Data sovereignty for AI means the data your systems process, and the infrastructure that processes it, stays within a jurisdiction and under controls you can demonstrate to a regulator on request. In India, that increasingly means designing around the Digital Personal Data Protection (DPDP) Act, 2023. In Singapore, for regulated financial institutions, it means designing around the Monetary Authority of Singapore's Technology Risk Management (TRM) Guidelines. Both push toward the same outcome: know where data is, who can touch it, and be able to prove that.
What the DPDP Act requires
India's DPDP Act governs how organizations collect, process, and store the personal data of individuals in India. It sets defined obligations for the entities that decide how personal data is used, including consent requirements, purpose limitation, and breach notification. It also gives the government power to restrict transfers of personal data to specific countries, which means an AI system's data flows need to be traceable, not just documented in a vendor's general privacy policy.
What the MAS TRM Guidelines require
The Monetary Authority of Singapore's TRM Guidelines apply to financial institutions operating in Singapore and set supervisory expectations for technology risk, including the use of cloud and AI services. Institutions are expected to run a risk assessment before outsourcing a workload or adopting a cloud-based AI tool that touches customer data, and to maintain audit rights and a workable exit plan with any vendor involved. Examiners assess institutions against these guidelines directly, so gaps show up in supervision, not just in theory.
What both mean for where AI actually runs
Neither framework bans cloud AI outright, but both make it harder to justify for the workloads that matter most: anything touching personal, financial, or health data. Meeting either framework's expectations is considerably simpler when the data never leaves infrastructure the organization controls in the first place, because there is no subprocessor chain or cross-border transfer to document and defend.
This is also why computer vision and other AI systems that capture personal data as a by-product, such as CCTV analytics or workplace-safety monitoring, deserve the same scrutiny as an LLM handling customer records. A camera feed that identifies faces or license plates is personal data under most modern data-protection regimes, DPDP included, whether or not the system was built with that framing in mind.
The practical takeaway
Treat data sovereignty as a deployment decision made early, not a compliance checklist applied after the fact. Systems built to keep sensitive data inside a controlled boundary from day one are considerably easier to defend to a regulator than systems retrofitted later to add controls that were never part of the original design.