VODS v1.0 — Veydrin Open Data Standard

§ 1

Overview

VODS defines the common contract that all Veydrin-family data exports share. It does not specify what data a particular domain exports — that is the responsibility of domain specs like OHDS (Open Hive Data Standard) or OCEADS. VODS specifies the envelope: the identity, mode, privacy model, and extension system that every conforming export carries regardless of domain.

Any VODS-conforming document can be processed by a generic VODS parser without knowing anything about the domain payload. Domain-specific parsers receive a VODS-valid document and additionally interpret the payload according to their own spec.

Design principle. VODS is deliberately minimal. It defines only what is universal across all possible Veydrin domain exports. When in doubt, a field belongs in the domain spec, not here.

VODS v1.0 — Base Envelope

↓ inherited by

OHDS v1.0
Apiary Data OCEADS v1.0
Cultivation Data Future Domain
Any subject

All domain specs inherit the VODS envelope and extend it with domain payload

§ 2

The Envelope

A VODS-conforming document is a JSON object. The following root-level fields constitute the VODS envelope. All required fields must be present. Domain specs add their own required and optional fields alongside these.

Field	Type	Req?	Description
`vods_version`	string	req	VODS specification version this document conforms to. Currently `"1.0"`. Consumers must accept any version with a matching major number.
`export_id`	string (UUID)	req	Randomly generated UUID v4, created fresh for each export. Never reused. Never derived from any internal identifier.
`export_date`	string (ISO 8601)	req	Timestamp of when this export was generated. Full datetime with timezone offset or Z suffix required. Example: `"2026-03-09T14:22:00Z"`.
`export_mode`	enum	req	Anonymization mode governing how identifiers in this export are handled. Must be `"anonymous"` or `"tracked"`. See §3.
`extensions`	object	opt	Namespace-keyed object for organization-specific fields. See §4. Consumers must ignore unrecognized extension namespaces.

Domain fields. Domain specs (OHDS, OCEADS, etc.) add their own version field (e.g., ohds_version) and payload arrays or objects alongside these envelope fields. The VODS envelope fields must always be present; domain fields follow the domain spec's own requirements.

Minimal valid VODS envelope

{
  "vods_version": "1.0",
  "export_id":   "a3f8c2e1-04b7-4d9e-b221-7f3a09cc1d82",
  "export_date": "2026-03-09T14:22:00Z",
  "export_mode": "anonymous"
  // domain payload fields follow here
}

§ 3

Anonymization Model

VODS defines two privacy modes for data exports. Every domain spec must honour these modes in how it generates and handles any identifiers in the payload. The export_mode field declares which mode applies to the entire document — mixed-mode documents are not permitted.

Mode	Identifier behavior	Typical use
`"anonymous"`	All payload identifiers (entity refs, location refs, etc.) are randomized fresh for each export. There is no stable relationship between identifiers across exports. The same physical entity will have a different ref in every anonymous export.	One-time survey submissions, public data sharing, any context where re-identification across exports must be impossible by design.
`"tracked"`	Payload identifiers are stable pseudonyms derived per program via a salted hash of the internal entity ID. The same entity produces the same ref for the same destination program, but a different ref for a different program. Internal database IDs are never exposed.	Longitudinal programs requiring repeated measurement of the same entities over time (e.g., sentinel monitoring, cohort studies).

Hard rule. In neither mode may a raw internal database identifier, user account identifier, device identifier, or any other persistent system ID appear in an exported document. The application generating the export is responsible for enforcing this before writing the file.

Tracked mode — pseudonym derivation

Applications implementing tracked mode must derive stable pseudonyms using a cryptographic approach that satisfies the following properties:

Deterministic — the same input always produces the same output for the same program.
Program-isolated — different destination programs produce different pseudonyms for the same entity.
Non-reversible — the internal ID cannot be recovered from the pseudonym without the application's private salt.

The recommended approach is HMAC-SHA256 keyed with a per-program salt stored in the application's private data, never included in the export. The specific algorithm is left to the implementing application as long as the three properties above are satisfied.

Scope of this spec. VODS defines the model and the required properties. It does not mandate a specific hash function or salt storage mechanism. Domain specs may add more specific guidance for their context.

§ 4

Extensions

The extensions object provides a standardized namespace for organization-specific fields that fall outside the VODS envelope and outside the applicable domain spec. Extensions allow organizations to attach custom data to exports without polluting the core field space and without breaking conforming parsers that don't understand them.

Namespace convention

Each key in the extensions object is a namespace identifier chosen by the organization. The value is a JSON object containing that organization's custom fields. There is no central registry — organizations choose their own namespace keys. Short, lowercase, collision-resistant names are recommended.

{
  "vods_version": "1.0",
  "export_id":   "...",
  "export_date": "2026-03-09T14:22:00Z",
  "export_mode": "tracked",

  // domain payload here...

