Data Sovereignty: Why Your Data Should Stay in Switzerland

Data sovereignty is not a marketing phrase. For Swiss companies in regulated industries, it is a legal necessity. An overview of the facts.

“Swiss-hosted” appears on more and more software websites. Microsoft is investing 400 million dollars in Swiss cloud infrastructure. Google and AWS operate data centres in Zurich. Hosting in Switzerland is becoming a standard feature. But “hosted in Switzerland” and “data sovereign” are not the same thing.

This article explains the difference, why it matters for regulated industries, and what questions Swiss companies should ask before choosing an AI provider.

What Data Sovereignty Means

Data sovereignty means that data is subject exclusively to the laws of the country in which it is processed. No foreign jurisdiction can compel access.

For data in Switzerland, this means: only Swiss law applies. The FDPIC is the competent supervisory authority. No foreign intelligence service, no foreign law enforcement agency can demand access, except through the channel of international mutual legal assistance.

This principle breaks down when the provider is subject to a foreign jurisdiction that holds extraterritorial access powers.

The CLOUD Act: The Concrete Problem

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of the United States came into force in 2018. It allows US authorities to demand that US companies hand over data, regardless of where that data is physically stored.

In practice, this means: if a Swiss company stores data with a US provider (Microsoft Azure, Google Cloud, Amazon AWS, Salesforce, etc.), a US authority can demand the disclosure of that data. A server location in Switzerland does not protect against the CLOUD Act, because the law attaches to control of the company, not to the location of the data.

The provider’s contractual terms (“We will not disclose data without your consent”) cannot override the CLOUD Act. A contract sits below a federal statute in the hierarchy of norms. If a US court orders disclosure, the US provider must comply, even if its contract with the Swiss customer says otherwise.

Why This Matters for Regulated Industries

Attorney-Client Privilege (BGFA Art. 13)

Swiss lawyers are bound by professional secrecy under Art. 13 of the Federal Act on the Free Movement of Lawyers (BGFA, SR 935.61). Violation is punishable under Art. 321 SCC.

If a lawyer enters a client enquiry into an AI tool operated by a US company, there is a theoretical risk that this enquiry could be disclosed through a CLOUD Act access request. This would constitute a potential breach of professional secrecy.

FINMA Supervision

FINMA-supervised institutions (banks, insurers, asset managers) are subject to strict data security and outsourcing requirements. FINMA Circular 2018/3 “Outsourcing” requires a risk analysis when outsourcing business functions, including IT services. Outsourcing to a provider subject to a foreign jurisdiction with extraterritorial access powers is a risk that must be documented and mitigated.

Federal Act on Data Protection (FADP)

The Swiss FADP (SR 235.1) regulates cross-border data transfers in Art. 16-17. Data may only be transferred to countries with an adequate level of protection. Switzerland has not issued a general adequacy decision for the United States. Transfers to the US require additional safeguards (standard contractual clauses, binding corporate rules).

The CLOUD Act undermines these safeguards because it opens an access path that no contractual clause can block.

The Alternatives

Swiss Providers with Swiss Infrastructure

Companies like Infomaniak, Exoscale, and Safe Swiss Cloud operate data centres in Switzerland and are subject exclusively to Swiss law. No CLOUD Act. No access by foreign authorities except through formal mutual legal assistance.

For AI applications, these providers increasingly offer GPU capacity and managed AI services. Performance does not match that of the US hyperscalers, but for most Swiss use cases it is sufficient.

Open-Source Models on Own Infrastructure

Open-source language models such as Mistral Small 4 (Apache 2.0) or Qwen3.5 run on standard hardware. A Mac Studio with 96 GB RAM can run a model with 35 billion parameters locally. No cloud. No API calls. No data leaving the building.

Swiss LLCs with Swiss Hosting

AI service providers organised as Swiss GmbHs that operate their entire infrastructure in Switzerland offer the cleanest solution: Swiss law, Swiss data, Swiss accountability.

Five Questions for Every AI Provider

Before a Swiss company in a regulated industry evaluates an AI provider, it should ask these questions:

  1. In which country is your company registered? A Swiss subsidiary of a US parent company is subject to the CLOUD Act.

  2. Where is data physically processed and stored? A “Swiss region” at a US hyperscaler is not the same as a Swiss data centre operated by a Swiss company.

  3. Is your company subject to the US CLOUD Act or comparable foreign laws? Direct question, direct answer. Do not accept evasion.

  4. Can you contractually guarantee that no data will be disclosed to foreign authorities? If so: on what legal basis? If the provider is subject to a foreign access law, this guarantee is not legally enforceable.

  5. Which Swiss court has jurisdiction in case of disputes? Swiss jurisdiction is the minimum. Foreign jurisdiction in a data sovereignty offering is a contradiction.

Conclusion

Data sovereignty is not a marketing argument. For law firms, FINMA-supervised institutions, and every Swiss company that processes personal data, it is a legal requirement.

The good news: Swiss alternatives exist. Swiss cloud providers, open-source models, and Swiss AI service providers make it possible to harness the benefits of AI without losing control over data.

Further information: montvirtua.com

This article is for general information purposes and does not constitute legal advice.
