VODS v1.0 — Veydrin Open Data Standard

§ 1

Overview

VODS defines the common contract that all Veydrin-family data exports share. It does not specify what data a particular domain exports — that is the responsibility of domain specs like OHDS (Open Hive Data Standard) or OCEADS. VODS specifies the envelope: the identity, mode, privacy model, and extension system that every conforming export carries regardless of domain.

Any VODS-conforming document can be processed by a generic VODS parser without knowing anything about the domain payload. Domain-specific parsers receive a VODS-valid document and additionally interpret the payload according to their own spec.

Design principle. VODS is deliberately minimal. It defines only what is universal across all possible Veydrin domain exports. When in doubt, a field belongs in the domain spec, not here.

Conventions. The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119 and RFC 8174.

Why a new standard

Existing open data formats either target enterprise and institutional use cases, focus on semantic web interoperability, or define packaging without built-in privacy guarantees. VODS fills a different gap: a minimal, privacy-first data envelope designed for individuals, communities, and citizen science — where the person who generates the data controls how it is identified, shared, and used.

The anonymization model is not optional. Internal identifiers never leave the device. And because every Veydrin domain specification inherits the VODS envelope, these protections extend automatically to beekeeping data (OHDS), controlled environment agriculture (OCEADS), household financial data (VFDS), and any future domain built on this base.

Known implementations. The Veydrin Order's Ojarim pollinator atlas uses VODS as its data protocol foundation. The Ninth Star Foundation's Nemorith application (org.ninthstar.nemorith) implements VFDS v1.0, which inherits the VODS envelope. If you ship a VODS-conforming export, open an issue on the protocols repository and we will list it here.

VODS v1.0 — Base Envelope

↓ inherited by

OHDS v1.0
Apiary Data OCEADS v1.0
Cultivation Data VFDS v1.0
Financial Data Future Domain
Any subject

All domain specs inherit the VODS envelope and extend it with domain payload

§ 2

The Envelope

A VODS-conforming document is a JSON object encoded as UTF-8 per RFC 8259. The following root-level fields constitute the VODS envelope. All required fields MUST be present. Domain specs add their own required and optional fields alongside these.

File extension. The recommended file extension for a standalone VODS export is .vods.json. Domain specs MAY define their own extensions (e.g., .ohds.json, .vfds.json) that imply VODS envelope conformance.

Field	Type	Req?	Description
`vods_version`	string	req	VODS specification version this document conforms to. Currently `"1.0"`. Consumers MUST accept any version with a matching major number.
`export_id`	string (UUID)	req	Randomly generated UUID v4, created fresh for each export. Never reused. Never derived from any internal identifier.
`export_date`	string (ISO 8601)	req	Timestamp of when this export was generated. Full datetime with timezone offset or Z suffix required. Example: `"2026-03-09T14:22:00Z"`.
`export_mode`	enum	req	Anonymization mode governing how identifiers in this export are handled. MUST be `"anonymous"` or `"tracked"`. See §3.
`source_app`	string	opt	Reverse-domain package identifier of the application that generated this export (e.g., `"org.veydrin.apiara"`). RECOMMENDED for all exports. Enables provenance tracking across multiple applications sharing the same data standard.
`source_app_version`	string	opt	Semantic version of the submitting application. SHOULD be present when `source_app` is present.
`contributor_org`	string	opt	Organization slug identifying the group this contributor belongs to (e.g., `"honey-for-humanity"`). Set by the user in the application. Enables organizations to track their members' aggregate contributions without requiring accounts or centralized management. The receiving server MAY auto-register unknown slugs on first submission.
`extensions`	object	opt	Namespace-keyed object for organization-specific fields. See §4. Consumers MUST ignore unrecognized extension namespaces.

Domain fields. Domain specs (OHDS, OCEADS, etc.) add their own version field (e.g., ohds_version) and payload arrays or objects alongside these envelope fields. The VODS envelope fields MUST always be present; domain fields follow the domain spec's own requirements.

