Safe Swiss Cloud is certified to ISO 27001, ISO 27017 and ISO 27018. The certifications and compliance standards covered on this page are:
- Certifications: ISO 27001 (Information Security Management System), ISO 27017 (cloud-specific security controls) and ISO 27018 (PII in public clouds), audited and renewed annually.
- Compliance standards: FINMA Circular 2018/3, BaFin BAIT Circular 10/2017 (BA), the Swiss Federal Act on Data Protection (FADP), the FMH recommendations for doctors, the EU GDPR and HIPAA.
Below you will find details of our certifications and the standards we comply with.
Safe Swiss Cloud is 100% Swiss:
- It is Swiss owned.
- Our data centres are all located in Switzerland.
As a result, we are able to guarantee our customers' data sovereignty: Safe Swiss Cloud does not fall under the US CLOUD Act or other foreign regulations that could compel disclosure of customer data. We are a member of Swiss Hosting.
Find out about the advantages of Swiss Made Hosting here.
ISO 27001 – Information Security Management System
Safe Swiss Cloud has held ISO 27001 certification for its Information Security Management System since 2015; the certification scope includes the ISO 27018 controls for the protection of Personally Identifiable Information (PII) in the cloud.
It has been audited and had its certification confirmed every year since then.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within an organisation (the standard has since been revised as ISO/IEC 27001:2022, to which existing certifications are being transitioned). For further details please visit the official ISO 27001 website.
ISO 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
This standard provides guidance on the information security aspects of cloud computing. It recommends cloud-specific information security controls and gives implementation advice for them, supplementing the generic guidance in ISO/IEC 27002 and the other ISO 27k standards.
The standard addresses both cloud service customers and cloud service providers, with the guidance for each laid out side by side in every section, so that a customer can see which controls remain its own responsibility and which are expected from the provider.
ISO 27018 – Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
ISO/IEC 27018:2014 defines generally accepted control objectives, controls and implementation guidelines to ensure that personal data is protected in accordance with the privacy principles of ISO/IEC 29100 in public cloud computing environments, where the provider acts as a PII processor. For more details, please visit the official ISO 27018 website. ISO 27018 is a code of practice rather than a stand-alone certification: it is assessed as an extension of, and within the scope of, the ISO 27001 certification.
Do you have more questions about compliance and certifications?
Our specialists have extensive know-how about the general compliance requirements imposed by law, such as the Swiss Data Protection Act and the EU's GDPR, as well as about the industry standards that apply, for example, in the financial and healthcare sectors.
Contact us for a briefing on how Safe Swiss Cloud can help you with your compliance.
FINMA Circular 2018/3 – Outsourcing – banks and insurers
Circular 2018/3 of the Swiss Financial Market Supervisory Authority (FINMA) describes the conditions under which outsourcing arrangements comply with the supervisory requirements for the selection and oversight of service providers, banking secrecy and data protection. The official FINMA Circular can be downloaded here as a PDF file.
BaFin / BAIT: Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions
Circular 10/2017 (BA) of BaFin, the German Federal Financial Supervisory Authority, sets out the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, BAIT), which German institutions must also apply to IT services they outsource. Safe Swiss Cloud is compliant with these requirements.
Swiss Federal Act on Data Protection (FADP)
The Swiss Federal Act on Data Protection (FADP, also abbreviated DPA) is compatible with the EU's GDPR and governs the processing of personal data in Switzerland.
FMH Recommendations for doctors
The FMH (Foederatio Medicorum Helveticorum) is Switzerland's professional association for doctors. The FMH has published guidance (German only) on what doctors, medical practices and healthcare services must consider in order to comply with the Swiss FADP.
Safe Swiss Cloud meets these requirements.
EU GDPR – General Data Protection Regulation
The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU regulation on data protection and privacy. It protects all individuals in the European Union (EU) and the European Economic Area (EEA), regardless of their nationality, and also governs the transfer of personal data outside the EU and EEA.
HIPAA – Health Insurance Portability and Accountability Act
The US Health Insurance Portability and Accountability Act (HIPAA) sets the standard for the protection of sensitive patient data. Organisations that handle protected health information (PHI) must implement and follow the administrative, physical and technical safeguards required by the HIPAA Security Rule in order to be HIPAA compliant.
Frequently asked Questions
Which data centers are used?
Safe Swiss Cloud uses its own data centers in Switzerland.
Which laws are applicable?
The Swiss Federal Act on Data Protection (SR 235.1) requires respect for the privacy of individuals and companies. Accordingly, Safe Swiss Cloud's computing resources and data are only accessible to our customers or to parties authorized by them.
Commission Decision 2000/518/EC (Official Journal L 215/1 of 25.8.2000) recognises that Swiss law provides adequate protection for personal data, so that personal data may be transferred from EU member states to Switzerland (adequacy finding under Article 25 of Directive 95/46/EC). This adequacy decision remains in force under the GDPR (Article 45), which has since replaced the Directive.
This means that Safe Swiss Cloud is a sound choice for European companies that want to ensure compliance with EU data protection law.
Safe Swiss Cloud takes many steps to ensure the security of our customers' data and computing resources:
- Keeping the operating systems on all hosts of our cloud systems up to date.
- Two-factor authentication (2FA) for access to cloud management systems.
- Keeping the cloud platform software up to date.
- Physical security at the data centres.
- Regular network scans to detect irregularities.
- Regular employee security training.
- Regular reviews of access rights.
In addition, customers who delegate (parts of) their IT operations to Safe Swiss Cloud benefit from the following:
- Anti-malware installed on the customer's servers.
- Security Operations Center (SOC): monitoring with daily review of security events.
- Regular backups to separate, independent systems that are out of reach of ransomware running on the customer's servers.
- Managed firewalls.
- Penetration tests and vulnerability scans.
- Two-factor authentication (2FA) for access to the customer's servers (VMs).
- Regular security updates ("patching") of the customer's servers (VMs).
- Proactive confirmation with the customer of which users are allowed access.
The above and our internal security processes are documented in accordance with ISO 27001, 27017 and 27018, and are audited and certified annually.
German Federal Financial Supervisory Authority (BaFin) / BAIT: Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions (PDF)
ISO 27001 / 27018: Information Security Management and PII in the cloud. Verify Safe Swiss Cloud's ISO certification on TÜV Rheinland's Certipedia page.
All computing resources and data are in Safe Swiss Cloud's own world-class data centers in Switzerland. In the heart of Europe, Switzerland is politically and geographically one of the most stable countries in the world.
Our processes and data centers hold the certifications that businesses large and small need for their own compliance.
Safe Swiss Cloud is a great choice for European companies and organisations that want to ensure compliance with EU data protection law (GDPR).
Respect for the privacy of individual and company data is required by Swiss law (SR 235.1, Federal Act on Data Protection). Safe Swiss Cloud computing resources and data are accordingly only accessible to our clients or to parties authorized by them.
Safe Swiss Cloud is compliant with the European Union's comprehensive data protection law, the GDPR. For more details about the GDPR, visit this European Commission page.
As a 100% Swiss-owned company with all of its data centres in Switzerland, Safe Swiss Cloud is subject to Swiss law and, where applicable, European law, and not to foreign legislation such as the US CLOUD Act.
The European Union (EU) has recognised Swiss data protection as adequate, so individuals and businesses in the EU may use Swiss-based data processing without additional transfer safeguards. This makes Safe Swiss Cloud a good choice for EU companies that want to ensure compliance with the GDPR.