Why robot training data IP is worth protecting
Robot training data is not generic. The demonstration data that a humanoid program collects represents accumulated engineering decisions: which tasks to prioritize, how to structure demonstrations for maximum policy generalization, what environmental conditions matter, and what failure modes need to be represented. These decisions reflect months of research and operational insight that competitors cannot easily replicate without access to the data itself.
More concretely: a dataset of 10,000 dexterous manipulation demonstrations collected by a leading robotics company encodes that company's understanding of which grasps work, which environments generalize, and what recovery strategies succeed. If this dataset were accessible to a competitor, they could train policies that perform comparably without investing the time and resources that the original program required.
The risk when outsourcing data annotation or collection to an external vendor is that proprietary data becomes accessible to people outside the company - annotators, QA reviewers, project managers, and potentially competitors who also work with the same vendor. Managing this risk requires more than a generic NDA. It requires specific contractual provisions, technical controls, and operational procedures that limit who can access what and ensure that data is handled only for the purpose it was shared for.
The regulatory context: what China's Data Security Law actually requires
China's Data Security Law (DSL, 2021) and the Personal Information Protection Law (PIPL, 2021) create a framework for data governance that Chinese companies must comply with when handling data domestically and when transferring data internationally. Understanding what these laws actually require - rather than a general assumption that cross-border data transfer is prohibited - is important for evaluating outsourcing options.
The DSL categorizes data by sensitivity: "general data," "important data," and "core data." The most stringent restrictions apply to "core data" (national security, military, critical infrastructure) and "important data" (sector-specific definitions). For most private commercial robotics programs producing manipulation demonstration data and video annotation, the data does not meet the statutory definitions of "important data" or "core data," and cross-border transfer does not require CAC approval.
However: programs involving robotics in regulated sectors (healthcare devices, autonomous vehicles on public roads, military or dual-use applications) should conduct a specific regulatory review before any cross-border data transfer. The sector-specific regulations under the DSL impose requirements that differ from the general framework.
The practical conclusion for most private robotics programs is that cross-border transfer of training data for annotation and collection purposes is legally available but must be implemented with appropriate data processing agreements that specify purpose limitation, security obligations, and deletion requirements - the same requirements that any responsible data processor should implement regardless of regulatory obligation.
1. Contractual safeguards that constitute genuine protection
The data processing agreement (DPA) with an overseas vendor should include the following provisions as non-negotiable terms. Generic NDAs that do not address these specifics provide limited practical protection.
Data ownership clause: Explicit statement that all collected and annotated data, all derivative works (trained models, embeddings, feature representations derived from the data), and all outputs from the annotation process are owned exclusively by the customer. The vendor retains no license to use the data or derivatives for any purpose, including improving their own models or services.
Purpose limitation clause: Data provided to the vendor may be used only for the specific annotation or collection task contracted. It may not be used to train internal models, develop vendor capabilities, or fulfill other customer engagements. This clause should be explicit and enforceable with defined remedies for breach.
Annotator-level NDA: The company-level NDA should be supplemented by individual confidentiality agreements signed by each annotator, QA reviewer, and project manager who has access to the customer's data. If a company-level NDA is breached by an individual employee, the individual NDA provides a separate basis for remedy.
Verified deletion clause: At the conclusion of the program, the vendor must provide written confirmation that all copies of the customer's data have been deleted from vendor systems, with an audit log showing the deletion events. Some customers additionally require a third-party audit of the deletion. The standard of "we deleted the data" without verifiable audit trail is insufficient for programs with genuine IP sensitivity.
Breach notification: The DPA should require the vendor to notify the customer within 24 hours of any unauthorized access, security incident, or potential data exposure. The notification should include the scope of the incident, the data potentially affected, and the remediation steps taken.
2. Technical safeguards for high-sensitivity programs
Contractual provisions alone are not sufficient for programs where data exposure would cause severe competitive harm. Technical controls limit what is possible even if contractual obligations are not honored.
Air-gapped annotation environments are the most effective technical control. In an air-gapped setup, annotation workstations have no internet access, no external storage ports (USB blocked), and no ability to copy or transmit files outside the secure environment. Data enters the environment through controlled intake procedures, and annotated output leaves through monitored checkout procedures with file integrity verification.