Minimal valid VODS envelope

{
  "vods_version": "1.0",
  "export_id":   "a3f8c2e1-04b7-4d9e-b221-7f3a09cc1d82",
  "export_date": "2026-03-09T14:22:00Z",
  "export_mode": "anonymous"
  // domain payload fields follow here
}

VODS envelope with attribution

{
  "vods_version":        "1.0",
  "export_id":          "a3f8c2e1-04b7-4d9e-b221-7f3a09cc1d82",
  "export_date":        "2026-03-09T14:22:00Z",
  "export_mode":        "anonymous",
  "source_app":         "org.veydrin.apiara",
  "source_app_version": "2.0.0",
  "contributor_org":    "honey-for-humanity"
  // domain payload fields follow here
}

Org attribution is for the org, not the data. The contributor_org field enables organizations to track their members' aggregate contributions. It does not affect how the data is processed, validated, or stored. Servers MAY auto-register unknown org slugs on first submission. Organizations can then view their collective impact on the receiving platform.

Annotations (//) are shown for readability. Valid JSON does not permit comments — omit them in production output.

§ 3

Anonymization Model

VODS defines two privacy modes for data exports. Every domain spec MUST honour these modes in how it generates and handles any identifiers in the payload. The export_mode field declares which mode applies to the entire document — mixed-mode documents MUST NOT be produced.

Mode	Identifier behavior	Typical use
`"anonymous"`	All payload identifiers (entity refs, location refs, etc.) are randomized fresh for each export. There is no stable relationship between identifiers across exports. The same physical entity will have a different ref in every anonymous export.	One-time survey submissions, public data sharing, any context where re-identification across exports must be impossible by design.
`"tracked"`	Payload identifiers are stable pseudonyms derived per program via a salted hash of the internal entity ID. The same entity produces the same ref for the same destination program, but a different ref for a different program. Internal database IDs are never exposed.	Longitudinal programs requiring repeated measurement of the same entities over time (e.g., sentinel monitoring, cohort studies).

Hard rule. Regardless of mode, raw internal database identifiers, user account identifiers, device identifiers, and any other persistent system IDs MUST NOT appear in an exported document. The application generating the export is responsible for enforcing this before writing the file.

Tracked mode — pseudonym derivation

Applications implementing tracked mode MUST derive stable pseudonyms using a cryptographic approach that satisfies the following properties:

Deterministic — the same input always produces the same output for the same program.
Program-isolated — different destination programs produce different pseudonyms for the same entity.
Non-reversible — the internal ID cannot be recovered from the pseudonym without the application's private salt.

The recommended approach is HMAC-SHA256 keyed with a per-program salt stored in the application's private data, never included in the export. The specific algorithm is left to the implementing application as long as the three properties above are satisfied.

Scope of this spec. VODS defines the model and the required properties. It does not mandate a specific hash function or salt storage mechanism. Domain specs may add more specific guidance for their context.

§ 4

Extensions

The extensions object provides a standardized namespace for organization-specific fields that fall outside the VODS envelope and outside the applicable domain spec. Extensions allow organizations to attach custom data to exports without polluting the core field space and without breaking conforming parsers that don't understand them.

Namespace convention

Each key in the extensions object is a namespace identifier chosen by the organization. The value is a JSON object containing that organization's custom fields. There is no central registry — organizations choose their own namespace keys. Short, lowercase, collision-resistant names are recommended.

{
  "vods_version": "1.0",
  "export_id":   "...",
  "export_date": "2026-03-09T14:22:00Z",
  "export_mode": "tracked",

  // domain payload here...

  "extensions": {
    "hfh": {                          // Hives for Heroes namespace
      "program_cohort": "Spring 2026",
      "mentor_id": "M-42"
    },
    "acme_research": {              // Another org's namespace
      "study_arm": "control"
    }
  }
}

Consumer requirements

R1
Ignore unknown namespaces. A conforming consumer MUST NOT reject a document because it contains extension namespaces the consumer does not recognize. Unknown namespaces are silently ignored.
R2
Do not modify extensions. When forwarding or transforming a VODS document, a processor MUST preserve extension data it does not understand. Stripping unknown extensions is not permitted unless the consumer explicitly declares itself a lossy transformer.
R3
Extensions do not override core fields. An extension namespace MUST NOT redefine any field defined in the VODS envelope or the applicable domain spec. Conflicts are resolved in favor of the core field.

