Skip to main content

Jurisdictional dossier

Hosting in Switzerland

Outside the EU and outside the Five-Eyes; telecommunications secrecy is a constitutional right and metadata retention is capped at six months.

The operating notes for this jurisdiction: telecommunications secrecy enshrined in the federal constitution; Politically neutral, outside the EU and Five Eyes; Modern data-protection regime (revFADP, in force since 2023); Tier III+ datacenters with multi-decade uptime track records; Direct CIX peering and premium-tier carrier mix; Stable currency and predictable corporate enforcement environment.

Legal context

Swiss law treats telecommunications data as protected under articles 13 and 36 of the Federal Constitution. Surveillance requires a federal court warrant under the BÜPF and metadata retention is capped at six months. The revised Federal Act on Data Protection (revFADP) mirrors GDPR rights and adds criminal penalties for breach of professional secrecy, including by hosting providers.

Switzerland is not a member of the European Union and not a member of the European Economic Area. The country is politically neutral, outside the Five-Eyes intelligence-sharing alliance, and outside the formal Fourteen-Eyes expansion. The practical consequence for a hosting customer is that a foreign subpoena does not arrive via a treaty fast-lane; it arrives via a mutual-legal-assistance request that a Swiss federal court evaluates on its own terms, against a body of case law that takes telecommunications secrecy seriously.

Telecommunications data is treated as protected under articles 13 and 36 of the Federal Constitution. Surveillance requires a federal court warrant under the BÜPF — the federal act on the surveillance of correspondence by post and telecommunications — and the standard for issuing the warrant is not the same as the administrative-subpoena standard familiar from US law. The leading precedent on what the BÜPF applies to — ProtonMail v UVEK (2021) — held that an end-to-end-encrypted application is not a "full" telecommunications provider for the heavier duties the statute imposes. Metadata retention is capped at six months for ISP-level subscriber data and the cap is not a minimum that providers are encouraged to exceed; it is a ceiling.

The revised Federal Act on Data Protection (revFADP), in force since September 2023, mirrors the substantive rights of the GDPR and adds criminal penalties for breach of professional secrecy — including by hosting providers and their staff. A hosting operator who discloses subscriber data outside the warrant process is exposed to personal criminal liability, which is a structural disincentive against the informal cooperation patterns common in less rigorous jurisdictions.

There is no Swiss equivalent to the DMCA. Copyright disputes are resolved through the civil courts on a case-by-case basis, and the intermediary-liability safe-harbour analysis for an intermediary host is meaningfully more protective of the host than the equivalent US framework. Switzerland additionally carries a long-standing data adequacy decision with the European Union, renewed in 2024, which makes the jurisdiction practically usable for any subscriber processing EU personal data.

Datacenter and network context

The facility sits in the Zurich metropolitan area, on the carrier spine that serves the Swiss financial-sector datacentres. The carrier mix at the facility includes Init7, Swisscom, Lumen, NTT, and Hurricane Electric — direct peering at the Community-IX (CIX) and SwissIX exchanges puts the facility one short hop from the majority of European eyeball networks. Latency to Western European endpoints is in the 5-15 millisecond range; latency to North-American endpoints via the major transatlantic routes is in the 80-110 millisecond range.

Certifications carried by the operating facility include ISO 27001, ISO 27017, PCI-DSS, and FINMA-aligned controls — the latter being the Swiss financial-supervisory authority's framework for operational resilience, which a non-financial host meets voluntarily because the controls are appropriate to the threat model. Power is sourced from the Swiss grid, which is itself predominantly hydroelectric and nuclear.

Carriers terminating at the facility include Init7, Swisscom, Lumen, NTT, Hurricane Electric.

Certifications carried by the facility: ISO 27001, ISO 27017, PCI-DSS, FINMA-aligned.

Observable facts

Country
Switzerland
ISO 3166-1
CH
Capital
Bern
Facility city
Zurich
EU membership
Outside the European Union
GDPR posture
GDPR-equivalent regime applies
DMCA posture
No DMCA equivalent
Data retention
6-month metadata cap
Surveillance treaty
Outside the Five-Eyes and the Fourteen-Eyes. Politically neutral. Not a NATO member; not a party to the principal SIGINT-sharing instruments.

