Where is your data really?
Every day your company generates and processes sensitive data: invoices, contracts, employee data, banking information, correspondence with clients and suppliers. But do you know exactly where this data is stored? On which server, in which country, under which jurisdiction?
With the entry into force of the new Federal Act on Data Protection (nFADP) on 1 September 2023, Switzerland introduced stringent obligations for the processing and localisation of personal data. For SMEs and fiduciary firms, choosing a cloud provider is no longer a purely technical decision: it is a matter of legal compliance, reputation and civil liability.
This guide analyses why Swiss cloud hosting represents the safest choice for business data, comparing CH, EU and USA jurisdictions, examining the necessary certifications and providing concrete criteria for evaluating a cloud provider in an informed manner.
nFADP and hosting obligations
The new Federal Act on Data Protection (nFADP) and the related Ordinance (FADPO) impose specific requirements for hosting and processing personal data:
Data localisation (art. 16 nFADP)
The transfer of personal data abroad is only permitted to countries with an adequate level of protection recognised by the Federal Council. In the absence of such recognition, specific contractual guarantees (SCCs) or the explicit consent of the data subject are required.
Controller's responsibility (art. 5 nFADP)
The data controller remains responsible even when entrusting data to an external cloud provider. They must verify that the provider ensures adequate security and complies with contractual processing instructions.
Technical and organisational security (art. 8 nFADP)
The controller and processor must adopt technical and organisational measures appropriate to the risk: encryption, access control, backup, logging and business continuity plans.
Record of processing activities (art. 12 nFADP)
Companies with more than 250 employees (or processing sensitive data at scale) must maintain a record of processing activities that includes data categories, purposes, recipients and security measures adopted.
Breach notification (art. 24 nFADP)
In the event of a data security breach, the controller must promptly notify the FDPIC (Federal Data Protection and Information Commissioner). Hosting in foreign jurisdictions can complicate notification timelines and procedures.
Legal differences: CH vs EU vs USA
The jurisdiction in which data resides determines which laws apply, who can access it and with what guarantees. Here is a direct comparison between the three main jurisdictions:
| Criterion | Switzerland (nFADP) | EU (GDPR) | USA (CLOUD Act) |
|---|---|---|---|
| Applicable law | nFADP + FADPO (from 1.9.2023) | GDPR (from 25.5.2018) | CLOUD Act + ECPA + sectoral laws |
| Government access to data | Only with Swiss court order; no mass access | Possible with court order; varies by Member State | CLOUD Act: extraterritorial access even to data stored abroad |
| Cross-border data transfer | Permitted only to adequate countries (FDPIC list) or with SCCs | Permitted with adequacy decision or SCCs | No outbound restrictions; strong inbound pressure (FISA 702) |
| Maximum penalties | CHF 250,000 (personal liability of executives) | €20 million or 4% of global turnover | Variable; FTC sanctions, class actions |
| Right to erasure | Yes, art. 32 nFADP | Yes, art. 17 GDPR | Limited, only in some states (CCPA in California) |
| Mutual adequacy | CH recognises EU; EU recognises CH | EU recognises CH as adequate | EU-US Data Privacy Framework (unstable, already invalidated twice) |
Warning: the US CLOUD Act allows US authorities to request access to data managed by American companies regardless of where the data is physically stored. This includes providers such as AWS, Azure and Google Cloud, even if servers are located in Europe or Switzerland.
Requirements for business cloud
A cloud provider intended to host sensitive business data must meet a series of fundamental technical and organisational requirements:
- Data centres physically located in Switzerland, with redundant infrastructure and Tier III classification or higher to guarantee availability ≥ 99.982%
- End-to-end encryption of data at rest (AES-256) and in transit (TLS 1.3), with key management separate from the provider (BYOK — Bring Your Own Key)
- Granular role-based access control (RBAC) with mandatory multi-factor authentication (MFA) for all administrative users
- Automatic daily backups with geographic replication across at least two distinct Swiss sites, and documented recovery tests at least once a year
- SLA (Service Level Agreement) with guaranteed uptime ≥ 99.9%, defined response times for critical incidents and contractual penalties for non-compliance
- Documented business continuity plan (BCP) and disaster recovery plan (DRP), tested annually, with RTO (Recovery Time Objective) ≤ 4 hours and RPO (Recovery Point Objective) ≤ 1 hour
Certifications and security standards
Certifications attest that the cloud provider adheres to internationally recognised standards for information security. Here are the most relevant for the Swiss context:
ISO/IEC 27001
The international standard for information security management systems (ISMS). It covers risk management, security policies, access control and incident management. It is the minimum requirement for any serious cloud provider.
