it, meaning the conversations were transmitted via Chinese servers. It has now been blocked in China.

“We have identified a few areas where we can further strengthen our data protection. For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe—which can include servers in China—to determine the fastest route to the client.

“Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes.”

A spokesperson for Agora told Reuters that the company does not have access to or store personal data and does not route through China voice or video traffic generated from users outside China, including US users.