  "extensions": {
    "hfh": {                          // Hives for Heroes namespace
      "program_cohort": "Spring 2026",
      "mentor_id": "M-42"
    },
    "acme_research": {              // Another org's namespace
      "study_arm": "control"
    }
  }
}

Consumer requirements

R1
Ignore unknown namespaces. A conforming consumer must not reject a document because it contains extension namespaces the consumer does not recognize. Unknown namespaces are silently ignored.
R2
Do not modify extensions. When forwarding or transforming a VODS document, a processor must preserve extension data it does not understand. Stripping unknown extensions is not permitted unless the consumer explicitly declares itself a lossy transformer.
R3
Extensions do not override core fields. An extension namespace must not redefine any field defined in the VODS envelope or the applicable domain spec. Conflicts are resolved in favor of the core field.

§ 5

Versioning Contract

VODS uses semantic versioning (MAJOR.MINOR) for the vods_version field. The contract governing what each version increment means is part of the standard itself.

Add optional envelope fieldAdds a new optional field to the VODS envelope.

MINOR
e.g. 1.0 → 1.1

No impact. Consumers ignore unknown fields per R2.

Extend enum valuesAdds a new permitted value to an existing enum.

MINOR
e.g. 1.1 → 1.2

Consumers receiving an unknown enum value must not reject the document. They may treat it as an unrecognized value.

Change required field semanticsAlters what a required field means, renames it, or removes it.

MAJOR
e.g. 1.x → 2.0

Breaking change. Consumers must check the major version before processing.

Change anonymization modelAlters the anonymization modes or their required behavior.

MAJOR
e.g. 1.x → 2.0

Breaking change. Any privacy-critical behavior change is always major.

Consumer version compatibility rule

A consumer that implements VODS vN.x must:

Accept any document where the major version matches (e.g., a VODS 1.0 consumer must accept VODS 1.3 documents).
Reject documents with a different major version and report the version mismatch clearly.
Never reject a document solely because it contains fields the consumer does not recognize.

Domain spec versioning. Domain specs (OHDS, OCEADS, etc.) carry their own version field and follow the same semantic versioning contract independently of vods_version. A VODS minor bump does not imply an OHDS minor bump, and vice versa.

§ 6

Conformance Rules

A document or application claims VODS v1.0 conformance by meeting all of the following rules. Partial conformance is not recognized.

C1
Envelope completeness. Every export document contains all four required envelope fields: vods_version, export_id, export_date, export_mode.
C2
Valid export_id. The export_id is a valid UUID v4, generated fresh for each export, and is never reused across exports from the same application.
C3
Valid export_date. The export_date is a valid ISO 8601 datetime string including timezone information. Date-only strings are not acceptable.
C4
Anonymization model honoured. The application correctly implements the anonymization behavior corresponding to the declared export_mode. No raw internal identifiers appear in any exported document regardless of mode.
C5
Extensions are namespaced. Any organization-specific fields appear under a named namespace key within the extensions object, not at the document root.
C6
Unknown fields tolerated. A conforming consumer does not reject a valid VODS document because it contains fields, enum values, or extension namespaces not defined in the version of the spec the consumer implements.
C7
Domain spec conformance is separate. VODS conformance does not imply conformance to any domain spec. Applications claiming conformance to OHDS v1.0, for example, must separately satisfy OHDS conformance rules in addition to these.

§ 7

Building on VODS — Guidance for Domain Specs

This section is informational. It describes the expected pattern for domain specifications that build on VODS. It does not impose additional conformance requirements on VODS itself.

What a domain spec adds

Its own version field (e.g., ohds_version, oceads_version).
One or more payload arrays or objects containing the domain data.
A minimum content rule — the conditions under which a document is considered non-empty and valid for the domain.
Domain-specific field definitions, enum values, required vs optional field distinctions, and validation rules.
Domain-specific guidance on how the anonymization modes apply to identifiers in the payload.

What a domain spec must not do

Redefine or alter the meaning of any VODS envelope field.
Change or add permitted values to export_mode.
Place organization-specific or domain-specific optional fields outside of the extensions namespace.
Require a VODS major version other than the one the domain spec declares itself to build on.

Example — OHDS v1.0 on VODS v1.0

{
  // VODS envelope (required by VODS)
  "vods_version":  "1.0",
  "export_id":    "a3f8c2e1-04b7-4d9e-b221-7f3a09cc1d82",
  "export_date":  "2026-03-09T14:22:00Z",
  "export_mode":  "anonymous",

  // OHDS domain fields (required by OHDS)
  "ohds_version":  "1.0",
  "inspections": [
    {
      "inspection_date": "2026-03-01",
      "apiary_ref":      "A-9f4c",
      "hive_ref":        "H-2a71",
      "colony_status":   "alive"
    }
  ],

  // Optional extension data
  "extensions": {
    "hfh": { "program_cohort": "Spring 2026" }
  }
}

Why two version fields? vods_version tells any generic VODS processor what envelope rules apply. ohds_version tells an OHDS-specific processor what domain schema applies. A VODS processor doesn't need to know the OHDS version to validate the envelope. An OHDS processor needs to know both. The two fields serve different consumers and evolve independently.