DSCC Standards

Standards for proving sovereignty, not merely claiming it.

The DSCC Sovereignty Assurance Framework is being developed to help organizations assess, document, and strengthen sovereign control over data, AI systems, infrastructure, vendors, and governance obligations.

DSCC standards are voluntary DSCC-developed standards and frameworks. Unless expressly stated, they are not National Standards of Canada, government-mandated standards, ISO standards, legal advice, regulatory approval, or proof of certification.

Why Standards Matter

Sovereignty cannot rely on intention alone.

Organizations need a structured way to determine where data is held, who controls it, which laws and vendors affect it, how AI systems use it, and whether it can be moved, governed, protected, audited, returned, restricted, or deleted when required.

DSCC standards are designed to convert sovereignty into operational requirements that can be understood, implemented, assessed, and eventually verified through future certification pathways.

DSCC’s Definition of Sovereignty

Sovereignty is the demonstrable ability to govern, control, audit, migrate, defend, restrict, return, delete, or refuse the operation, movement, use, or dependency of data, AI systems, and digital infrastructure.

Data sovereignty is not merely where data is stored. Geography matters, but location alone does not prove sovereignty. An organization may host data in Canada and still lack meaningful control if vendors, contracts, foreign legal exposure, AI systems, technical dependencies, or governance failures prevent it from exercising authority over the data and systems it relies on. DSCC’s standards therefore focus on demonstrable sovereign control: authority, control, accountability, portability, auditability, resilience, and rights-respecting governance.

Master Framework

DSCC Sovereignty Assurance Framework

The DSCC Sovereignty Assurance Framework (DSCC-SAF) is the master framework for evaluating whether an organization can demonstrate meaningful authority, control, accountability, portability, resilience, and auditability over the data, AI systems, vendors, infrastructure, and governance obligations it depends on.

The framework is designed to help organizations move from sovereignty claims to evidence-based governance. It provides a structured basis for readiness assessment, standards development, member resources, training, future certification pathways, and public verification.

The core test is simple: can the organization prove that it retains meaningful authority, control, accountability, portability, and auditability over the data, AI systems, vendors, and infrastructure it depends on?

Core Principles

Seven principles. One test of control.

Authority

Who has the right to decide?
Lawful, contractual, technical, operational, and governance authority over data and AI systems must be identified.

Control

Who can act on the decision?
Authority must be exercisable through policies, contracts, access controls, safeguards, vendor obligations, and governance processes.

Accountability

Who is answerable?
Responsibility must be assigned for decisions, risks, incidents, exceptions, vendors, data use, AI deployment, and evidence.

Jurisdictional Resilience

Which laws, vendors, locations, and dependencies can affect control?
Exposure to legal, contractual, operational, and geopolitical risk must be understood and managed.

Portability and Exit

Can the organization leave?
Data, workloads, models, records, and services must be migratable, returnable, deletable, restrictable, replaceable, or recoverable.

Auditability

Can the organization prove it?
Evidence must be maintained that demonstrates sovereignty posture, controls, decisions, exceptions, risks, and remediation.

Rights-Respecting Governance

Is control being exercised responsibly?
Data and AI governance must respect applicable rights, obligations, privacy, security, community interests, Indigenous authority, and public trust.

Assurance Domains

Ten domains of demonstrable control

The DSCC Sovereignty Assurance Framework organizes requirements into ten domains, each with defined capabilities and evidence expectations.

1 · Governance and Authority

Organizations must identify who has authority over data and AI systems, how that authority is exercised, and who is accountable for decisions, exceptions, incidents, vendors, and evidence.

Required capabilities
  • Governance owner identified
  • Executive accountability assigned
  • Decision rights documented
  • Escalation process defined
  • Exception process documented
  • Material changes tracked
Evidence examples
  • Governance policy
  • Board/executive mandate
  • Role matrix
  • Decision logs
  • Risk committee minutes
  • Data governance charter

2 · Data Inventory and Classification

Organizations cannot govern what they cannot identify. A sovereignty posture requires a maintained inventory of data, systems, locations, classifications, owners, vendors, and uses.

Required capabilities
  • Data inventory maintained
  • System inventory maintained
  • Data owners assigned
  • Sensitivity classifications defined
  • Critical data identified
  • Indigenous/community data flagged where applicable
Evidence examples
  • Data inventory
  • System inventory
  • Data classification policy
  • Data flow maps
  • Data owner register
  • Records of processing or equivalent internal mapping

3 · Jurisdiction and Residency

Organizations must know where data is stored, processed, backed up, replicated, accessed, and legally exposed.

Required capabilities
  • Primary storage locations documented
  • Processing locations documented
  • Backup locations documented
  • Support access locations identified
  • Cross-border access risks assessed
  • Legal and contractual exposure reviewed
Evidence examples
  • Cloud architecture diagrams
  • Hosting contracts
  • Data residency attestations
  • Backup configuration records
  • Vendor location disclosures
  • Cross-border risk review

4 · Access, Control, and Key Management

Sovereignty requires actual control. Organizations must show who can access data, who can approve access, who controls encryption keys, and how unauthorized access is prevented.

