swiss hosting

what does swiss hosting mean?

swiss hosting is based on two promises:

The data remains in Switzerland.
This data can only be accessed by third parties via the Swiss authorities.

The first promise can be upheld by large international providers with a base in Switzerland – but not the second. Any statements indicating that data protection to Swiss standards can be enforced via a contract are false. The following four cases provide interesting examples:

CLOUD Act: This US law has been in place since 2018. It allows US authorities to access data stored by US-based companies. The company’s presence in a foreign jurisdiction is irrelevant.
Schrems II: For a long time, the Privacy Shield agreement was what enabled data to be exported from the EU to the United States in line with EU standards. The ECJ declared Privacy Shield invalid as of July 2020 as a result of its ruling on Schrems II. The court considered it proven that US-based companies could not resist any desire by their domestic government authorities to access the data they store, meaning that the data is therefore not secure. In other words: A legal fiction was hereby dismantled. The Swiss Federal Data Protection and Information Commissioner (FDPIC) concurred with this ruling shortly thereafter. As a result, the parallel agreement applicable in Switzerland also collapsed. The Swiss FDPIC takes an explicit position on this in its “Guide to checking the admissibility of direct or indirect data transfers to foreign countries” (document).
The case of Crypto AG: This Swiss company supplies cryptographic devices to third-party governments and was secretly owned by the CIA and its German equivalent, the BND.
Everyday handling of data: There is ultimately a conflict between two separate obligations. A person responsible for data in a Swiss subsidiary company must comply with the laws of Switzerland, but they are also obligated to comply with instructions given by foreign superiors. In practice, data (e.g., customer data for marketing activities) is frequently shared, even when this is not in compliance with data protection legislation. But if nobody complains, no crime can be considered to have taken place. Aside from anything else, few people would wish to share a typical whistleblower's fate.

swiss hosting is a promise of a specific legal status. It states that only Swiss authorities will have access to data as part of proper proceedings, and that the affected parties will be treated in accordance with Swiss law.

advantages of swiss hosting

Unfortunately, the claim of data being stored in Switzerland is often used to give customers a false sense of security. This is because the location of the data alone is not sufficient to ensure its protection. The swiss hosting label provides transparency in cloud-based services. The label ensures both B2B and B2C customers can tell which service providers and/or applications can assure the customer that data can only be accessed via Swiss authorities and in accordance with Swiss law. The supervisory function of the Swiss authorities ends when the company is controlled from outside Switzerland.

swiss hosting is a promise of a specific legal status – not a technical one. This statement does not relate to how well the data is technically protected. It relates solely to data protection – not technical data security.

background

The trend towards cloud-hosted technologies and the rollout of GDPR have hammered home the importance of where our data is hosted. It made sense to create a quality seal in keeping with the existing swiss made tradition.

Initially launched as hosted in switzerland at the end of 2018, the new label quickly amassed great popularity. Within a short time, more than 100 companies decided to adopt the new logo, and we received extremely positive feedback. We also received the suggestion to offer hosted in switzerland as a separate logo option.

relationship between swiss made and the swiss made software label

The swiss hosting label was developed by the company swiss made software and is offered exclusively to its members. Since the cloud is still a relatively new concept, there hasn’t yet been anything specifically available to identify something as Swiss. So with this in mind, we developed swiss hosting with the aim of creating a distinctive quality benchmark. To ensure this seal carries weight, we worked closely with our members to develop our terms of use, which provides the legal framework for swiss hosting. These terms also include the option of applying sanctions in the event of abuse, which was a clear request from the members.

swiss hosting can be used in conjunction with the swiss made software logo and/or the swiss digital services logo, but this is not obligatory. However, companies must declare the intended use and agree to the relevant term and conditions.

