Why your AI assistant should never leave Switzerland

The problem nobody mentions

When you type a message into ChatGPT, Claude, Gemini or any other mainstream AI assistant, something happens that most users don't realize: your text immediately leaves Switzerland.

It travels to servers located in the United States, Ireland, Germany, or elsewhere — depending on the provider's architecture. It is processed in data centers subject to US law, European GDPR, UK GDPR, or even the provisions of the American CLOUD Act.

For an individual asking about recipes or travel advice, this is an abstract consideration. For a Swiss lawyer, doctor, financial advisor, or HR manager, it is a concrete problem.

What Swiss law says

The Swiss Federal Act on Data Protection (nDSG/FADP), in force since September 2023, strictly governs the transfer of personal data abroad. Article 16 requires that any transfer to a country without adequate protection be subject to specific safeguards — standard contractual clauses or the explicit consent of the data subject.

But beyond the nDSG, there are sector-specific professional obligations:

• Lawyers are bound by professional secrecy under Art. 321 of the Swiss Criminal Code. Transmitting client information to an AI whose servers are abroad may constitute a violation of this secrecy.
• Doctors are bound by medical secrecy (also Art. 321 SCC) and the specific requirements of the Medical Professions Act.
• Bankers operate under banking secrecy (Art. 47 BA), with some of the strictest confidentiality obligations in the world.
• Fiduciaries and tax advisors are bound by confidentiality obligations toward their clients.

In each of these cases, using a foreign AI tool to process client data is not a technical question — it is a question of legal compliance and professional ethics.

The "hosted in Switzerland" trap

Some foreign providers claim to "host data in Switzerland" through agreements with local data centers. This is a partial truth that masks a structural problem.

When an American company hosts your data in Switzerland via a partner data center, the parent company remains subject to the US CLOUD Act. This law, in force since 2018, allows US authorities to compel American companies to provide data stored anywhere in the world — including Switzerland.

Physical data residency is not enough. What matters is the nationality of the entity that controls it.

The Nectos difference

Nectos is operated by Adopt-AI SA, a Swiss corporation, incorporated in Switzerland, subject to Swiss law, with no foreign subsidiary or parent company. Infrastructure is managed by Hidora SA, an ISO 27001 certified cloud provider whose servers are exclusively in Switzerland.

There is no American entity in the chain. No CLOUD Act. No cross-border transfer. Every byte stays in Switzerland, under Swiss jurisdiction, for the duration of your subscription — and is securely deleted upon cancellation.

This is what data sovereignty means. Not a marketing argument — a contractual, technical, and legal guarantee.

What to do now

If you are currently using a foreign AI assistant in a Swiss professional context, three questions deserve to be put to your compliance officer or legal department:

1. Where are our prompts processed? Not just stored — processed.
2. What cross-border transfers have we formally documented?
3. Does our DPA with the provider cover client data transmitted to it via AI?

If you cannot answer these three questions, the risk is real.

Nectos was designed precisely to eliminate these questions — keeping everything in Switzerland, by default, without exception.