Plans operated from this jurisdiction

The plans below can be deployed from this country. The full specification for each plan, the editorial standfirst, and the operator's contact email live on the linked detail page.

VPS hosting

VPS-1 $8/mo
1 vCPU (AMD EPYC), 2 GB DDR4 ECC, 25 GB NVMe SSD
VPS-2 $16/mo
2 vCPU (AMD EPYC), 4 GB DDR4 ECC, 60 GB NVMe SSD
VPS-4 $32/mo
4 vCPU (AMD EPYC), 8 GB DDR4 ECC, 120 GB NVMe SSD
VPS-8 $64/mo
8 vCPU (AMD EPYC), 16 GB DDR4 ECC, 240 GB NVMe SSD
VPS-16 $128/mo
16 vCPU (AMD EPYC), 32 GB DDR4 ECC, 480 GB NVMe SSD

Dedicated machines

DS Lite $89/mo
Intel Xeon E-2236 (6c / 12t @ 3.4 GHz), 32 GB DDR4 ECC, 2× 480 GB NVMe (RAID-1)
DS Mid $149/mo
AMD Ryzen 9 5950X (16c / 32t @ 3.4 GHz), 64 GB DDR4 ECC, 2× 1 TB NVMe (RAID-1)
DS Pro $249/mo
AMD EPYC 7443P (24c / 48t @ 2.85 GHz), 128 GB DDR4 ECC, 2× 2 TB NVMe (RAID-1)
DS Beast $449/mo
2× Intel Xeon Gold 6338 (32c / 64t each), 256 GB DDR4 ECC, 4× 4 TB NVMe (RAID-10)

Email service

Mail Solo $3/mo
10 GB
Mail Team $9/mo
50 GB total
Mail Unlimited $19/mo
Unlimited fair-use

Closing notes

A lawyer operating in an adversarial jurisdiction, an NGO whose donor list is itself a target, or a research project storing interview transcripts that a foreign government may later seek will find the Swiss posture difficult to penetrate by ordinary subpoena. The constitutional protection of telecommunications secrecy is not rhetorical; it has been tested and the courts have held the line.

The dossier is not a recommendation. Switzerland is more expensive to operate from than Iceland and the latency profile suits a different audience. The operator publishes the facts here so the reader can decide whether the trade-off fits the work in front of them.

Legal milestones — Switzerland

  1. 1999

    Federal Constitution (revision)

    Constitution of the Swiss Confederation · 18 April 1999

    The 1999 total-revision of the Swiss federal constitution renumbered the telecommunications-secrecy clause to its current Article 13 paragraph 1. The Federal Tribunal's interpretation in BGE 140 IV 181 extended the article's protection to digital communications infrastructure, which is the load-bearing case-law basis for the Swiss hosting posture as the operator reads it today.

  2. 2017

    Federal Intelligence Service Act

    FIS Act (NDG) · 1 September 2017

    The 2017 act regulates Swiss federal intelligence operations. The act's per-target authorisation requirement for bulk collection — Articles 26 and 27 — is the statutory expression of Switzerland's non-membership in the Five-Eyes intelligence-sharing arrangement and the structural reason a hosting customer with intelligence-leaning adversaries fares better in Switzerland than in a Five-Eyes jurisdiction.

  3. 2019

    ProtonMail v. UVEK

    Federal Administrative Tribunal · A-550/2019

    The Swiss Federal Administrative Tribunal's decision in ProtonMail v. UVEK narrowed the BÜPF's applicability to hosting providers. The tribunal held that a provider whose service does not include real- time message delivery is not a 'provider of derived communication services' within BÜPF and is therefore not subject to its retention or production obligations. The decision is load-bearing for the operator's hosting posture.

  4. 2023

    Revised Federal Act on Data Protection

    revFADP · 1 September 2023

    The revised FADP came into force on 1 September 2023 and established an EU-comparable data-subject-rights regime applicable to the operational metadata a Swiss hosting provider holds about its customers. Combined with Article 13 and the BÜPF reading above, the revFADP completes the legal layer the operator's Swiss posture rests on.