§ 5

Versioning Contract

VODS uses semantic versioning (MAJOR.MINOR) for the vods_version field. The contract governing what each version increment means is part of the standard itself.

Add optional envelope fieldAdds a new optional field to the VODS envelope.

MINOR
e.g. 1.0 → 1.1

No impact. Consumers ignore unknown fields per R2.

Extend enum valuesAdds a new permitted value to an existing enum.

MINOR
e.g. 1.1 → 1.2

Consumers receiving an unknown enum value MUST NOT reject the document. They MAY treat it as an unrecognized value.

Change required field semanticsAlters what a required field means, renames it, or removes it.

MAJOR
e.g. 1.x → 2.0

Breaking change. Consumers MUST check the major version before processing.

Change anonymization modelAlters the anonymization modes or their required behavior.

MAJOR
e.g. 1.x → 2.0

Breaking change. Any privacy-critical behavior change is always major.

Deprecation policy

When a field, enum value, or behavior is scheduled for removal, it MUST first be marked deprecated in a MINOR version release. Deprecated features continue to function, but implementers SHOULD begin migrating to the replacement. Deprecated features MUST NOT be removed earlier than the next MAJOR version. Each deprecation notice MUST identify what replaces the deprecated feature.

Consumer version compatibility rule

A consumer that implements VODS vN.x MUST:

Accept any document where the major version matches (e.g., a VODS 1.0 consumer MUST accept VODS 1.3 documents).
Reject documents with a different major version and report the version mismatch clearly.
MUST NOT reject a document solely because it contains fields, enum values, or extension namespaces the consumer does not recognize.

Domain spec versioning. Domain specs (OHDS, OCEADS, etc.) carry their own version field and follow the same semantic versioning contract independently of vods_version. A VODS minor bump does not imply an OHDS minor bump, and vice versa.

§ 6

Conformance Rules

A document or application claims VODS v1.0 conformance by meeting all of the following rules. Partial conformance is not recognized. A machine-readable schema for automated validation is available at vods-v1.0.schema.json.

C1
Envelope completeness. Every export document contains all four required envelope fields: vods_version, export_id, export_date, export_mode.
C2
Valid export_id. The export_id is a valid UUID v4, generated fresh for each export, and is never reused across exports from the same application.
C3
Valid export_date. The export_date is a valid ISO 8601 datetime string including timezone information. Date-only strings are not acceptable.
C4
Anonymization model honoured. The application correctly implements the anonymization behavior corresponding to the declared export_mode. No raw internal identifiers appear in any exported document regardless of mode.
C5
Extensions are namespaced. Any organization-specific fields appear under a named namespace key within the extensions object, not at the document root.
C6
Unknown fields tolerated. A conforming consumer does not reject a valid VODS document because it contains fields, enum values, or extension namespaces not defined in the version of the spec the consumer implements.
C7
Domain spec conformance is separate. VODS conformance does not imply conformance to any domain spec. Applications claiming conformance to OHDS v1.0, for example, MUST separately satisfy OHDS conformance rules in addition to these.

§ 7

Building on VODS — Guidance for Domain Specs

This section is informational. It describes the expected pattern for domain specifications that build on VODS. It does not impose additional conformance requirements on VODS itself.

What a domain spec adds

Its own version field (e.g., ohds_version, oceads_version).
One or more payload arrays or objects containing the domain data.
A minimum content rule — the conditions under which a document is considered non-empty and valid for the domain.
Domain-specific field definitions, enum values, required vs optional field distinctions, and validation rules.
Domain-specific guidance on how the anonymization modes apply to identifiers in the payload.

