Skip to main content

Indigenous Data Sovereignty Is Not Optional — It's Our Foundation

At Indigenious, OCAP principles guide every decision we make about data. We don't just comply with Indigenous data rights—we've built our entire platform on them.

Understanding OCAP

OCAP (Ownership, Control, Access, Possession) is a framework created by Indigenous communities across Canada to assert sovereignty over Indigenous data. It recognizes that Indigenous communities have inherent rights to their collective knowledge, research data, and information.

OCAP is not a policy imposed from outside. It emerged from Indigenous leadership and is grounded in the principle that Indigenous peoples have the right to self-determination over their data, just as they do over their lands and governments.

Ownership: Communities Own Their Data

The Principle

Indigenous communities own their cultural knowledge and data. This means communities—not researchers, not government, not platforms—have the fundamental right to own, control, and benefit from data about their members, their knowledge, and their territories.

What This Means for Indigenious

  • We do not claim ownership. When Indigenous businesses register on our platform, they own their business profile and all the data within it.
  • Communities retain control. When a community validates a business, that validation record belongs to the validating community, not to us.
  • No data extraction. We don't harvest Indigenous business data to build competitive products or sell to third parties.
  • Benefit flows to communities. Any value created from aggregated, anonymized data flows back to Indigenous communities through improved services and platforms.

In Practice

  • Your business profile is your intellectual property. You determine what appears in it.
  • Community validator records are held in trust for the validating community.
  • We never license or sell Indigenous business data to third parties.
  • Aggregated reports shared with government include only anonymized, high-level data.

Control: Communities Control How Their Data Is Used

The Principle

Communities control the collection, use, and disclosure of their data. OCAP recognizes that Indigenous peoples must have agency over how their information is used. This is self-determination in practice.

What This Means for Indigenious

  • You decide what data is collected. We ask for information only when necessary for verification or matching.
  • You decide what's visible. You control whether your business profile is public, visible only to verified partners, or private.
  • You decide who it's shared with. Data is only shared with explicit consent. We don't share data in the background.
  • Community validators decide verification terms. Communities set the standards for confirming business legitimacy within their jurisdiction.

In Practice

  • When you register, you choose which information to include in your public profile.
  • You can approve or reject each specific business introduction or partnership request.
  • If a potential lender requests your profile, you authorize that specific share.
  • Community validators determine what counts as sufficient proof of affiliation.
  • You can modify your profile or visibility settings at any time.

Access: Communities Have Full Access to Their Data

The Principle

Communities have the right to access all data about themselves. This is about transparency and accountability. If we hold information about your business or community, you must be able to see it, understand it, and challenge it.

What This Means for Indigenious

  • Full transparency. You can download your complete business profile at any time.
  • Access records. You can see who has accessed your profile and when.
  • Correction rights. You can request corrections to inaccurate information immediately.
  • Community access. Communities can request access to all data their validators hold.
  • Audit trail. You can see the complete history of your profile and verification status.

In Practice

  • A "My Data" dashboard shows everything we hold about your business.
  • You can export your profile as structured data at any time.
  • If information is incorrect, you submit a correction that is processed within 5 business days.
  • Communities receive quarterly reports on validation activity within their jurisdiction.

Possession: Data Is Held Securely in Indigenous Territory

The Principle

Data must be physically held by Indigenous communities or their designated agents. OCAP recognizes that possession of data is power. Communities should control where their data is stored, who can access it, and how it's protected.

What This Means for Indigenious

  • Canadian data residency. All business and validation data is stored exclusively in Canadian data centers.
  • Never outsourced. We do not store Indigenous business data on US servers or with foreign cloud providers.
  • Encryption. All data is encrypted both in transit and at rest.
  • Community derivative records. Communities maintain copies of all validation records they create.
  • Data portability. You can request your data in portable, non-proprietary formats.

In Practice

  • Our primary data center is located in Canada. No data leaves Canada.
  • Backup systems are also Canadian-based.
  • Community validators receive secure, portable copies of all verification records.
  • Upon request, you receive your data in standard formats (CSV, JSON, PDF).
  • W3C VC certification of business verification is tamper-proof but doesn't contain sensitive data.

How Indigenious Implements OCAP

1. No Status Card Numbers—Ever

We have an absolute prohibition on collecting status card numbers, status card images, or any form of Indigenous identity document numbers. This is a core OCAP commitment.

Why? Status cards are sensitive government records. Collecting them creates unnecessary privacy risk and is not required for business verification. Community validators confirm Indigenous business legitimacy through other means: documentation, references, and community knowledge.

2. Community Validators Control Verification

Each Indigenous community (through Unations) designates community validators. These validators confirm whether a business is:

Validators operate independently of Indigenious. They follow their own community standards and are accountable to their communities, not to us.

3. Indigenous Businesses Control Their Visibility

Every Indigenous business on Indigenious controls:

4. Data Deletion on Request, No Questions Asked

You can request complete deletion of your business profile at any time. We delete your data within 30 days with no questions asked, no reason required. The only exception is anonymized aggregated data used for program reporting.

5. W3C VCs for Verification, Not Surveillance

We use W3C Verifiable Credentials to create tamper-proof verification records. VCs are cryptographically signed — once a business is verified, that credential cannot be forged or retroactively changed. The credential contains only:

It does not contain sensitive personal information, status card data, or community-specific details. It's verification with privacy.

6. Regular OCAP Audits

We conduct independent audits annually to verify our OCAP compliance. These audits assess:

7. Community Consultation and Co-Development

OCAP is not static. As Indigenous communities' data practices evolve, so should ours. We maintain an ongoing consultation with Indigenous leaders and community validators to ensure our platform reflects contemporary Indigenous data rights.

Our OCAP Commitments

Ownership

We do not claim ownership of Indigenous business data. You own your profile. Communities own their validation records.

Control

You control what data is collected, what's visible, and who it's shared with. Control rests with Indigenous businesses and communities.

Access

You have full access to all data we hold about you. Full transparency. You can request corrections or deletion immediately.

Possession

All data is stored in Canada and encrypted. We do not outsource to foreign providers. Communities can request copies of their data.

No Sensitive Collection

We never collect status card numbers, Indigenous identity documents, or other sensitive government identifiers.

Independent Audits

We conduct annual OCAP compliance audits and publish results. Third-party verification of our commitments.

Community Leadership

Community validators lead the verification process. They set standards, confirm legitimacy, and hold power over their data.

Deletion on Demand

You can request deletion of your profile at any time. We delete without question within 30 days.

Audits & Transparency

Commitments are only meaningful if they're verified. Every year, Indigenious engages an independent auditor to assess our OCAP compliance. The audit covers:

Current Status: Indigenious completed its first OCAP audit in Q1 2026. The full audit report is available upon request. Contact privacy@indigenious.ca to request a copy.

Questions About OCAP?

OCAP is complex and deserves serious engagement. If you have questions about how we implement any OCAP principle, or if you're concerned that we're not living up to these commitments, contact us:

OCAP and Data Sovereignty Inquiries
Email: ocap@indigenious.ca
Phone: +1 (403) 555-0102

We take OCAP seriously. We're accountable to Indigenous communities, and we welcome your feedback.

For Indigenous Community Leaders: If your community is interested in becoming a validator network, or if you have concerns about how Indigenious is handling community data, contact our Community Partnerships team at partnerships@indigenious.ca.