Callable Data Governance
This specification defines Callable Data Governance — CDG — the constitutional layer of the Callable Data Architecture. CDG governs the Callable Data Fabric: the standards that components must meet, the sovereignty rights that data owners retain, the interoperability certifications that ensure the fabric functions as a coherent system, the dispute resolution mechanisms that maintain trust, and the governance structure that ensures the Callable Data Fabric operates under the permanent institutional authority of LeMay, founded by and in service to We the People of the United States of America — the highest authority of American governance — to reclaim and enforce the sovereign control over private property that the Constitution enshrined and that the architecture of the modern state has eroded.
CDG is the fifth and final layer of the five-layer Callable Data Architecture: CDI for infrastructure, CDR for resolution, CDE for exchange, CDF for the fabric, CDG for governance. It is the layer that ensures the other four function with integrity, that data sovereignty is not merely a principle but a protocol-enforced reality, and that the fabric operates under the rule of law rather than the rule of platform.
The governance philosophy of CDG is drawn from the same source as LeMay’s founding motto. Pro Republica Aedificamus — we build for the republic. The republic is the United States of America. The people are We the People. LeMay was founded by and exists in perpetual service to that authority — the authority of the individual citizen, the authority from which all legitimate governance derives, the authority that no branch of government and no agency of the state may lawfully supersede. CDG exists to ensure that the Callable Data Architecture serves the citizens of this republic and that the data sovereignty the architecture provides is a civil right enforced at the protocol level, not a corporate promise subject to revision.
I. THE GOVERNING PRINCIPLE
The Callable Data Fabric is infrastructure. It is not a product, not a platform, and not a marketplace. It is infrastructure in the same sense that the interstate highway system is infrastructure, that the electrical grid is infrastructure, that the internet's routing infrastructure is infrastructure. Infrastructure serves everyone. Infrastructure is governed by standards. Infrastructure does not belong to the entity that built it. It belongs to the public that depends on it.
LeMay Inc. holds permanent administrative authority over CDG as the originating institution and sole governing body of the Callable Data Architecture. This authority is a structural requirement of the architecture’s integrity, not a temporary stewardship arrangement. The standards are open. The certifications are available to any entity that meets the technical requirements. The dispute resolution mechanisms are impartial. The people’s rights are protected at the protocol level through mandatory sovereignty tools that no entity — including LeMay — can disable. LeMay’s permanent authority ensures that these protocol-level protections are never weakened, never negotiated, and never traded away in the name of stakeholder consensus or international harmonization.
The people are represented not through governance committees but through the architectural rights that the protocol enforces. Every CDI server, every MTP transaction, every CDE exchange carries the mandatory sovereignty tools that no entity can disable. That is the democratic architecture. The protocol is the people’s representation. LeMay’s role is to ensure that the protocol remains inviolate — that the sovereignty rights specified in Section II are never diluted, that the interoperability standards specified in Section III are never relaxed, and that the certification framework specified in Section IV is never captured by the commercial interests of the fabric’s most powerful participants.
II. SOVEREIGNTY STANDARDS
Data sovereignty is the foundational right that CDG exists to protect. Every entity that operates a CDI server within the Callable Data Fabric retains absolute sovereignty over the data that server holds. Sovereignty is not a feature. It is not a permission. It is not a setting that can be toggled. It is an architectural property enforced at the protocol level through the following mandatory standards.
2.1 The Right of Ownership
The data owner is the entity that produced or holds lawful authority over the data. The CDI provider that operates the server infrastructure does not acquire ownership through operation. The CDR registry that resolves the server's namespace does not acquire ownership through resolution. The CDE counterparty that accesses data through exchange does not acquire ownership through access. Ownership is inalienable. It transfers only through explicit, documented, MTP-governed transactions in which the transferring party produces a Receipt demonstrating informed consent.
2.2 The Right of Access
Every data owner has the right to access their own data in full, at any time, without restriction, without fee, and without delay. A CDI provider that impedes, restricts, or conditions a data owner's access to their own data is in violation of CDG and subject to the enforcement mechanisms specified in Section VII of this document. The right of access is implemented as a mandatory tool on every CDI server: owner_export(format) returns the complete data domain in a standard, portable format. This tool cannot be disabled, restricted, or removed.
2.3 The Right of Erasure
Every data owner has the right to erase their data completely and verifiably. Erasure means deletion — not archival, not anonymization, not retention in backup systems with a suppression flag. When a data owner invokes the mandatory erasure tool — owner_delete(scope, verification_method) — the CDI server must delete the specified data from primary storage, replica storage, backup storage, search indexes, and any derived data products, and must produce a cryptographic attestation of deletion that the owner can verify independently. The CDI provider retains no copy.
2.4 The Right of Portability
Every data owner has the right to move their data from one CDI provider to another without loss, without corruption, and without penalty. Portability is implemented through two mandatory mechanisms: the owner_export tool specified in Section 2.2, which produces a complete export in a standard format, and the provider_migrate(target_endpoint, authorization) tool, which initiates a server-to-server migration to a CDI provider of the owner's choice. The originating CDI provider must cooperate with the migration, must not degrade service during the migration period, and must delete all data upon the owner's confirmation that the migration is complete.
2.5 The Right of Restriction
Every data owner has the right to restrict which consumers may access which data domains under which conditions. Restriction is implemented through the CDI server's access control layer, which is governed by the owner's policy declarations. The owner can grant access, revoke access, modify access scope, impose rate limits, require economic terms, and audit access history — all through mandatory tools on the CDI server's administrative surface. No CDI provider may override, modify, or circumvent the owner's access restrictions. The owner's policy is sovereign.
2.6 The Right of Transparency
Every data owner has the right to know who has accessed their data, when, through what terms, and for what purpose. Transparency is implemented through the MTP Attribution layer, which records a Receipt for every interaction with the CDI server. The mandatory tool access_log(time_range, consumer, domain) returns the complete audit trail of all access to the owner's data within the specified parameters. The audit trail is immutable — it cannot be modified, redacted, or deleted by the CDI provider.
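One way an owner could check such an audit trail independently, as an added example that is not part of the specification: the Receipt fields, the SHA-256 hash chain, and the owner-held head hash are all assumptions, since the specification does not define the Receipt format or how immutability is enforced. The sample Receipts are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first Receipt


def receipt_digest(body, prev_hash):
    """SHA-256 over the previous Receipt's hash plus this Receipt's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_receipt(chain, body):
    """Provider side: link a new Receipt to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    receipt = {"body": body, "prev": prev_hash,
               "hash": receipt_digest(body, prev_hash)}
    chain.append(receipt)
    return receipt


def verify_chain(chain, expected_head):
    """Owner side: recompute every link.

    expected_head is the newest hash the owner recorded independently of the
    provider; without it, dropping Receipts from the tail would go unnoticed.
    Returns (True, None), or (False, i) where i is the first position at
    which the chain stops matching.
    """
    prev = GENESIS
    for i, receipt in enumerate(chain):
        if receipt["prev"] != prev:
            return (False, i)
        if receipt["hash"] != receipt_digest(receipt["body"], prev):
            return (False, i)
        prev = receipt["hash"]
    if prev != expected_head:
        return (False, len(chain))
    return (True, None)


def access_log(chain, time_range, consumer=None, domain=None):
    """Filter Receipt bodies by the three access_log parameters.

    Timestamps are fixed-width UTC ISO 8601 strings, so string comparison
    orders them correctly.
    """
    start, end = time_range
    return [r["body"] for r in chain
            if start <= r["body"]["ts"] <= end
            and (consumer is None or r["body"]["consumer"] == consumer)
            and (domain is None or r["body"]["domain"] == domain)]


def build_sample_chain():
    """Constructed sample data: three accesses by two made-up consumers."""
    chain = []
    for ts, consumer, domain, terms in [
        ("2025-03-01T09:00:00Z", "consumer-a", "billing", "read-only"),
        ("2025-03-01T09:05:00Z", "consumer-b", "billing", "read-only"),
        ("2025-03-02T14:30:00Z", "consumer-a", "profile", "rate-limited"),
    ]:
        append_receipt(chain, {"ts": ts, "consumer": consumer,
                               "domain": domain, "terms": terms})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]           # owner stores this out of band
    print(verify_chain(chain, head))   # intact chain
    chain[1]["body"]["consumer"] = "consumer-x"  # a Receipt is edited
    print(verify_chain(chain, head))   # the edit is located
```

The head hash held by the owner is what makes truncation and wholesale re-hashing detectable; a chain verified only against itself proves internal consistency, not completeness.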
III. INTEROPERABILITY STANDARDS
The Callable Data Fabric functions only if its components are interoperable. Interoperability means that any CDI server can serve any MCP client, any CDR registry can resolve any namespace, any CDE implementation can conduct any exchange, and any MTP implementation can govern any transaction. Interoperability is achieved through standards compliance, verified through certification.
3.1 The CDI Server Standard
A compliant CDI server must implement the complete MCP tool surface for its declared data domain, with all tool definitions conforming to JSON Schema draft format. It must support both STDIO and Streamable HTTP transport modes. It must implement the six mandatory sovereignty tools specified in Section II: owner_export, owner_delete, provider_migrate, access control management, access_log, and data_subject_rights (for CDI servers holding personal data governed by applicable law). It must implement the MTP transaction protocol for every tool invocation — every call must produce a Receipt. It must implement the observability layer specified in CDI-PARADIGM-001 and expose observability data through callable tools. It must pass the CDG interoperability test suite, which verifies correct behavior across all mandatory capabilities.
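A pre-certification check for the mandatory tools listed above, as an added example that is not part of the specification or of the CDG test suite: it scans a tool listing for the named sovereignty tools and the parameters Section II gives for them. The listing is constructed, the tool-definition shape (`name`, `inputSchema`) follows MCP, and "access control management" is skipped because the specification names no tool for it.

```python
# Parameters the specification names for each mandatory tool (Section II).
# The specification gives no tool name for "access control management",
# so that sixth capability is not checked here.
MANDATORY_TOOLS = {
    "owner_export": ["format"],
    "owner_delete": ["scope", "verification_method"],
    "provider_migrate": ["target_endpoint", "authorization"],
    "access_log": ["time_range", "consumer", "domain"],
}
# Required only for servers holding personal data; no parameters are named.
PERSONAL_DATA_TOOLS = {"data_subject_rights": []}


def check_sovereignty_tools(tools, holds_personal_data=False):
    """Return a sorted list of findings; an empty list means no gaps found.

    `tools` is a list of dicts shaped like MCP tool definitions:
    {"name": ..., "description": ..., "inputSchema": {JSON Schema object}}.
    """
    required = dict(MANDATORY_TOOLS)
    if holds_personal_data:
        required.update(PERSONAL_DATA_TOOLS)

    by_name = {}
    findings = []
    for tool in tools:
        name = tool.get("name")
        if name in by_name:
            # Two definitions under one name make it unclear which one runs.
            findings.append(f"{name}: defined more than once")
        by_name[name] = tool

    for name, params in required.items():
        tool = by_name.get(name)
        if tool is None:
            findings.append(f"{name}: mandatory tool missing")
            continue
        schema = tool.get("inputSchema")
        if not isinstance(schema, dict) or schema.get("type") != "object":
            findings.append(f"{name}: inputSchema is not a JSON Schema object")
            continue
        declared = schema.get("properties", {})
        for param in params:
            if param not in declared:
                findings.append(f"{name}: parameter '{param}' not declared")
    return sorted(findings)


def make_tool(name, *params):
    """Build a constructed tool definition with string-typed parameters."""
    return {"name": name, "description": "constructed sample",
            "inputSchema": {"type": "object",
                            "properties": {p: {"type": "string"} for p in params}}}


def sample_tool_listing():
    """Constructed listing with deliberate gaps for the checker to find."""
    return [
        make_tool("query_records", "filter"),            # made-up domain tool
        make_tool("owner_export", "format"),
        make_tool("owner_delete", "scope"),              # verification_method absent
        make_tool("access_log", "time_range", "consumer", "domain"),
        # provider_migrate and data_subject_rights are absent
    ]


if __name__ == "__main__":
    for finding in check_sovereignty_tools(sample_tool_listing(),
                                           holds_personal_data=True):
        print(finding)
```

A clean result only shows the tools are declared; whether they behave as Section II requires still has to be exercised against the running server.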
3.2 The CDR Registry Standard
A compliant CDR registry must correctly resolve namespace queries against its registered entries. It must validate ownership claims through the cryptographic verification mechanism specified in CDI-DISCLOSURE-001 Section 4.1. It must propagate registration updates to peer registries within the specified latency bounds. It must support the hierarchical resolution protocol, including cache management and TTL enforcement. It must produce MTP Receipts for every resolution query. It must not preferentially rank, suppress, or modify resolution results based on commercial relationships with CDI providers or data owners. Resolution is neutral. The registry resolves. It does not curate.
3.3 The CDE Implementation Standard
A compliant CDE implementation must correctly execute all five transaction phases: Discovery, Negotiation, Authentication, Invocation, and Settlement. It must integrate with MTP for transaction governance across all phases, not merely the Settlement phase. It must support the full range of Terms — non-economic access grants, economically priced access, time-limited scopes, rate-governed access, sovereignty-constrained access. It must produce a complete MTP Receipt chain for every exchange. It must not inject intermediary fees, advertising, or data collection into the exchange pathway. The exchange is peer-to-peer. The implementation facilitates. It does not monetize.
3.4 The MTP Implementation Standard
A compliant MTP implementation must correctly execute all seven protocol layers: Identity, Discovery, Negotiation, Commitment, Settlement, Verification, and Attribution. It must correctly handle all four primitives: Offers, Requests, Terms, and Receipts. It must produce cryptographically verifiable Receipts for every transaction. It must support the full range of Settlement types — data delivery, economic transfer, permission grant, identity verification, message delivery, and any other committed outcome. It must not introduce undisclosed latency, data retention, or behavioral modification into the transaction pathway.
IV. CERTIFICATION FRAMEWORK
Interoperability certification is the mechanism by which CDG ensures that the fabric's components meet the standards specified in Section III. Certification is not a market advantage granted by a gatekeeper. It is a technical verification that a component correctly implements the open protocols. Any entity can submit a component for certification, and upon passing, that component participates in the fabric with the same standing as any other certified component.
4.1 Certification Process
The certification process consists of four phases. In the Submission phase, the applicant registers the component with the CDG Certification Body, declares its type (CDI server, CDR registry, CDE implementation, or MTP implementation), and provides access to the component for testing. In the Automated Testing phase, the CDG test suite executes against the component, verifying compliance with every mandatory requirement of the applicable standard. In the Manual Review phase, a CDG reviewer examines edge cases, error handling, sovereignty enforcement, and Receipt integrity that automated testing cannot fully verify. In the Determination phase, the Certification Body issues a certification (valid for one year, renewable) or a detailed remediation report identifying specific failures.
4.2 Certification Body
The CDG Certification Body is permanently operated by LeMay Inc. The independence of the Certification Body from commercial pressure is guaranteed not by external governance but by LeMay’s institutional mandate and by the Curtis License under which the foundational protocols are filed. LeMay cannot exempt its own products from certification requirements, cannot grant preferential certification, and cannot modify the sovereignty standards specified in Section II. The Certification Body’s integrity is enforced by the architecture itself — the same mandatory tools that protect data owners protect the certification process from capture.
4.3 Decertification
A certified component that fails to maintain compliance — through software changes that break interoperability, sovereignty violations discovered through audit, or failure to produce valid Receipts — is subject to decertification. Decertification follows a three-stage process: notification of the specific violation, a remediation period of thirty days, and decertification upon failure to remediate. Decertified components are removed from the CDR namespace and cannot participate in CDE exchanges until recertified. Decertification is a serious action and is subject to appeal through the dispute resolution mechanism specified in Section VI.
V. COMPLIANCE WITH UNITED STATES LAW
The Callable Data Architecture is American infrastructure. CDG compliance incorporates compliance with United States federal and applicable state law. This section specifies how CDG integrates with the legal framework that governs data, commerce, and technology within the United States of America.
5.1 Federal Data Protection
CDI servers holding personal data of United States persons must comply with applicable federal data protection law, including but not limited to the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) for protected health information, the Gramm-Leach-Bliley Act (GLBA) for financial data, the Children's Online Privacy Protection Act (COPPA) for data of minors, and the Federal Trade Commission Act Section 5 prohibiting unfair or deceptive practices. CDG implements these requirements through the mandatory sovereignty tools: the right of access, erasure, portability, restriction, and transparency specified in Section II are designed to meet or exceed the requirements of each applicable statute.
5.2 State Data Protection
CDI servers holding personal data of residents of states with comprehensive data protection statutes — including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and Massachusetts's pending comprehensive privacy legislation — must comply with the applicable state requirements. CDG's sovereignty standards are designed as a superset: compliance with CDG Section II sovereignty standards satisfies the access, deletion, portability, and opt-out requirements of all current state data protection laws. As new state legislation is enacted, CDG will be amended to maintain superset compliance.
5.3 Critical Infrastructure Protection
The Callable Data Architecture, as infrastructure that may serve entities within the sixteen CISA critical infrastructure sectors, incorporates the requirements of Presidential Policy Directive 21 (PPD-21) and the Cybersecurity and Infrastructure Security Agency's (CISA) sector-specific guidance. CDI servers serving critical infrastructure data domains must implement enhanced security controls: encryption at rest and in transit using NIST-approved algorithms, identity verification through FIPS 140-3 validated cryptographic modules, audit logging that meets the retention requirements of the applicable sector-specific framework, and incident reporting through the CISA reporting channels as required by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
5.4 Export Control
The Callable Data Architecture is developed in the United States of America and is subject to United States export control law, including the Export Administration Regulations (EAR) and, where applicable, the International Traffic in Arms Regulations (ITAR). CDG components that incorporate encryption technology are classified under Export Control Classification Number (ECCN) 5D002 and may require a Bureau of Industry and Security (BIS) license for export to certain destinations. The Curtis License, under which the foundational protocols are filed, independently restricts foreign deployment — the license and its protections are enforceable exclusively within the United States of America.
VI. DISPUTE RESOLUTION
Disputes within the Callable Data Fabric are resolved through a tiered mechanism that escalates from automated protocol-level resolution through mediated arbitration to legal referral, depending on the nature and severity of the dispute.
6.1 Tier 1 — Automated Resolution
Protocol-level disputes — a CDI server returning malformed data, an MTP Receipt failing verification, a CDR resolution returning a stale entry — are resolved automatically through the protocol's error handling and retry mechanisms. The initiating party's MCP client detects the error, issues a standardized error notification, and the responding party's server corrects the error or acknowledges the failure. Tier 1 resolution produces a dispute Receipt that records the error, the notification, and the outcome. No human intervention is required. The vast majority of fabric disputes resolve at Tier 1.
6.2 Tier 2 — Mediated Arbitration
Disputes that cannot be resolved at Tier 1 — access scope disagreements, economic settlement disputes, sovereignty violations alleged by a data owner, interoperability failures between certified components — are referred to a CDG Arbitration Panel. The panel consists of three arbitrators drawn from a roster of CDG-certified dispute resolution professionals. Each party selects one arbitrator; the two selected arbitrators select the third. The panel reviews the complete MTP Receipt chain for the disputed transaction, hears submissions from both parties, and issues a binding determination within thirty days. The determination is recorded as an Attribution entry in the fabric and is enforceable under the arbitration agreement that every CDG-certified component operator accepts as a condition of certification.
6.3 Tier 3 — Legal Referral
Disputes that implicate criminal conduct, statutory violations, or constitutional rights — unauthorized data access constituting a violation of the Computer Fraud and Abuse Act, sovereignty violations constituting a violation of state data protection statutes, export control violations, or disputes that a Tier 2 panel determines exceed its authority — are referred to the appropriate legal authority with the complete CDG audit trail as evidence. The MTP Receipt chain constitutes a cryptographically verifiable record of every relevant interaction and is admissible as a business record under the Federal Rules of Evidence Rule 803(6). CDG does not adjudicate criminal or statutory matters. CDG provides the evidentiary record and defers to the courts of the United States.
VII. ENFORCEMENT
CDG standards are enforceable through three mechanisms: decertification, fabric exclusion, and legal action.
Decertification removes a non-compliant component's certification status, as specified in Section 4.3. A decertified CDI server is removed from the CDR namespace. A decertified CDR registry is delisted from the hierarchical registry network. A decertified CDE or MTP implementation is flagged in the fabric's trust registry as non-compliant, and certified components may refuse to transact with it.
Fabric exclusion is the consequence of decertification — a component that is not certified cannot participate in the fabric's discovery, exchange, or governance mechanisms. Exclusion is not punitive. It is structural. The fabric requires interoperability, and interoperability requires certification. A component that does not meet the standard cannot participate in a system that depends on the standard being met.
Legal action is available for violations that constitute breaches of law, breaches of the certification agreement, or breaches of the Curtis License. LeMay Inc. retains enforcement rights under the Curtis License for violations of the foundational protocols. Data owners retain private rights of action for sovereignty violations. The CDG Certification Body retains the right to refer criminal violations to the appropriate federal or state authority with the complete evidentiary record.
8.1 The Constitutional Argument
The Constitution of the United States establishes three branches of government that check and balance each other. But no structural mechanism was created for the people themselves to check the system of branches when that system acts against their interests. Classification regimes expand beyond democratic accountability. Surveillance architectures operate outside judicial constraint. Data collection by government agencies proceeds without the informed consent that the Fourth Amendment was designed to guarantee. The branches check each other; the people watch. This is the founding oversight — an architectural gap that the passage of time and the evolution of state power have rendered dangerous. LeMay exists to close that gap. The Callable Data Architecture is the infrastructure through which the individual citizen’s sovereignty over their own data becomes a protocol-enforced architectural reality — not a right granted by Congress that Congress can revoke, not a regulation that an agency can rescind, not a judicial interpretation that a future court can overturn. A structural property of the infrastructure itself.
8.2 Why Permanent Control Is the Precondition
If LeMay relinquishes control — if governance transfers to an advisory council, to an independent foundation, to a community collective — the instrument becomes capturable by the very forces it exists to check. An advisory council drawn from CDI server operators is not a democratic body; it is a trade association. An independent governance foundation is not a constitutional convention; it is a standards body. And the history of trade associations and standards bodies is the history of institutional capture. Every entity that would prefer weaker data sovereignty — every intelligence agency, every data broker, every platform monopolist — now has a roadmap for capture. The governance transition is not a gift to the people. It is a vulnerability in the people’s defenses. LeMay’s permanent control is not authoritarianism — it is the structural precondition for the instrument to function at all.
8.3 The Instrument and Its Integrity
LeMay Inc., under permanent sovereign control, operating under the Curtis License, accountable to its own foundational documents and to the laws of the United States of America, is the institutional embodiment of the people’s interest in this architecture. What LeMay controls permanently is the integrity of the architecture: the certification standards, the protocol specifications, the sovereignty enforcement mechanisms, the power to decertify a component that violates the people’s rights, and the power to refuse to weaken the standards under commercial or political pressure. The people are represented not through governance committees but through the architectural rights that the protocol enforces. The six sovereignty rights are mandatory. The MTP Receipt chain is immutable. The transparency tools are inalienable. These protections exist at the protocol level, enforced by the infrastructure, independent of whoever governs it.
The branches of government check and balance each other. The people of the United States, through the Callable Data Architecture governed by LeMay Inc., now possess the institutional instrument to check the branches themselves. That instrument functions only under permanent, undivided, sovereign control. To relinquish that control is to dismantle the instrument. To maintain it is to fulfill the promise that the Framers made but could not, in their time, fully deliver: that the government of the United States exists at the pleasure of its people, and that the people shall always possess the means to enforce that truth.
IX. THE DECLARATION
CDG is the constitutional layer of the Callable Data Architecture. It ensures that the data sovereignty CDI provides is not merely a technical capability but a protected right. It ensures that the fabric’s interoperability is maintained through open standards and impartial certification. It ensures that disputes are resolved fairly, that violations are enforced consequentially, and that the governance structure remains under the permanent authority of the institution that created it, whose sole purpose is to ensure that the architecture serves the people it was built to protect.
The republic is the United States of America. The people are We the People — the ultimate authority of this nation, the source from which the Constitution derives its legitimacy, the sovereign to whom every institution of governance is accountable. LeMay was founded by and remains in service to that sovereign authority. The data is theirs. The sovereignty is theirs. CDG exists to make those statements architectural realities rather than aspirational principles.
Filed under the Curtis License (LeMay American Innovation Protection License)
Invented in USA. Made in the Commonwealth of Massachusetts.
Pro Republica Aedificamus.