The SEC, the regulatory sandbox and AI in the Philippines: a clear, fact-based explanation for Philippine businesses, with osFoundry as the example and dgm as an independent partner.

dgm is an independent osFoundry implementation partner — not affiliated with osFoundry’s developer (the company OS LLC), and it has not yet completed any client integrations.

The Securities and Exchange Commission (SEC) regulates capital markets, corporations and certain fintech in the Philippines, and runs a regulatory sandbox — relevant context for AI in investment and crypto-asset services.

What the SEC regulates

The SEC oversees securities, corporations, lending and financing companies, crowdfunding and crypto-asset service providers. It institutionalized the SEC Strategic Sandbox (StratBox) through Memorandum Circular No. 9 of 2024 and issued rules for Crypto-Asset Service Providers (MC Nos. 4 and 5 of 2025). A dedicated SEC issuance specifically on AI, beyond the general sandbox and fintech framework, has not been confirmed.

What it means for a business

If AI supports lending decisions, investment services or crypto-asset operations, you sit within the SEC’s remit as well as the Data Privacy Act. Use the sandbox where appropriate, keep human oversight of automated decisions, and document the data and logic.

Keeping data in the Philippines

osFoundry pins the data region to the United States, the EU or Japan, runs models locally on your own hardware, and supports self-hosting (BYO Cloud) on a cloud account you control. There is no dedicated managed Philippines region inside osFoundry, and — importantly — no hyperscaler operates a generally available full cloud region inside the Philippines as of 2026: Amazon Web Services runs a Local Zone in Manila (an extension of its Singapore region, not a full region), while Microsoft Azure and Google Cloud serve the country from Singapore. The honest implication is straightforward. The Data Privacy Act of 2012 does not impose a general private-sector data-localization requirement; cross-border transfer runs on an accountability model, so a deployment in the nearest Singapore region can be compliant provided your business stays accountable for the data. Where you need strict in-country control, the honest path is self-hosting on infrastructure you run in the Philippines, or running open-weight models locally (local-first). One further point worth weighing: data held by a United States-headquartered provider can fall within the reach of the US CLOUD Act regardless of where it physically sits, so pinning to a US provider’s Singapore region does not by itself remove US legal jurisdiction — a reason some businesses prefer EU or self-hosted open-weight options. Always confirm the current position with the National Privacy Commission or qualified counsel.

Important note

This article is general information and is not legal, tax or grant advice. Tax incentives, grants, rules and rates change, and only the relevant authorities (among them the National Privacy Commission, the Bureau of Internal Revenue, PEZA, the Board of Investments, the Bangko Sentral ng Pilipinas and the SEC) decide eligibility and awards. dgm is not a registered business enterprise, accredited incentive provider or intermediary. Always confirm the current terms with the official source or a qualified tax or legal adviser.

How dgm helps

dgm is an independent implementation partner that helps businesses in the Philippines adopt osFoundry — from identifying the first practical use case, through building it, to connecting AI to the systems you already use. dgm works independently of osFoundry’s developer (the company OS LLC) and has not yet completed any client integrations; everything above is therefore a description of the service offered, not a delivered result. If you would like to look at a sensible first step, dgm is happy to think it through with you. Arrange a no-obligation conversation with dgm.