Clubhouse is a popular social audio app and the company was recently valued at a reported $1 billion.

The Stanford Internet Observatory (SIO) said it confirmed that Shanghai-based company Agora Inc., which makes real-time engagement software, “supplies back-end infrastructure to the Clubhouse App.” The SIO also found that users’ unique Clubhouse ID numbers and chatroom IDs are transmitted in plaintext (likely meaning Agora could access to raw Clubhouse audio).

The SIO tweeted, “For mainland Chinese users, this is troubling.”

The SIO researchers said they found metadata from a Clubhouse room “being relayed to servers we believe to be hosted in” the People’s Republic of China, and found that audio was being sent to “to servers managed by Chinese entities and distributed around the world.”

Agora told the SIO the company “does not have access to, share, or store personally identifiable end-user data,” the spokesperson said, adding that “voice or video traffic from non-China based users — including US users — is never routed through China.”

The company told SIO that it was going to roll out changes “to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers” and said it would hire an external security firm to review and validate the updates.

Read more here