Why your clients' data should not leave Switzerland

When a Swiss SME chooses where to host its client data — contact details, purchase histories, files, correspondence — it makes a decision that goes far beyond the technical scope. It takes on legal responsibility, reputation, and the trust its clients place in it. Yet many businesses do not know precisely where their data is stored. A SaaS application whose servers are in Ireland, an ERP hosted on AWS Frankfurt, email on US servers — without realising it, your client data may already have left Switzerland. Here is why that is a problem, and how to address it.

Switzerland is not the European Union

Switzerland is not an EU member and is not part of the European Economic Area. Its data protection legal framework — the nFADP — is aligned with the European GDPR but remains distinct. In practice, this means that the rules applicable to data transfers between Switzerland and other countries are specific. Switzerland maintains its own list of countries recognised as providing adequate protection. The United States is not on that list without additional contractual guarantees. If you use US cloud services to host Swiss client data, you must ensure that appropriate legal mechanisms cover that transfer — something many businesses have not put in place.

The CLOUD Act: a sword of Damocles over your data

The Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, is a US law adopted in 2018. It allows US authorities to require US technology companies to provide data stored on their servers — including servers located outside the United States. AWS, Microsoft Azure, Google Cloud, Salesforce, Microsoft 365 — all these services are operated by US companies subject to the CLOUD Act. Even if your data is physically stored in Europe or Switzerland, it remains potentially accessible to US authorities on request. For a Swiss SME hosting client files, medical information, financial data, or confidential correspondence, this is a real risk — even if the probability of it materialising remains low in day-to-day practice.

Client trust: an often underestimated argument

Beyond the legal framework, hosting your clients' data in Switzerland is a concrete commercial argument in many sectors. In regulated sectors — healthcare, finance, legal, fiduciary, insurance — data location is often an explicit requirement from clients or regulators. A law firm, fiduciary, or clinic cannot afford to answer "I don't know" to the question "where is my data stored?". But even outside regulated sectors, data location is becoming a differentiator. Swiss businesses are increasingly sensitive to digital sovereignty — and some integrate it into their supplier selection criteria. Being able to answer "your data is hosted in Switzerland, in datacenters operated by a local team, with no dependence on foreign groups" is a simple answer to an increasingly common question.

What "data in Switzerland" really means

Be careful: not all hosts that display "Swiss hosting" are equal. Here is what to check:

  • Physical server location: data must be stored on servers physically located in Switzerland. A Swiss billing address or French-speaking support does not guarantee that data is not passing through foreign servers.
  • Operator jurisdiction: the host must be a Swiss legal entity, not subject to extraterritorial legislation such as the CLOUD Act. A Swiss datacenter operated by a subsidiary of a US company does not offer the same guarantees as an independent Swiss operator.
  • Subcontracting chain: even a Swiss host may use foreign subcontractors for certain services — monitoring, backup, CDN. It is important to understand where the Swiss processing chain ends.
  • Contracting: a data processing agreement must explicitly mention data location and any transfer conditions. Without an explicit contract, oral guarantees are legally worthless.

Sectors most affected

Some sectors are particularly exposed to risks linked to the offshoring of client data:

  • Regulated professions (lawyers, notaries, fiduciaries, doctors): professional secrecy imposes strict confidentiality and data location requirements. A breach may engage the personal liability of the professional.
  • Finance and insurance: client financial data are among the most sensitive. Sector regulations (FINMA, FinIA) impose high traceability and security requirements.
  • Healthcare: medical data are sensitive data within the meaning of the nFADP. Their processing is subject to strengthened rules, and patients have extended rights over their data.
  • E-commerce and retail: order, address, and payment data constitute a sensitive asset. A leak or breach can have significant reputational consequences for the company.
  • HR and personnel management: employee data — salaries, appraisals, medical data — are among the most sensitive data a company processes.

What you can do in practice

  • Map your data flows: identify which services process client data, where those services are hosted, and which subcontractors are involved. This is the first step to knowing where you stand.
  • Audit your SaaS contracts: check the terms and privacy policies of every piece of software you use. Data location is often mentioned — sometimes in small print.
  • Prefer Swiss alternatives: for critical tools — email, storage, CRM, ERP — Swiss or European alternatives often exist. They are not always functionally equivalent, but the question is worth asking.
  • Host your infrastructure in Switzerland: for the data you directly control — databases, client files, business applications — choose an independent Swiss host with explicit contractual guarantees.

In summary

Hosting your clients' data in Switzerland is not just a legal obligation — it is a trust decision. In a context where digital sovereignty is becoming a strategic issue, being able to answer clearly the question "where is my data?" is a real competitive advantage. For Swiss SMEs handling sensitive client data, the simplest and most robust answer remains hosting with an independent Swiss operator — with clear contractual guarantees and an entirely Switzerland-based processing chain. If you would like to assess your situation or discuss your options, contact us — we can help you identify the right solution for your context.

AlpineDC has dedicated rooms in Lausanne and Crissier, with an autonomous AS198385 network and multi-operator connectivity. Our infrastructures are exclusively located in Switzerland and operated by a local team.