SOC 2 Type II
An independent audit conducted according to AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Type II verifies the effectiveness of controls over time (typically 6–12 months).
FINMA Circulars (for the financial sector)
FINMA Circulars 2018/03 (outsourcing) and 2023/01 (operational risks) define specific requirements for IT outsourcing in the Swiss financial sector. Relevant for fiduciary firms with regulated mandates and financial institutions.
ISO/IEC 27017 and 27018
Extensions of the 27001 standard specific to cloud: 27017 covers security controls for cloud services, 27018 focuses on protection of personal data (PII) in the public cloud.
C5 / ISAE 3402
The Cloud Computing Compliance Criteria Catalogue (C5) from the German BSI and ISAE 3402 are audit standards for internal controls of service providers. Increasingly requested by Swiss companies with international operations.
How to evaluate a cloud provider
Choosing a cloud provider is a strategic decision. Here are the six fundamental criteria to analyse before entrusting business data to an external supplier:
Jurisdiction and registered office
Verify that the provider has its registered office in Switzerland and that data centres are physically located on Swiss territory. A provider based in the USA is subject to the CLOUD Act, even if servers are in Switzerland. Favour 100% Swiss companies.
Certifications and audits
Request ISO 27001, SOC 2 Type II certifications and, if you operate in the financial sector, compliance with FINMA circulars. Verify that audits are recent (last 12 months) and conducted by recognised independent bodies.
Contract and SLA
Analyse the service contract: guaranteed uptime, incident response times, penalties, exit clauses and data portability. A good provider offers SLAs with uptime ≥ 99.9% and response times ≤ 15 minutes for critical incidents.
Encryption and key management
Verify that data is encrypted at rest and in transit with current standards (AES-256, TLS 1.3). Ideally, the provider should support BYOK or HYOK (Hold Your Own Key) to guarantee you exclusive control over encryption keys.
Backup and disaster recovery
Ask for details on backup frequency, geographic replication, recovery times (RTO/RPO), documented recovery tests and incident notification procedures. A reliable provider tests recovery at least quarterly.
Support and transparency
Evaluate the quality of technical support: 24/7 availability, contact channels, escalation times, language. Check transparency on past incidents (public status page, published post-mortems) and willingness to share audit results.
Advantages of the Swiss cloud
Choosing a Swiss cloud provider offers concrete advantages that go beyond mere regulatory compliance:
Legal sovereignty
Data remains under Swiss jurisdiction, protected by the nFADP and not subject to the US CLOUD Act or extraterritorial access requests. In the event of a dispute, Swiss law applies before Swiss courts.
Political and regulatory stability
Switzerland is internationally recognised for the stability of its legal framework and legal certainty. Data protection regulations do not change with emergency decrees or executive orders.
Latency and performance
Data centres in Switzerland mean minimal latency for local users (typically < 5 ms). For real-time accounting and management applications, the physical proximity of the server makes a tangible difference.
Client and partner trust
Communicating to your clients that data is stored in Switzerland is a concrete competitive advantage, especially for fiduciary firms, law practices and companies handling sensitive financial data.
Automatic nFADP compliance
With a Swiss provider, there is no need to resort to standard contractual clauses (SCCs) or verify Federal Council adequacy decisions. Cross-border transfer simply does not exist.
Local support and language
A Swiss provider offers support in national languages (IT, DE, FR), understands the local regulatory context and can respond to specific needs of Swiss SMEs and fiduciary firms without cultural or time zone barriers.
Practical tips
- Map all cloud services currently in use at your company (email, storage, accounting, CRM) and verify for each one where data physically resides and under which jurisdiction the provider falls
- For the most sensitive data (accounting, employee data, banking information), always favour a cloud provider with its registered office and data centres exclusively in Switzerland
- Include a clause in the contract with the provider explicitly prohibiting the transfer of data outside Switzerland without your written consent
- Request up-to-date ISO 27001 and SOC 2 Type II certifications from the provider and verify that audits are conducted by accredited and independent bodies
- Define an exit plan (exit strategy) before signing the contract: how you export your data, in what format, within what timeframe and at what cost
- Activate client-side encryption for the most critical documents, so that not even the provider can access the content in clear text
- Use AccountEX to store your company's accounting data on Swiss cloud infrastructure, with encryption, nFADP compliance and automatic backups — without compromising on security