The revised Swiss FADP (nDSG) came into force in September 2023. Microsoft 365 default configurations don't put your data in Switzerland. The US CLOUD Act applies to American providers regardless of where your data is stored. These are solvable problems — if you know where to look.
Switzerland's revised Federal Act on Data Protection (nDSG / FADP) came into effect on 1 September 2023. It significantly strengthens individual rights, introduces mandatory breach notification within 72 hours, and requires organisations to document their data processing activities.
Unlike the EU's GDPR, the nDSG applies to both natural persons and legal entities — meaning Swiss companies can be liable for data protection violations, not just individuals.
If you process personal data — and almost every business does — you need a record of processing activities, a documented response procedure for breaches, and clarity on where your data lives and who can access it.
Key requirements that affect most Swiss businesses.
Microsoft operates two Swiss data centres — in Geneva and Zurich. To ensure your Exchange Online, SharePoint, Teams, and OneDrive data is stored there, your tenant must be specifically provisioned for Switzerland. This doesn't happen automatically.
In the Microsoft 365 Admin Centre, navigate to Settings → Org Settings → Organisation Profile → Data location. This shows where each workload's data is stored. Many Swiss tenants are surprised by what they find.
Once your tenant is correctly configured, I produce a data residency documentation package suitable for internal governance, client due diligence, legal teams, and regulatory audit purposes.
Azure resources — virtual machines, databases, storage accounts, AI services — must each be individually deployed to Swiss North (Zurich) or Swiss West (Geneva) regions. Misconfigured resources silently land in Western Europe.
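One way to catch resources that have landed outside the Swiss regions, shown as an added example (not part of the original page or any Microsoft tooling): it assumes the input is the JSON produced by `az resource list --output json`, and the resource names in the sample are constructed.

```python
import json

# Azure region identifiers for Swiss North (Zurich) and Swiss West (Geneva).
SWISS_REGIONS = {"switzerlandnorth", "switzerlandwest"}

def normalise(location):
    """Fold display names such as 'Switzerland West' to the API form."""
    return (location or "").replace(" ", "").lower()

def audit_locations(resources):
    """Sort resources into Swiss-region, needs-review and outside-Switzerland."""
    report = {"swiss": [], "review": [], "outside": []}
    for res in resources:
        loc = normalise(res.get("location"))
        entry = (res.get("name", "<unnamed>"), res.get("type", "<unknown>"), loc or "<none>")
        if loc in SWISS_REGIONS:
            report["swiss"].append(entry)
        elif loc in ("", "global"):
            # Non-regional services have no single region; check them by hand.
            report["review"].append(entry)
        else:
            report["outside"].append(entry)
    return report

# Constructed sample in the shape of `az resource list --output json`.
SAMPLE = json.loads("""
[
  {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines", "location": "switzerlandnorth"},
  {"name": "stbackup01", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
  {"name": "sql-crm", "type": "Microsoft.Sql/servers", "location": "Switzerland West"},
  {"name": "example.ch", "type": "Microsoft.Network/dnszones", "location": "global"}
]
""")

if __name__ == "__main__":
    result = audit_locations(SAMPLE)
    for name, rtype, loc in result["outside"]:
        print(f"OUTSIDE SWITZERLAND   {loc:<18} {rtype}  {name}")
    for name, rtype, loc in result["review"]:
        print(f"REVIEW (non-regional) {loc:<18} {rtype}  {name}")
    print(f"{len(result['swiss'])} resource(s) in Swiss regions")
```

Run on a schedule against each subscription, the "outside" list doubles as a configuration-drift signal for newly deployed resources.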
What's covered and what to verify.
The CLOUD Act covers Microsoft, Google, AWS, Salesforce, Dropbox, and any other US-headquartered provider, regardless of where your data is physically stored. Microsoft's Swiss data centres do not protect your data from a US government request.
Swiss-domiciled providers with no US affiliation, US shareholders, or US operations fall outside it. Exoscale (owned by Austrian A1 Group) and SafeSwissCloud (Swiss-owned) are not subject to CLOUD Act jurisdiction.
Identifying which of your cloud services are US-provider-dependent, assessing risk by data category, documenting your exposure position for boards and legal teams, and recommending mitigation options.
Compute, object storage, managed Kubernetes, managed databases — all hosted in Swiss data centres, not subject to the CLOUD Act. Part of the Austrian A1 Group. Billed by the second.
Owns and operates its own Swiss data centres. FINMA RS 2018/3 compliant and used by Swiss banks, healthcare providers, and organisations with the most stringent sovereignty requirements. Certified to ISO 27001, 27017 and 27018.
I review your current cloud setup — Microsoft tenants, Azure resources, third-party services — and identify where your data is actually stored, which services are US-subject, and where your compliance gaps are.
For Microsoft 365 and Azure, I configure data residency to Swiss regions, apply Customer Lockbox, and review Copilot data handling settings.
I produce a written data residency and compliance documentation package — suitable for your legal team, clients' due diligence requests, board reporting, or regulatory audit.
Optional: I monitor your environment for configuration drift and new services that may affect your compliance posture, and advise on changes in Swiss or EU data protection regulation.
Swiss IT compliance work is usually scoped as a fixed-price project, not open-ended billing.
Not sure what you need? Book a 30-minute call and I'll tell you honestly where your most significant risks are and what it would take to address them. No obligation.
30 minutes, no charge. I'll tell you where your real risks are and what it would take to address them.