Required capabilities
  • Access roles documented
  • Least privilege enforced
  • Privileged access monitored
  • Key ownership and management defined
  • Third-party access controlled
  • Emergency access logged
Evidence examples
  • Access control policy
  • IAM configuration
  • Key management policy
  • Privileged access logs
  • Access reviews
  • Vendor access records

5 · Vendor, Cloud, and Dependency Risk

Organizations must understand whether vendors, cloud providers, subcontractors, licensing terms, foreign ownership, or technical dependencies can undermine sovereign control.

Required capabilities
  • Critical vendors identified
  • Vendor data access mapped
  • Subprocessors documented
  • Contractual rights reviewed
  • Exit clauses assessed
  • Vendor substitution risk assessed
Evidence examples
  • Vendor register
  • Cloud contracts
  • Data processing agreements
  • Subprocessor list
  • SLA documents
  • Exit provisions
  • Vendor risk assessments

6 · Portability, Return, Deletion, and Exit

An organization is not fully sovereign if it cannot leave. DSCC standards require organizations to assess whether data, workloads, models, records, and services can be migrated, returned, deleted, restricted, or replaced.

Required capabilities
  • Export capability documented
  • Return/deletion procedures defined
  • Exit plan maintained
  • Portability tested where feasible
  • Vendor lock-in risk assessed
  • Business continuity impact assessed
Evidence examples
  • Exit plan
  • Data export test
  • Backup recovery test
  • Deletion certificate process
  • Migration playbook
  • Vendor transition plan

7 · Security and Privacy Baseline

Security and privacy are not identical to sovereignty, but sovereignty fails without them. Organizations must maintain reasonable safeguards, breach response, monitoring, and governance controls. DSCC’s security domain is positioned as complementary to recognized frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework — not as a replacement.

Required capabilities
  • Security policy maintained
  • Privacy obligations considered
  • Incident response process defined
  • Breach escalation defined
  • Monitoring controls in place
  • Retention and destruction controls documented
Evidence examples
  • Security policy
  • Privacy policy
  • Incident response plan
  • Breach response records
  • Retention schedule
  • Control assessments

8 · AI Sovereignty

Organizations using AI must understand what systems are used, what data they depend on, who controls the models, how outputs are governed, whether vendors can reuse data, and whether AI dependency can be audited, restricted, or replaced.

Required capabilities
  • AI systems inventoried
  • Model owners assigned
  • Training data sources documented
  • Prompt/output governance defined
  • Vendor reuse restrictions assessed
  • Human oversight defined
  • AI shutdown/substitution considered
Evidence examples
  • AI inventory
  • Model cards or equivalent documentation
  • AI governance policy
  • Vendor AI terms
  • Data reuse restrictions
  • Human oversight procedure
  • AI impact assessment

9 · Indigenous Data Sovereignty Alignment

Where Indigenous data is involved, organizations must demonstrate alignment with relevant Indigenous authority, community governance, consent, stewardship, cultural protection, use restrictions, AI restrictions, and data return or deletion obligations.

Required capabilities
  • Indigenous/community data identified
  • Relevant authority documented
  • Consent/permission recorded
  • Data-sharing agreement maintained
  • Use restrictions documented
  • AI/secondary-use restrictions documented
  • Return/deletion protocol documented
  • Community oversight process identified
Evidence examples
  • Data-sharing agreement
  • Community approval documentation
  • Consent framework
  • Stewardship protocol
  • Cultural protection handling rules
  • AI-use restriction record
  • Return/deletion protocol
  • Community oversight records

DSCC alignment review does not replace the authority of any Indigenous Nation, government, community, or organization.

10 · Evidence, Auditability, and Claims Governance

Organizations must maintain evidence sufficient to support any sovereignty claims they make. Claims must be accurate, current, scoped, and not misleading — public claims about certification, compliance, sovereignty, or readiness can influence customers, partners, funders, and procurement decisions.

Required capabilities
  • Evidence repository maintained
  • Claims approved before publication
  • Certification status checked before use
  • Scope limitations disclosed
  • Expired/revoked status respected
  • Audit trail maintained
Evidence examples
  • Evidence register
  • Claims approval workflow
  • Public statements register
  • Certification scope record
  • Verification records
  • Change logs

Standards Streams

Three streams. One framework.

Data Sovereignty Standards

The Data Sovereignty stream addresses organizational control over data location, access, use, transfer, retention, deletion, jurisdictional exposure, vendor dependency, auditability, and portability.

AI Sovereignty Standards

The AI Sovereignty stream addresses governance over AI systems, models, training data, prompts, outputs, vendors, infrastructure, automated decision-making, auditability, and dependency risk. It is positioned as a complementary, sovereignty-specific stream alongside frameworks such as ISO/IEC 42001, not as a replacement.

Indigenous Data Sovereignty Alignment Standards

The Indigenous Data Sovereignty Alignment stream supports organizations in understanding and operationalizing respectful alignment where Indigenous, First Nation, Métis, Inuit, Nation, community, treaty, cultural, or community-controlled data is involved.

DSCC supports alignment. DSCC does not replace Indigenous authority.

