Data Sovereignty for AI: DPDP, MAS TRM, and What They Mean for Deployment

What India's DPDP Act and Singapore's MAS TRM Guidelines actually require, and how those requirements should shape where an AI system runs.

Data sovereignty for AI means the data your systems process, and the infrastructure that processes it, stays within a jurisdiction and under controls you can demonstrate to a regulator on request. In India, that increasingly means designing around the Digital Personal Data Protection (DPDP) Act, 2023. In Singapore, for regulated financial institutions, it means designing around the Monetary Authority of Singapore's Technology Risk Management (TRM) Guidelines. Both push toward the same outcome: know where data is, who can touch it, and be able to prove that.

What the DPDP Act requires

India's DPDP Act governs how organizations collect, process, and store the personal data of individuals in India. It sets defined obligations for the entities that decide how personal data is used, including consent requirements, purpose limitation, and breach notification. It also gives the government power to restrict transfers of personal data to specific countries, which means an AI system's data flows need to be traceable, not just documented in a vendor's general privacy policy.

What the MAS TRM Guidelines require

The Monetary Authority of Singapore's TRM Guidelines apply to financial institutions operating in Singapore and set supervisory expectations for technology risk, including the use of cloud and AI services. Institutions are expected to run a risk assessment before outsourcing a workload or adopting a cloud-based AI tool that touches customer data, and to maintain audit rights and a workable exit plan with any vendor involved. Examiners assess institutions against these guidelines directly, so gaps show up in supervision, not just in theory.

What both mean for where AI actually runs

Neither framework bans cloud AI outright, but both make it harder to justify for the workloads that matter most: anything touching personal, financial, or health data. Meeting either framework's expectations is considerably more direct when the data never leaves infrastructure the organization controls in the first place, because there is no subprocessor chain or cross-border transfer to document and defend.

This is also why computer vision and other AI systems that capture personal data as a by-product, such as CCTV analytics or workplace-safety monitoring, deserve the same scrutiny as an LLM handling customer records. A camera feed that identifies faces or license plates is personal data under most modern data-protection regimes, DPDP included, whether or not the system was built with that framing in mind.

The practical takeaway

Treat data sovereignty as a deployment decision made early, not a compliance checklist applied after the fact. Systems built to keep sensitive data inside a controlled boundary from day one are considerably easier to defend to a regulator than systems retrofitted later to add controls that were never part of the original design.

Frequently asked

Does the DPDP Act require data to stay physically inside India?

Not as a blanket rule. The DPDP Act allows cross-border transfer of personal data by default, but gives the government power to restrict transfers to specific countries it names, and other Indian sector regulators impose their own stricter localization rules for specific data types. Cross-border AI data flows need active monitoring, not a one-time check.

Do the MAS TRM Guidelines apply to every company in Singapore?

No. They apply specifically to financial institutions regulated by the Monetary Authority of Singapore, including banks, insurers, and capital markets entities. Companies outside the regulated financial sector are not bound by TRM directly, though many adopt similar practices voluntarily when handling sensitive customer data.

Is on-premise AI required to comply with DPDP or MAS TRM?

Neither framework mandates on-premise deployment by name. Both describe outcomes, such as demonstrable control over data access and clear accountability for vendor risk, that on-premise or tightly controlled private infrastructure makes considerably easier to achieve and prove than a standard shared cloud API.

Does surveillance or CCTV footage count as personal data under these rules?

Generally yes. Footage that can identify a specific person, directly or through a license plate or other identifier, is treated as personal data under India's DPDP Act and under most comparable data-protection frameworks. Systems processing that footage need the same consent, access-control, and retention discipline as any other personal-data system.

What is the first step toward data-sovereign AI deployment?

Map exactly where sensitive data flows today: which systems touch it, which vendors process it, and which of those vendors sit outside the required jurisdiction or lack an auditable data-handling agreement. That map determines whether the right fix is a vendor renegotiation or a move to infrastructure the organization directly controls.