>Join the label

conditions for using the logo

The following conditions must be met before a license holder can market their services with the swiss hosting logo:

The license holder and its management must be legally and physically situated in Switzerland (see Art. 49 (1) Markenschutzgesetz [Trademark Protection Act]).
Hosting services relating to
-offered applications
-data
-factual data (business information, financial data, research results etc.)
must be located in/running at a data center located within Switzerland. Data protection and data security requirements must be subject to Swiss law.
If the label-bearing product is software as a service (SaaS), only those for which the host also meets the requirements mentioned above can carry the swiss hosting logo. The license holder shall obtain written assurance of this from the host.
Access to the hosting environment and/or the data for operation from abroad and administration by the host must be protected in such a way that data remains entirely in Switzerland and cannot be accessed or claimed by a foreign organization or government, no matter whether directly or indirectly. This also applies to foreign companies within the Group.
in the case of mixed offerings (where hosting located both within Switzerland and abroad is possible), the logo may only be used for offerings that fully meet the criteria. The intended audience must be able to clearly distinguish between the offerings that do and do not meet the criteria.

hands-on

SaaS providers must sign the swiss hosting contract and obtain written confirmation from their hosting partner that the general conditions are met. The document "Contract for hosters/cloud partners not affiliated with swiss made software" is available for this purpose. If the hoster is already a member of swiss hosting, this step does not apply. The SaaS provider should nevertheless make sure that the service it procures meets the criteria, as not all hosters affiliated with swiss hosting only offer services that meet these criteria (in this case, the individual services should be individually labeled).

>The contract for SaaS providers can be found here

>The contract for the hoster/cloud provider can be found here

>The contract for hosting partners can be found here (applies only for hosters not already a member of swiss hosting

Important: With the relaunch, foreign hosters / cloud providers can no longer be used in combination with swiss hosting (Ali Baba, Amazon, Azure, Google, as well as Swiss companies in third countries). Clarify this with your partner using the form provided above.

hosting-partner of swiss hosting

The hosters, hosting providers, webhosting providers and/or cloud providers listed here are direct partners of swiss hosting, thus guaranteeing that the general conditions are met. Some providers use the swiss hosting label only for part of their offering. These products and services are marked accordingly. The provider list is not exhaustive. Detailed product and service offerings are here. The list of all swiss hosting providers including SaaS offers is here.

-AlpHosting - TiZoo Gmbh

-Sileo Information Management AG

If you are already a swiss hosting partner (Level 2 members with hosting and cloud services for third parties, such as SaaS providers) but not on the list, please contact us.

faq

Information for the practical implementation of the contract.

system access from abroad. show detail hide detail

Employees on vacation/business trip - system access from abroad is permitted, provided that technical measures are taken for protection (password, encryption, VPN, etc.) These measures must be technically up to date and are not limited to the examples given here.
Temporary access for third parties - for example maintenance, importing updates, etc.: System access is permitted as long as it is ensured that access does not take place at root level, or that there is no possibility of copying or sucking off customer data.
Support within the scope of 24-hour on-call service: System access is permitted provided that the employees abroad are employed directly by the parent company in Switzerland or by the subsidiary which is solely owned by the parent company. Third party companies may not be commissioned for this purpose. Subsidiaries may not have a legal claim to the data. It must be ensured at the organizational level that no data may be sucked out or copied. At the same time, technical measures ensuring data protection must be in place like those described in point 1.

transitional arrangements for hosted in switzerland show detail hide detail

hosted in switzerland, the predecessor of swiss hosting, may continue to be used until the end of 2020. After that, hosted in switzerland is no longer valid and must be removed by all companies that still use it. From 01.01.2021 only swiss hosting in connection with the signed framework agreement is valid.

lecture - the legal aspects of swiss hosting show detail hide detail

A presentation (in German) by Prof. Dr. Simon Schlauri (Attorney at Law, Prof. University of Zurich), who was also involved in the development of the swiss hosting contract: The legal aspects of swiss hosting. Here, the legal subtleties in the interaction between DSG and swiss hosting are explained compactly and clearly.

limits of swiss hosting show detail hide detail

The world is complex – that’s why swiss hosting alone isn’t enough to ensure full control over your own data. Some examples:

You use a swiss hosting application, but export the data to send it via email, perhaps to exchange it with your application service provider.
You use standard Office products to edit and/or share data from swiss hosting applications. In these cases, you should check to see whether automatic cloud saving is activated or if your service provider is able to operate these services in isolation from the provider..
You use common messaging applications to edit and/or share data from swiss hosting applications.

payment providers show detail hide detail

The logo can also be used for offerings where payment functionality can only be provided with the involvement of foreign providers, provided that all other requirements restricting the use of the logo are met. Cooperation with foreign providers for the purposes of enabling payments is therefore permissible. However, this fact must be made transparent to users.

This is because it is currently not clear whether a Swiss solution exists that meets the requirements of swiss hosting. This is being investigated currently.