When a Swiss client trusts us with their patient records, financial data, or audit logs, the question of where that data lives matters. The harder question is who can compel access to it. That second question, not pricing, not features, is why Luzid runs its production hosting on Infomaniak in Switzerland and Hetzner in Germany rather than on a US-controlled cloud.
Our hosting setup
For a long time, the default option for any engineering team picking a cloud has been one of the large US-headquartered hyperscalers. Azure, AWS, Google Cloud. The pitch is consistent: managed services, the option of a regional data centre, mature tooling. It is the same default a lot of European companies still pick.
We made a different call for our own platform. Production hosting runs on Infomaniak, a Swiss-owned company headquartered in Geneva, and on Hetzner, a German-owned company near Nuremberg. Microsoft 365 stays in the picture, but only for our internal email and document collaboration. No client production data goes through it.
The reason is not technical. It is a question of jurisdiction.
The CLOUD Act, in one paragraph
In 2018, the United States passed a law called the CLOUD Act. It does one main thing: it lets US authorities compel any company headquartered in the US to hand over customer data, regardless of where in the world that data is physically stored. Microsoft, Amazon, and Google are all US-headquartered. So if a US prosecutor or agency issues a valid CLOUD Act request, those companies are required to comply, even for data sitting on a server in Zurich, Frankfurt, or Geneva. The customer often does not learn it happened.
This is not speculation. On 18 June 2025, Anton Carniaux, Microsoft France’s director of public and legal affairs, told a French Senate inquiry under oath that Microsoft could not guarantee data on French citizens would not be transferred to the US government under the CLOUD Act. AWS’s own CLOUD Act compliance page commits the company to “challenge requests that conflict with the law, are overbroad, or otherwise inappropriate” - a fight, not a guarantee. Google Cloud’s published position is comparable: follow legal process, notify customers where permitted, challenge requests it believes are unjustified. The choice all three offer European customers is “we will push back on what we consider unreasonable”, not “your data is unreachable”.
For most workloads, that is a tradeoff people accept. For client data we are entrusted with, particularly in healthcare, finance, and the public sector, it became a tradeoff we did not want to keep accepting.
Why a “Swiss region” is not the same as Swiss jurisdiction
The misunderstanding we see most often goes like this: “We picked the Swiss region on Azure, so our data is in Switzerland, so Swiss law applies.”
The first half is true. The second half is not.
Jurisdiction does not follow the data centre’s GPS coordinates. It follows the legal entity that operates the service. Azure’s Swiss region is operated by Microsoft, a US company. The control plane, the corporate parent, and the legal authority that can compel disclosure are all American. The Swiss region buys you data residency. It does not buy you Swiss jurisdiction.
A complementary point: in 2020, the European Court of Justice ruled (in a case known as Schrems II) that US surveillance law is incompatible with European data-protection requirements. European courts are no longer pretending the gap is theoretical.
What “Swiss made” means when it comes to hosting
Luzid is a Swiss Made Software certified company. Historically that label has meant “the software was designed and engineered in Switzerland”. The conversation in the industry has shifted. Increasingly, “Swiss made” is understood as operated in Switzerland too, end to end, including the hosting layer. A Swiss-built application running on a US-controlled cloud has a Swiss-shaped front door and a foreign-shaped back door.
The Swiss Made Software association has been clear that members should prefer hosting providers not under direct or indirect control of a foreign state. We agree with that position. It is the only reading of “Swiss made” that survives a serious audit conversation about data access.
Why Infomaniak (Switzerland)
Infomaniak is Swiss-owned, family-run, headquartered in Geneva, with all of its data centres in Switzerland. They publish a transparency report on legal requests. They are ISO 27001 certified. They are aligned with the new Swiss data-protection law (nLPD / FADP).
For workloads where the regulatory frame is Swiss, where the data subject is a Swiss citizen, where the regulator is Swiss, where the audit is Swiss, Infomaniak gives the cleanest answer. There is no foreign legal entity in the chain. There is no extraterritorial law that overrides the customer contract.
Why Hetzner (Germany / EU)
Hetzner is German-owned, with data centres in Germany and Finland. No US parent, no US holding company, no CLOUD Act exposure. For workloads where the regulatory frame is European rather than specifically Swiss, where the data subject is an EU citizen and GDPR is the governing law, Hetzner is the right home. It keeps data inside the EU jurisdiction the regulation was written for.
What this means for our clients
Concretely, we offer four hosting shapes - and the choice is project-by-project, driven by requirements and budget rather than by default:
- Fully Swiss jurisdiction: everything on Infomaniak. For Swiss patient data, financial data, or government workloads where any foreign legal exposure is unacceptable.
- Fully EU jurisdiction: everything on Hetzner. For EU-citizen data covered by GDPR.
- Hybrid (Swiss + EU): the most sensitive records on Infomaniak in Switzerland, the rest of the workload on Hetzner. We only go hybrid when a project genuinely needs both Swiss-grade sovereignty for some data and EU economics for the bulk - it adds operational complexity, so it is not a default.
- Custom / client-defined: a different shape entirely, on infrastructure the client already owns or specifies. We help design and operate it to the same sovereignty standards we apply to our own platform.
We pick one of the four with each client up front. Every client we host knows whether they are 100 % Swiss-jurisdiction, 100 % EU, hybrid, or on a custom shape they have defined - and what that choice does to their cost-per-resource and to their audit story.
In all four shapes, our internal email, calendar, and document collaboration stay on Microsoft 365. We are honest about that in our privacy policy. It is also why client production data never lands there.
The tradeoffs we accepted
Azure offers more managed services than Infomaniak or Hetzner. Managed Postgres with everything turned on. Managed Kubernetes. Built-in observability. We gave up some of that. On Infomaniak and Hetzner we run more of the stack ourselves: our own Kubernetes clusters, our own Postgres, our own Loki and Grafana for logs and metrics.
We were willing to accept that because operational craftsmanship is one of the pillars we already work by. We run mission-critical infrastructure for clients elsewhere; running our own here is consistent, not a stretch. The result is more code we maintain, but a setup we control end to end.
Why we wrote this
For clients who can never afford to fail, “where can my data be compelled to go?” deserves an architectural answer, not a marketing answer. Picking sovereign Swiss and EU hosting was that answer for our own platform. If the same question is on your audit checklist, we can help you arrive at it for yours.
Sovereignty is a working standard, not a marketing line
Hosting on a US-controlled provider, even in a Swiss region, leaves customer data reachable by US legal process. For regulated Swiss clients, that is a structural risk, not a theoretical one.
Infomaniak (Swiss-owned, Swiss-operated) and Hetzner (EU-owned, EU-operated) put data under jurisdictions where Swiss and European law govern access end to end.
If you operate in healthcare, fintech, or any field where an audit asks “could a foreign authority access this?”, we can help you design a hosting and data architecture that answers with a clean “no”.
