Data spaces & federated data
How Cognitive Server connects to GAIA-X and IDS data ecosystems while keeping all inference and storage inside the operator's perimeter.
GAIA-X integration
GAIA-X defines a federated, rules-based data infrastructure for Europe. Cognitive Server participates as a compliant GAIA-X Service Offering: the operator registers the server as a self-described resource using a GAIA-X Credential, cryptographically signed by the operator's identity wallet.
The integration has three layers:
- Self-Description — Cognitive Server generates and signs a GAIA-X Self-Description document (JSON-LD) that declares its service attributes: jurisdiction (EU), data residency (on-premises), AI Act risk class, and the applicable compliance certifications. This document is published to the operator's Catalogue endpoint and registered with the GAIA-X Federation Services.
- Trust Anchor — Shield acts as the trust anchor. It issues tokens that carry the gx:serviceAccessPoint claim, allowing downstream GAIA-X connectors to verify that the request originates from a compliant service offering without any data leaving the perimeter.
- Policy enforcement — GAIA-X usage policies (expressed as ODRL contracts) are translated into Shield scopes at registration time. A policy that restricts a dataset to "EU-jurisdiction operators only" becomes a scope gx:eu-only that Shield enforces on every request. No ODRL engine runs at inference time; policy translation happens at compile time (registration), not at runtime.
{
  "@context": "https://www.w3.org/2018/credentials/v1",
  "@type": ["VerifiableCredential", "gx:ServiceOffering"],
  "issuer": "did:web:operator.internal",
  "credentialSubject": {
    "gx:name": "Cognitive Server — Sovereign AI",
    "gx:jurisdiction": "EU",
    "gx:dataResidency": "on-premises",
    "gx:aiActRiskClass": "limited",
    "gx:certifications": ["ISO/IEC 27001:2022", "ENS Alto"]
  }
}
IDS connector
The International Data Spaces (IDS) Reference Architecture defines a connector-based model for sovereign data exchange. Cognitive Server implements an IDS Connector adapter via Hub (APP-03), allowing it to act as both a data provider and a data consumer within an IDS dataspace without routing traffic through any cloud intermediary.
Connector identity — Each Cognitive Server instance registers as an IDS Connector with a DAPS (Dynamic Attribute Provisioning Service) token. The DAPS token is signed by the operator's PKI and carries the connector's security profile: idsc:BASE_SECURITY_PROFILE or idsc:TRUST_PLUS_SECURITY_PROFILE depending on the certification level.
Data transfer protocol — IDS uses its own Information Model (based on JSON-LD + SHACL) to describe datasets. Cognitive Server maps IDS Artifact requests onto Vault resource handles: an incoming IDS data request is translated into a vault:read call scoped to the requesting connector's tenant_id. The response is wrapped in an IDS Message envelope before leaving the server.
Policy translation — IDS Usage Control Policies (UCPs) are translated into Shield scopes at connector registration. An ids:COUNT_ACCESS policy limiting a dataset to 10 uses per connector becomes an audited counter in Chain — every access is traced and the limit is enforced by Shield before the Vault read executes.
{
  "@type": "ids:ConnectorEndpoint",
  "@id": "https://connector.operator.internal/",
  "ids:accessURL": {
    "@id": "https://connector.operator.internal/api/v1"
  },
  "ids:endpointInformation": "Cognitive Server IDS Adapter v1",
  "ids:securityProfile": {
    "@id": "idsc:TRUST_PLUS_SECURITY_PROFILE"
  }
}
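The policy translation described in the GAIA-X and IDS sections can be modelled as follows. This is an added example, not Cognitive Server code: it compiles usage rules into scopes and a use limit at registration, then checks each request with a scope comparison and a counter before any read. The names CompiledPolicy, compile_policy, Gate, the rule dictionary format, and the dataset and tenant identifiers are assumptions; only gx:eu-only, vault:read and ids:COUNT_ACCESS come from the page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CompiledPolicy:
    required_scopes: frozenset
    max_uses: Optional[int]  # per-connector limit from ids:COUNT_ACCESS, if any

def compile_policy(rules):
    """Registration time: translate usage-policy rules into scopes and a limit."""
    scopes, max_uses = {"vault:read"}, None
    for rule in rules:
        if rule["constraint"] == "gx:eu-only":
            scopes.add("gx:eu-only")
        elif rule["constraint"] == "ids:COUNT_ACCESS":
            max_uses = int(rule["limit"])
        else:
            # Fail closed: an untranslatable rule must not become "no restriction".
            raise ValueError(f"unsupported constraint: {rule['constraint']!r}")
    return CompiledPolicy(frozenset(scopes), max_uses)

class Gate:
    """Request time: set and counter checks only, no policy engine."""
    def __init__(self, policies):
        self.policies = policies  # dataset -> CompiledPolicy
        self.uses = {}            # (tenant_id, dataset) -> accesses so far
        self.audit = []           # stand-in for the audited trace

    def authorize(self, tenant_id, token_scopes, dataset):
        policy, key = self.policies.get(dataset), (tenant_id, dataset)
        if policy is None:
            decision = "deny:unknown-dataset"  # default deny
        elif not policy.required_scopes <= set(token_scopes):
            decision = "deny:missing-scope"
        elif policy.max_uses is not None and self.uses.get(key, 0) >= policy.max_uses:
            decision = "deny:count-exhausted"
        else:
            # A real deployment needs this check-and-increment to be atomic.
            self.uses[key] = self.uses.get(key, 0) + 1
            decision = "allow"
        self.audit.append((tenant_id, dataset, decision))  # denials are logged too
        return decision == "allow"

# Constructed sample: one dataset carrying both restrictions named on the page.
RULES = [{"constraint": "gx:eu-only"}, {"constraint": "ids:COUNT_ACCESS", "limit": 10}]

def demo():
    gate = Gate({"dataset-a": compile_policy(RULES)})
    eu_token = {"vault:read", "gx:eu-only"}
    results = [gate.authorize("tenant-1", eu_token, "dataset-a") for _ in range(11)]
    results.append(gate.authorize("tenant-2", {"vault:read"}, "dataset-a"))
    return results, gate.audit[-2:]
```

The eleventh request from tenant-1 and the request lacking gx:eu-only are both denied and still recorded, so the audit trail shows attempted overuse as well as granted reads.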