# Application Operations Sovereignty: Your Product, Swiss Operations

When a regulated customer buys your software as a managed service, they inherit your operations provider's jurisdiction. If your operations run on US hyperscaler infrastructure, your customer's data falls under the [CLOUD Act](https://en.wikipedia.org/wiki/CLOUD_Act), accessible to US authorities without Swiss judicial process, regardless of which region you select.

For ISVs selling into Swiss finance, healthcare, and government, this is a deal-breaker. Your customers need Swiss data residency and a Swiss operations provider to pass due diligence.

VSHN operates your software on Swiss infrastructure from Cloudscale or Exoscale, or on your customer's own premises. Swiss company, Swiss staff, Swiss law. Your customers' data stays under Swiss jurisdiction.

## Why VSHN operations strengthen your sovereignty story

- **Swiss company, Swiss law**: VSHN AG is incorporated in Switzerland with all shareholders Swiss citizens. No foreign parent, no CLOUD Act exposure
- **Infrastructure you choose**: Each customer instance runs on Cloudscale, Exoscale, or customer premises, with no hyperscaler dependency
- **On-premises option**: When regulation or contract requires it, VSHN operates your software inside your customer's data center with the same 24/7 operations
- **Swiss operations team**: All on-call engineers are based in Switzerland. [Swiss-only support option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support) available
- **ISO 27001 certified**: Since 2014, with ISAE 3402 Type II attestation
- **Your compliance evidence**: VSHN's certifications and regulated-industry references (HIN, Finnova, acrevis, Swiss Federal Archives) become part of your customer's due diligence package

## Operations sovereignty compared

| Dimension | Your ops on AWS/Azure/GCP | Your ops team in-house | VSHN Application Operations |
|-----------|--------------------------|----------------------|----------------------------|
| **Governing law** | US law | Your jurisdiction | Swiss law |
| **CLOUD Act** | Exposed | Not exposed | Not exposed |
| **Data location** | Configurable (US-controlled) | Your choice | Switzerland or customer DC |
| **Operations team** | US-based vendor staff | Your hires | Swiss-based VSHN engineers |
| **24/7 coverage** | Vendor-dependent | 4-6 FTE minimum | Included from CHF 800/month |
| **Compliance evidence** | Vendor's certifications | You build from scratch | ISO 27001, ISAE 3402, named references |
| **On-premises** | Not available | You manage | VSHN manages on customer site |

## Compliance and regulatory readiness

VSHN operations support your customers' compliance requirements:

- **FINMA Circular 2018/3**: Outsourcing requirements for Swiss financial institutions. VSHN provides audit documentation, Swiss-only operations, and contractual commitments for regulated customers
- **EU DORA** (Digital Operational Resilience Act): ICT third-party risk management provisions. Swiss-hosted operations with documented SLAs meet DORA's requirements for critical ICT service providers
- **NIS2 Directive**: Supply chain security requirements for essential and important entities. VSHN's ISO 27001 controls map to NIS2 Article 21 requirements
- **GDPR / Swiss DPA**: Swiss data residency by default. EU adequacy decision covers Swiss-EU data transfers

## VSHN sovereignty self-assessment

We applied the EU's [Cloud Sovereignty Framework](https://commission.europa.eu/document/09579818-64a6-4dd5-9577-446ab6219113_en) (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's [EUR 180M sovereign cloud tender](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.

*This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.*

| # | Dimension | Weight | Assessment | Evidence |
|---|-----------|--------|-----------|----------|
| SOV-1 | Strategic | 15% | **Strong** | Swiss AG, no foreign parent, all shareholders Swiss citizens ([Commercial Register](https://zh.chregister.ch/cr-portal/auszug/auszug.xhtml?uid=CHE-275.566.226)) |
| SOV-2 | Legal | 10% | **Strong** | Swiss law ([GTC](https://products.vshn.ch/legal/gtc_en.html)), no CLOUD Act, [EU adequacy decision](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) |
| SOV-3 | Data & AI | 10% | **Strong** | Swiss DCs by default. Sovereign key management via [Managed OpenBao](https://www.openbao.ch) + [Swiss HSM](https://cloud.securosys.com/cloudhsm) |
| SOV-4 | Operational | 15% | **Strong** | Swiss 24/7 ops, [Swiss-only support option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support). All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | **Strong** | Infrastructure-agnostic, [customer chooses provider](https://servala.com/providers/). Open-source tooling |
| SOV-6 | Technology | 15% | **Strong** | Open-source operations tooling. VSHN contributes to [K8up](https://github.com/k8up-io) (CNCF), [Crossplane providers](https://github.com/vshn), [Project Syn](https://github.com/projectsyn) |
| SOV-7 | Security | 10% | **Strong** | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II, Swiss SOC. [FINMA-regulated customers](https://www.vshn.ch/en/solutions/solutions-for-banks-and-financial-service-providers/) |
| SOV-8 | Environmental | 5% | **Moderate** | DC operators: Green Datacenter AG (ISO 22301/27001/27701), [Exoscale sustainability](https://www.exoscale.com/sustainability/). [VSHN CSR policy](https://handbook.vshn.ch/corporate_social_responsibility_policy.html) |

**Overall: SEAL-3 equivalent**, the same level achieved by the winners of the EU's own sovereignty tender.

## Make sovereignty part of your product

When your regulated customers ask "where is my data and who can access it?", you want a clear answer: Swiss infrastructure, Swiss operations, Swiss law. VSHN gives you that answer without building an operations team yourself.

[Get a cost estimate](#contact) for Swiss-operated application operations.