
AI Data Privacy for Swiss SMEs: Which Solution Is Truly Compliant

When you add an AI chatbot to your website or use ChatGPT for customer communication, one uncomfortable question arises quickly: where does the data actually go? This article explains why «GDPR-compliant» on a vendor dashboard isn't enough, which providers Swiss SMEs can actually use without risk — and why server location is often the wrong criterion.

Noël Bossart
Updated: Apr 12, 2026 · 11 min read
Abstract Swiss mountain peak with Swiss cross and EU stars, representing AI data sovereignty for Swiss SMEs
At a glance
  • CLOUD Act applies even with EU server location
  • Three risk tiers for AI providers
  • Infomaniak: only Swiss-native option
  • Mistral: best EU-native compromise
  • revDSG requires documentation and legal basis

What «data-privacy compliant» actually means for AI

Many AI providers advertise GDPR compliance or EU server locations. That sounds reassuring — and still falls short. Data privacy for AI depends on three factors: server location, the legal entity of the provider, and the contractual basis.

A server location in Frankfurt or Geneva matters little when the provider is a US company. US companies are subject to the CLOUD Act — regardless of where their servers are located. This applies equally to OpenAI, Microsoft (Azure), Google (GCP), and Amazon (AWS).

The decisive question is therefore not «where is the server?» — but rather: «Which law governs the company processing my data?»

The AI chatbot as a concrete example

A website chatbot is a good example because it brings the data privacy questions into sharp focus. Every conversation flows through an AI inference API — and in doing so, potentially collects personal data: names, email addresses, concerns, purchase intentions.

Most AI gateways on the market — including those with EU branding — are US companies. This means: even if the server is in Frankfurt, US law governs the company operating it. The CLOUD Act applies.

What initially looks like a purely technical problem is in reality a legal question. And it can be solved — with the right provider choice. How a data-privacy compliant AI chatbot is concretely built is covered in a separate article.


The CLOUD Act — the underestimated risk

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US federal law from 2018. It empowers US law enforcement to demand data access from US companies — regardless of where the data is stored.

What this means in practice: a US company that stores data on EU servers must still provide access to a US authority. It is not required to inform you or the affected individuals about this.

This is not a hypothetical scenario. US authorities actively use this capability. For Swiss SMEs with data protection obligations toward customers, employees, or authorities, this is a real legal risk — even if it rarely becomes visible in everyday operations.

Caution

A Data Processing Agreement (DPA) with a US provider reduces your compliance risk on paper. But it does not protect against government US data access. The DPA governs what the provider may do with your data — not what it must do on US government instruction.

Does an EU subsidiary protect against the CLOUD Act?

A common counterargument: Microsoft operates Microsoft Ireland, Google has Google Ireland Limited, Amazon runs Amazon EU SARL. Aren't these European companies under European law?

No — not under the CLOUD Act. The law explicitly applies to US companies and all entities they control. «Control» means the parent can direct the subsidiary. That is definitionally true of subsidiaries.

A US authority obtains an order against Microsoft Corp — not Microsoft Ireland. Microsoft Corp then directs Microsoft Ireland to produce the data. The parent has both the legal obligation and the technical means to enforce compliance. Failing to do so risks contempt of court. Server location and the EU registration of the subsidiary change nothing about this logic.

Can the EU subsidiary refuse US data access?

Theoretically yes — and here lies a genuine, unresolved legal conflict. GDPR Art. 48 states that data transfers to third countries based on foreign government orders must go through MLAT channels or recognised agreements — not direct compulsion. An EU subsidiary therefore has a legal basis to refuse.

Three reasons why this provides no safe harbour in practice:

The US court compels the parent — not the subsidiary. The order is directed at Microsoft Corp. The parent bears the obligation to comply and the risk of refusal.

There is no EU-US CLOUD Act agreement. The law includes a «qualifying foreign government» clause: if a country has signed a bilateral CLOUD Act agreement with the US, providers can challenge orders that conflict with that country's law. The UK signed such an agreement in 2022. The EU has not. Without this agreement, there is no formalised path to block US orders.

The conflict falls back on the company. Complying with the CLOUD Act violates GDPR Art. 48. Refusing risks contempt of court for the parent. Microsoft and AWS attempt to create «EU Sovereign Cloud» architectures that technically prevent US staff from accessing EU data. No court has recognised this as a legal barrier.

Good to know

Data residency ≠ data sovereignty. «Data residency» refers to where data is physically stored. «Data sovereignty» refers to who ultimately holds legal control. EU subsidiaries guarantee the former. Only the absence of a US parent company in the control chain eliminates the CLOUD Act.

Three risk tiers at a glance

Not every AI solution carries the same risk. A three-tier framework helps with decision-making — depending on what data you process and what compliance requirements apply.

The classification is based on two criteria: legal entity of the provider (US or EU/CH) and data location. Both factors affect CLOUD Act risk and revDSG compliance.

Criterion          | Tier 1: US SaaS direct    | Tier 2: US model, EU routing | Tier 3: EU/CH native
Server location    | USA                       | EU (varies)                  | EU/Switzerland
Legal entity       | US company                | US company                   | EU/CH company
CLOUD Act risk     | High                      | Medium                       | None
Known examples     | OpenAI, Anthropic, Google | Requesty EU, AWS Bedrock EU  | Mistral, Infomaniak, Scaleway
DPA available      | Yes                       | Yes                          | Yes
For sensitive data | Not recommended           | With limitations             | Recommended

Tier 2 also includes white-label products like EUrouter (technically identical to Requesty, US parent company). Legal classification as of April 2026.

Tier 1: US SaaS direct — when is this acceptable?

Direct US providers like OpenAI, Anthropic, or Google are not prohibited per se. What matters is which data you process.

Acceptable for: non-personal data (publicly available information, generic texts), internal use without personal data, or one-time tests without data persistence.

Not acceptable for: customer data (names, email, purchase history), employee data (applications, salary information), health or financial data, and confidential documents with business secrets.

Many SMEs use ChatGPT daily — often for tasks where Tier 1 is actually problematic. The risk is real, even if it rarely becomes immediately apparent.

Good to know

OpenAI offers enterprise customers an EU data residency option. The data then stays on EU servers — but the company remains a US company. The CLOUD Act still applies. EU data storage slightly reduces the risk without eliminating it.
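As an added example (not code from this article or from any vendor), the following routing guard applies the two-criteria tier rule from the table and the Tier 1 data rules to chatbot messages before they leave your infrastructure, and returns a record you can append to the processing register. The provider entries, the DPA flags and the personal-data heuristic are constructed assumptions.

```python
"""Routing guard for a website chatbot: applies the three-tier framework
before a message leaves your infrastructure. Added example; provider
entries, DPA flags and the PII heuristic are constructed assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Provider:
    name: str
    legal_entity: str     # law governing the contracting company: "US", "EU" or "CH"
    server_location: str  # where inference runs: "US", "EU" or "CH"
    dpa_signed: bool      # assumed value for the sample entries below

def risk_tier(p: Provider) -> int:
    """Tier from the two table criteria: legal entity first, then data
    location. Only an EU/CH legal entity removes CLOUD Act exposure."""
    if p.legal_entity in ("EU", "CH"):
        return 3
    return 2 if p.server_location in ("EU", "CH") else 1

# Crude personal-data heuristic (e-mail address or phone-like digit run),
# constructed for the example; use a proper PII detector in production.
_PII = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\+?\d[\d .-]{8,}\d")

def contains_personal_data(text: str) -> bool:
    return _PII.search(text) is not None

def routing_decision(p: Provider, text: str) -> dict:
    """Allow or block a message for provider p and return a record to
    append to the processing register (the revDSG documentation duty)."""
    tier, personal = risk_tier(p), contains_personal_data(text)
    if personal and not p.dpa_signed:
        allowed, reason = False, "personal data without a signed DPA"
    elif personal and tier == 1:
        allowed, reason = False, "personal data to Tier 1 (US SaaS direct)"
    elif personal and tier == 2:
        allowed, reason = True, "Tier 2: EU routing, CLOUD Act exposure remains"
    elif personal:
        allowed, reason = True, "Tier 3: EU/CH native provider"
    else:
        allowed, reason = True, f"no personal data detected (Tier {tier})"
    return {"ts": datetime.now(timezone.utc).isoformat(), "provider": p.name,
            "tier": tier, "personal_data": personal, "allowed": allowed,
            "reason": reason}

# Sample entries classified as in the article's table (DPA flags assumed).
PROVIDERS = {
    "openai": Provider("OpenAI", "US", "US", dpa_signed=True),
    "requesty_eu": Provider("Requesty EU", "US", "EU", dpa_signed=True),
    "mistral": Provider("Mistral AI", "EU", "EU", dpa_signed=True),
    "infomaniak": Provider("Infomaniak AI Tools", "CH", "CH", dpa_signed=True),
}
```

Call `routing_decision(PROVIDERS["openai"], message)` in the chatbot backend and persist the returned record; a blocked message can then be re-routed to a Tier 3 entry instead of being dropped.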

Tier 2: US models with EU routing

Tier 2 providers are EU-based gateways or cloud platforms that make US models available through European infrastructure. This sounds like the best of both worlds — but has a structural catch.

Requesty EU, for example, routes requests through a Frankfurt node (AWS eu-central-1). This reduces latency and maintains data residency in the EU. But the company behind Requesty is incorporated in the US. The CLOUD Act still applies.

AWS Bedrock with EU inference profiles (eu-central-1, eu-west-1) works similarly: Claude or Titan run on European servers — but Amazon remains a US company. The CLOUD Act risk persists.

EUrouter — also positioned as an EU alternative — is a white-label product of Requesty. Legally identical, despite the EU branding.

Tier 2 is a pragmatic middle ground. Often sufficient for non-sensitive data and moderate compliance requirements. Anyone processing special categories of data under revDSG should choose Tier 3.

Tier 3: EU- and Swiss-native solutions

Tier 3 providers are legally incorporated in the EU or Switzerland and operate their infrastructure there. The CLOUD Act does not apply. EU/CH data protection law applies in full. This makes them the safest option for personal and sensitive data.

The following providers are relevant for Swiss SMEs — with different strengths depending on the use case:

Mistral AI — France

  • French company, EU law, no CLOUD Act
  • Frontier model quality: Mistral Large 2, Mistral Small 3.1
  • DPA available, OpenAI-compatible API
  • Pricing from ~€0.10/M tokens (Small) to ~€6/M (Large)
  • Best choice when strong language models are needed

Infomaniak AI Tools — Switzerland

  • Swiss company (Geneva), Swiss data centres
  • Certified under revDSG and GDPR, CHF pricing
  • Open-source models: LLaMA 3, Mixtral, Gemma
  • OpenAI-compatible API, free tier (120,000 tokens/day)
  • No frontier models — sufficient for standard tasks

Scaleway Generative APIs — France

  • French public company, EU law
  • Mistral models + LLaMA 3 available
  • EU data centres, GDPR compliant
  • OpenAI-compatible, beginner-friendly pricing
  • Good choice for Mistral without a direct Mistral contract

Apertus — Switzerland (in development)

  • Swiss national project by ETH Zurich and EPFL
  • 70B model, open weights, planned Swiss infrastructure
  • Maximum data sovereignty — still limited availability
  • Timeline for broad use: 2026/2027
  • Relevant for organisations with the highest sovereignty requirements

Checklist: What to clarify before deploying AI

Before you deploy an AI service in production, fundamental questions should be clarified. This applies regardless of the provider — revDSG and GDPR require demonstrable decisions, not good intentions. A brief consultation helps find the right starting point.

Before you start

  • Are you processing personal data? (names, email, behavioural data)
  • Is a DPA with the provider in place and signed?
  • Do you have a legal basis for data processing (Art. 6 GDPR / Art. 9 revDSG)?
  • Is the provider subject to the CLOUD Act — i.e. US law?
  • Is data used for model training? (opt-out verified?)
  • Is the data processing documented in your processing register?
  • Are data subjects informed that AI is processing their data?
  • Have you checked whether open-source or Swiss alternatives are relevant?

What revDSG concretely requires from you

Switzerland's revised Data Protection Act (revDSG), in force since September 2023, places concrete requirements on AI use. Three of them are particularly relevant for Swiss SMEs.

Information obligation. If you process personal data with AI, data subjects must be informed — actively and comprehensibly, not just in the fine print of your privacy policy.

Legal basis. Every processing operation requires a basis: consent, contract, or legitimate interest. With AI systems this is often poorly documented — especially when data flows to third-party providers.

Third-country transfer. If data is transferred to countries without equivalent protection (USA), additional safeguards are required. Standard Contractual Clauses (SCCs) are one option — but may not be sufficient for US providers due to the CLOUD Act. The Federal Data Protection and Information Commissioner (FDPIC) has made clear: revDSG is enforced with the same instruments as GDPR in the EU — including fines.

Expert tip by Noël Bossart

Start with the processing register. Document which AI tools you use, what data flows, and on what legal basis. This is not a bureaucratic exercise — it is the foundation on which you can demonstrate, when it matters, that you made a careful decision. One hour of effort saves many hours of explanation to the FDPIC.


Conclusion: Compliance is not a certificate statement

«GDPR-compliant» and «EU server» on a vendor dashboard mean little without examining the CLOUD Act. The decisive question is: which law governs the company — not: where is the server.

For Swiss SMEs without a dedicated legal department: Tier 3 is the safe choice for sensitive data. Mistral (France) offers frontier models without CLOUD Act risk. Infomaniak (Switzerland) offers maximum local control for standard tasks.

For many everyday applications — draft texts, internal summaries, research without customer data — Tier 1 is pragmatically defensible as long as no personal data is involved.

The good news: EU- and Swiss-compliant alternatives exist, are production-ready, and are no more expensive than their US counterparts. The decision is not a budget question — it is a knowledge question. Whoever knows the options can choose confidently. And anyone who needs support with AI integration can find it without compromising on data privacy.


Frequently Asked Questions

What is the CLOUD Act and why does it matter for Swiss SMEs?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) allows US law enforcement to demand data access from US companies — even if the data is stored on EU or Swiss servers. For Swiss SMEs this means: every US-based AI provider — OpenAI, Microsoft, Google, Amazon — is subject to this law regardless of where their servers are located. A Frankfurt data centre alone does not protect against US government access.
Is a Data Processing Agreement (DPA) sufficient for revDSG compliance?
A DPA is necessary but not sufficient. It governs what the provider may do with your data — but does not protect against government access under the CLOUD Act. For sensitive data, you additionally need a provider without a US parent company. Only then is the CLOUD Act risk fully eliminated.
Does an EU subsidiary of Microsoft or Google protect against the CLOUD Act?
No. The CLOUD Act explicitly applies to US companies and all entities they control. A subsidiary is definitionally controlled. A US authority compels the US parent — which in turn directs its subsidiary. Server location and the EU registration of the subsidiary do not change this obligation.
Can an EU subsidiary refuse data access requested by US authorities?
Theoretically it can invoke GDPR Art. 48 as grounds. In practice this provides little protection: the US court compels the parent, not the subsidiary. An EU-US CLOUD Act bilateral agreement that would formally protect such a refusal does not exist — the EU has not signed one (the UK did in 2022). The company is left in conflict between two legal systems with no validated way out.
Which AI providers are data-privacy safe for Swiss SMEs?
EU- and Swiss-native providers without a US parent company: Mistral AI (France, frontier models), Infomaniak AI Tools (Switzerland, open-source models), Scaleway Generative APIs (France, Mistral models). For non-sensitive data, EU-routed US services are acceptable — with documented limitations and a signed DPA.
Can Swiss SMEs legally use ChatGPT?
For generic tasks without personal data — draft texts, summaries of public information — ChatGPT with a signed DPA is defensible. For customer data, employee data, or confidential documents the legal risk is significant. OpenAI offers EU data residency, but remains a US company with CLOUD Act exposure.
What makes Infomaniak AI Tools special for Swiss companies?
Infomaniak is incorporated in Geneva, operates data centres in Switzerland, and is certified under both revDSG and GDPR. The API is OpenAI-compatible and includes a free tier (120,000 tokens/day). Limitation: no frontier models like Claude or GPT-4 — only open-source models like LLaMA 3 or Mixtral. Sufficient for many standard tasks.
How significant is the actual risk of using US AI services?
The risk depends on the data. For public, non-personal tasks it is low. For customer data, health information, or business secrets it is significant — not because something will happen tomorrow, but because in the event of an audit by the FDPIC you would be unable to demonstrate a sufficient legal basis.

About the author

Noël Bossart — Founder & Developer

Noël has been building websites for over 25 years, from strategy through to implementation. As the founder of Noevu, he combines efficient processes with aesthetic design to offer Swiss SMEs digital solutions that really work.