What a domain spec MUST NOT do

Redefine or alter the meaning of any VODS envelope field.
Change or add permitted values to export_mode.
Place organization-specific or domain-specific optional fields outside of the extensions namespace.
Require a VODS major version other than the one the domain spec declares itself to build on.

Example — OHDS v1.0 on VODS v1.0

{
  // VODS envelope (required by VODS)
  "vods_version":  "1.0",
  "export_id":    "a3f8c2e1-04b7-4d9e-b221-7f3a09cc1d82",
  "export_date":  "2026-03-09T14:22:00Z",
  "export_mode":  "anonymous",

  // OHDS domain fields (required by OHDS)
  "ohds_version":  "1.0",
  "inspections": [
    {
      "inspection_date": "2026-03-01",
      "apiary_ref":      "A-9f4c",
      "hive_ref":        "H-2a71",
      "colony_status":   "alive"
    }
  ],

  // Optional extension data
  "extensions": {
    "hfh": { "program_cohort": "Spring 2026" }
  }
}

Why two version fields? vods_version tells any generic VODS processor what envelope rules apply. ohds_version tells an OHDS-specific processor what domain schema applies. A VODS processor doesn't need to know the OHDS version to validate the envelope. An OHDS processor needs to know both. The two fields serve different consumers and evolve independently.

§ 8

Security Considerations

VODS is a data format specification, not a transport protocol. It does not define wire-level security, authentication, or encryption. The following considerations apply to implementations producing or consuming VODS-conforming documents.

Transport and storage security

VODS does not include built-in integrity verification such as checksums or digital signatures. Applications requiring tamper detection or authenticity guarantees MUST implement these at the transport or application layer. Documents containing sensitive data SHOULD be transmitted over encrypted channels and encrypted at rest.

Extension field injection

The extensions object permits arbitrary nested values under namespace keys. Consumers MUST sanitize extension values before rendering them in user interfaces or passing them to interpreters. Unsanitized string values from extensions could enable cross-site scripting or injection attacks in downstream systems.

Pseudonym reversibility

In tracked mode, pseudonyms derived from weak or predictable salts may be reversible through brute-force or dictionary attacks, particularly when the space of internal identifiers is small. Implementations SHOULD use cryptographically random salts of at least 32 bytes. The anonymization model protects against casual re-identification but is not designed to resist a motivated adversary with access to auxiliary datasets. Applications handling high-sensitivity data SHOULD layer additional protections beyond what VODS requires.

Resource exhaustion

The VODS envelope places no size limits on the extensions object or on domain payload fields. Consumers SHOULD enforce reasonable limits on incoming document size, nesting depth, and array length to prevent memory exhaustion from malformed or adversarial input.

Identifier leakage

Conformance rule C4 prohibits raw internal identifiers in exported documents. However, VODS cannot enforce this at the format level — enforcement is the producing application's responsibility. Implementers SHOULD audit their export pipelines to verify that no internal database IDs, user account identifiers, device identifiers, or filesystem paths leak into exported documents.

§ 9

Normative References

Reference	Title	Relevance
RFC 8259	The JavaScript Object Notation (JSON) Data Interchange Format	VODS documents are JSON objects per this specification.
RFC 9562	Universally Unique Identifiers (UUIDs)	`export_id` is a Version 4 UUID per §5.4 of this RFC.
RFC 3339	Date and Time on the Internet: Timestamps	`export_date` follows this profile of ISO 8601.
RFC 2119	Key words for use in RFCs to Indicate Requirement Levels	Normative keyword definitions (MUST, SHOULD, MAY).
RFC 8174	Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words	Clarifies that only uppercase keywords carry normative weight.
RFC 2104	HMAC: Keyed-Hashing for Message Authentication	Recommended algorithm for tracked-mode pseudonym derivation.

§ 10

Changelog

Version	Date	Changes
`1.0`	2026-03-31	Added optional envelope fields: `source_app` (application provenance), `source_app_version`, `contributor_org` (organization attribution for group contribution tracking). Updated JSON schema.
`1.0`	2026-03-09	Initial release — envelope, anonymization model, extensions, versioning contract, conformance rules.