Air-gapped programs are operationally more expensive than standard annotation programs because they require physical security infrastructure, controlled intake/checkout procedures, and monitoring overhead. The additional cost is 20-40% above standard program rates for comparable annotation tasks. For programs where data exposure would cause significant competitive harm, this premium is appropriate.
Data watermarking embeds imperceptible identifiers in images or video frames that allow the source of a data leak to be traced back to the specific annotator workstation and session that handled the watermarked data. Watermarking does not prevent data leakage but enables forensic identification of the source and provides evidentiary support for breach claims. Watermarking can be applied before data enters the annotation environment as a passive protection layer.
Compartmentalization divides the program data into subsets that are assigned to different annotator teams, so that no single team sees the complete dataset. A team that annotates object detection labels sees different frames than the team that annotates action segmentation boundaries. This limits the value of any individual annotation team's access and reduces the information that could be extracted from a single source of exposure.
3. Operational controls that reduce exposure risk
Beyond contracts and technical controls, operational procedures reduce the probability of unauthorized access through human factors.
Background verification for annotators on sensitive programs should include employment history verification and, where legally available, criminal background checks. Annotators should understand before assignment to a sensitive program that their access to this data is subject to individual confidentiality obligations with personal liability for breach.
Minimum access principle: annotators should have access only to the specific data required for their annotation task, not to the full program dataset. A team annotating episode 1-500 should not have system access to episodes 501-1000. Role-based access controls in the annotation tooling enforce this constraint.
Session logging: all access to customer data should be logged with annotator identity, timestamp, and data accessed. Logs should be immutable and available to the customer for audit. The existence of comprehensive session logs deters unauthorized access and enables forensic investigation if an incident occurs.
No third-party subcontracting without approval: the DPA should prohibit the vendor from subcontracting annotation work to third parties without explicit customer written consent. Subcontractors who have not signed customer-specific NDAs represent unauthorized data exposure even if the primary vendor's contractual obligations are met.
DataX Power offers IP-protected annotation and collection programs with air-gapped environment options, individual annotator NDAs, verified deletion protocols, and session audit logs. Contact our team to discuss the appropriate IP protection tier for your program.
Discuss IP protection requirements- Does using a Vietnam-based vendor expose my robot training data to Chinese government access?
- No. Vietnam is a separate jurisdiction from China and Vietnamese data processors are not subject to Chinese law. Data processed in Vietnam is subject to Vietnamese data protection law, not Chinese law. The risk of unauthorized government access to your data in Vietnam is not meaningfully different from the risk in other standard offshore data processing locations.
- What is the difference between an NDA and a Data Processing Agreement?
- An NDA (non-disclosure agreement) covers confidentiality of information. A data processing agreement (DPA) specifically governs how a data processor handles personal data or proprietary data on behalf of a data controller. For robot training data programs, you need both: an NDA covering the confidentiality of your business context and technical specifications, and a DPA covering the specific handling, security, retention, and deletion of the data itself. A DPA without an NDA leaves business context unprotected. An NDA without a DPA leaves data handling obligations underspecified.
- How do I verify that my data has actually been deleted after the program ends?
- Require the vendor to provide a deletion certificate with the specific storage locations (server names or cloud storage paths) from which data was deleted, the deletion timestamps, and the method of deletion (whether the storage was overwritten or simply dereferenced). For maximum assurance, require that the vendor's IT team confirms deletion in a signed letter and that you retain audit rights to verify compliance within 30 days of the certificate. Third-party deletion audits are available from data governance firms for programs where independent verification is required.
- Should I use an overseas vendor or build in-house annotation capacity for sensitive data?
- The in-house vs. outsource decision for sensitive data should be based on program scale and risk profile, not reflexive preference. In-house annotation avoids third-party exposure but requires recruiting and managing an annotation workforce, which has its own security challenges (employee turnover, insider threat, inadequate technical controls). External vendors with mature IP protection infrastructure and verifiable controls often provide stronger protection than hastily built internal capabilities. Evaluate the actual security posture of each option rather than assuming internal is inherently more secure.


