Skip to content
Back to glossary
Cloud Strategy

What is Sovereign Cloud?

A sovereign cloud is operated under a single jurisdiction's laws and physical control, data, keys and staff stay outside extraterritorial reach.

What "sovereign" actually means

A sovereign cloud is one where every layer of the stack, physical site, hardware ownership, operational personnel, encryption keys, support workflows, is governed by a single legal jurisdiction. For a Swiss company, that means servers in Switzerland, operated by a Swiss legal entity, with engineers physically located in Switzerland and processes that exclude foreign access on demand.

The word "sovereign" exists because hyperscaler clouds, AWS, Azure, GCP, are not. Even when an AWS region is physically in Frankfurt or Zurich, the legal entity is American. Under the U.S. CLOUD Act (2018) and other extraterritorial statutes, the U.S. government can compel that entity to disclose data, regardless of where the bytes physically sit. Most regulated Swiss industries, finance, healthcare, defence, public sector, cannot accept that exposure.

What sovereignty checks look like

A serious sovereign cloud passes several tests:

  1. Jurisdiction of the operating entity. Swiss limited company, no foreign parent in a country with extraterritorial laws.
  2. Location of physical infrastructure. Datacenters in Switzerland, with documented audit access.
  3. Personnel. Operations and on-call rotations staffed by individuals subject to Swiss law and resident in Switzerland.
  4. Key custody. Encryption keys, including the keys that protect customer data, held in HSMs under the operator's control, not accessible to a foreign cloud provider.
  5. Supply chain. Hardware sources, firmware updates and software dependencies disclosed and assessed.
  6. Audit rights. The customer can audit the operator and its sub-suppliers without contractual exclusion.

A "sovereign cloud" that fails three of those tests is marketing.

Why sovereignty isn't the same as on-premise

A common misconception is that "if you want sovereignty, you have to run your own datacenter." Modern sovereign clouds, including Hikube, give you the operational benefits of a managed cloud (virtual machines and instances, Kubernetes-as-a-service, S3-compatible storage, managed databases, GPU on demand) while preserving sovereignty. You get the productivity of cloud and the legal posture of on-premise.

When to use one

A sovereign cloud is the natural choice when at least one of the following is true:

  • You handle personal health data subject to FADP (LPD) or HIPAA-like rules.
  • You're regulated by FINMA, FOPH, or similar authorities with location-of-data requirements.
  • You hold trade secrets or strategic IP whose disclosure to a foreign jurisdiction would harm the business.
  • Your customers contractually require Swiss-only data residency.

Outside these cases, a hyperscaler is usually cheaper and more feature-rich; sovereignty is a tradeoff, not a default.

Hidora and Hikube

We built Hikube precisely because Swiss customers in regulated sectors needed cloud-native infrastructure they could legally use. It runs in three Swiss datacenters, on hardware we own, with engineers based in Geneva. Compatible with Kubernetes, S3 and PostgreSQL APIs so migration is a configuration change rather than an application rewrite.