Standards Library

The DSCC standards library

A structured, versioned library is in development across six streams. Status labels reflect the current development stage of each document.

| Code | Standard | Stream | Status | Access |
|---|---|---|---|---|
| DSCC-SAF-001 | Sovereignty Assurance Framework — master framework, principles, domains, terminology, governance model, and relationship to future certification. | Master Framework | Consultation Draft | Public framework |
| DSCC-DS-100 | Data Sovereignty Standard — authority, control, jurisdictional awareness, access governance, residency, portability, retention, deletion, evidence, and vendor dependency management. | Data Sovereignty | Draft | Phased access |
| DSCC-DS-110 | Data Inventory and Classification Standard — identifying, classifying, mapping, and maintaining organizational data inventories. | Data Sovereignty | Concept Note | Phased access |
| DSCC-DS-120 | Data Residency and Jurisdictional Control Standard — proving where data is stored, processed, backed up, replicated, accessed, and legally exposed. | Data Sovereignty | Concept Note | Phased access |
| DSCC-DS-130 | Data Portability, Return, and Deletion Standard — moving, returning, deleting, restricting, or exporting data and related records. | Data Sovereignty | Concept Note | Phased access |
| DSCC-AIS-200 | AI Sovereignty Standard — governing AI systems, models, training data, prompts, outputs, vendors, infrastructure, dependency risk, auditability, and human accountability. | AI Sovereignty | Draft | Phased access |
| DSCC-AIS-210 | AI System Inventory and Model Governance Standard — identifying, documenting, governing, and reviewing AI systems, models, vendors, training data, prompts, outputs, and decision pathways. | AI Sovereignty | Concept Note | Phased access |
| DSCC-AIS-220 | AI Training Data and Secondary-Use Control Standard — controlling use of data in AI training, fine-tuning, automated decision-making, analytics, secondary research, and commercial reuse. | AI Sovereignty | Concept Note | Phased access |
| DSCC-IDS-300 | Indigenous Data Sovereignty Alignment Standard — DSCC’s alignment requirements where Indigenous, First Nation, Métis, Inuit, Nation, community, treaty, cultural, or community-controlled data is involved. Supports alignment; does not certify Indigenous sovereignty or replace Nation-specific protocols. | IDS Alignment | Draft | Phased access |
| DSCC-IDS-310 | Community Authority and Consent Alignment Standard — documenting relevant Indigenous authority, consent, permission, restrictions, scope, and governance processes. | IDS Alignment | Concept Note | Phased access |
| DSCC-IDS-320 | Indigenous Data Stewardship, Use Restriction, Return, and Deletion Standard — stewardship, possession, access restrictions, cultural protection, AI restrictions, secondary-use controls, return, deletion, and community oversight. | IDS Alignment | Concept Note | Phased access |
| DSCC-VCJ-400 | Vendor, Cloud, and Jurisdictional Dependency Standard — evaluating vendor control, subcontractors, cloud dependencies, foreign ownership, access rights, support access, contractual leverage, and exit risk. | Vendor / Cloud / Jurisdiction | Draft | Phased access |
| DSCC-GOV-500 | Sovereignty Governance and Accountability Standard — board/executive oversight, assigned accountability, risk governance, exception management, policy control, escalation, and reporting. | Governance | Draft | Phased access |
| DSCC-EAV-600 | Evidence, Auditability, and Verification Standard — evidence categories, audit records, document control, verification rules, record retention, audit trails, and future certification evidence expectations. | Evidence / Auditability | Draft | Phased access |

Each published standard will carry a version number, publication status, effective date, review dates, access level, scope statement, and revision history.

Governance

How DSCC standards are developed

Standards are developed, reviewed, and updated through a transparent, governed process.

Access

Standards access

Detailed standards documents, implementation guides, readiness tools, evidence checklists, and future certification criteria will be released through a phased access model. Some resources may be public. Others may be available through membership, training, or future certification pathways.

Open

Public Access

  • Standards summaries
  • Framework overview
  • Definitions
  • Domain descriptions
  • Public explainers
  • High-level readiness concepts

Membership

Member Access

  • Implementation guides
  • Templates
  • Checklists
  • Standards updates
  • Readiness tools
  • Webinars and member briefings

Future Phase

Certification Pathway Access

  • Detailed criteria
  • Evidence checklists
  • Audit preparation guides
  • Rubrics and submission instructions
  • Badge-use rules
  • Registry requirements

Access to DSCC standards, resources, or member materials does not constitute certification, legal compliance, audit approval, or government authorization.

Certification Connection

From standards to certification

Future DSCC certification pathways will be built from DSCC standards, defined criteria, evidence requirements, audit review, decision rules, badge issuance, and public verification. Certification is separate from membership and training.

Sovereignty is not a location claim. It is a demonstrable capability.

DSCC standards exist to help organizations prove that capability through authority, control, accountability, portability, auditability, and rights-respecting governance.

DSCC materials are for standards, governance, education, readiness, and assessment purposes. They do not constitute legal, regulatory, procurement, privacy, cybersecurity, Indigenous governance, or professional advice. Organizations should obtain appropriate advice for their circumstances.