# Application Catalog Sovereignty: Your Stack, Your Infrastructure, Swiss Operations

When you outsource your database, identity provider, secrets manager, and platform tooling to a single vendor, that vendor holds the keys to your entire application stack. Jurisdiction, data residency, and operational control matter more for a full-stack engagement than for any single service.

US hyperscaler managed services (AWS RDS, Azure Database, Google Cloud SQL, Amazon ElastiCache, Azure AD) run on US-owned infrastructure under US law. The [CLOUD Act](https://en.wikipedia.org/wiki/CLOUD_Act) allows US authorities to access your data without Swiss judicial process, regardless of which region you select.

The VSHN Application Catalog runs every service on infrastructure you choose: on-premises, Swiss public cloud (cloudscale.ch, Exoscale), or hybrid. Your data never leaves your control.

## Why the Application Catalog is a strong choice for sovereignty

- **Infrastructure-agnostic**: You choose the provider. VSHN operates on your Kubernetes cluster, not on shared multi-tenant infrastructure
- **100% open source**: Every service (PostgreSQL, MariaDB, Redis, Keycloak, OpenBao, Forgejo, Crossplane, NGINX, Varnish, vLLM, LiteLLM) is open source with standard APIs
- **No vendor lock-in**: Standard protocols, standard data formats. If you leave, your data and configuration come with you
- **Swiss operations**: All operations staff are based in Switzerland. No offshoring, no subcontracting
- **Single contract**: One SLA, one vendor, one legal relationship under Swiss law

## Managed services sovereignty compared

| Dimension | AWS Managed Services | Azure Managed Services | GCP Managed Services | VSHN Application Catalog |
|-----------|---------------------|----------------------|---------------------|------------------------|
| **Ownership** | Amazon (USA) | Microsoft (USA) | Google (USA) | VSHN AG (Switzerland) |
| **Governing law** | US law | US law | US law | Swiss law |
| **CLOUD Act** | Exposed | Exposed | Exposed | Not exposed |
| **Data location** | Configurable (EU regions) | Configurable (EU regions) | Configurable (EU regions) | Switzerland or your DC |
| **Source code** | Proprietary service layer | Proprietary service layer | Proprietary service layer | 100% open source |
| **Infrastructure choice** | AWS only | Azure only | GCP only | Customer chooses provider |
| **Operations team** | USA | USA | USA | Switzerland ([Swiss-only option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support)) |
| **Certifications** | SOC 2 | SOC 2, ISO 27001 | SOC 2 | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II |

## Compliance and regulatory readiness

VSHN has been ISO 27001 certified since 2014 and operates exclusively from Switzerland with Swiss staff. AppCat deployments on private cloud infrastructure support:

- **FINMA Circular 2018/3**: Outsourcing requirements for Swiss financial institutions. VSHN provides audit documentation, Swiss-only operations, and contractual commitments for regulated customers
- **EU DORA** (Digital Operational Resilience Act): ICT third-party risk management provisions. AppCat on private cloud meets DORA's requirements for critical ICT service providers
- **NIS2 Directive**: Supply chain security requirements for essential and important entities. VSHN's ISO 27001 controls map to NIS2 Article 21 requirements
- **GDPR / Swiss DPA**: Swiss data residency by default. EU adequacy decision covers Swiss-EU data transfers

## VSHN sovereignty self-assessment

We applied the EU's [Cloud Sovereignty Framework](https://commission.europa.eu/document/09579818-64a6-4dd5-9577-446ab6219113_en) (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's [EUR 180M sovereign cloud tender](https://ec.europa.eu/commission/presscorner/detail/en/ip_26_833) in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.

*This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.*

| # | Dimension | Weight | Assessment | Evidence |
|---|-----------|--------|-----------|----------|
| SOV-1 | Strategic | 15% | **Strong** | Swiss AG, no foreign parent, all shareholders Swiss citizens ([Commercial Register](https://zh.chregister.ch/cr-portal/auszug/auszug.xhtml?uid=CHE-275.566.226)) |
| SOV-2 | Legal | 10% | **Strong** | Swiss law ([GTC](https://products.vshn.ch/legal/gtc_en.html)), no CLOUD Act, [EU adequacy decision](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) |
| SOV-3 | Data & AI | 10% | **Strong** | Swiss DCs by default. Customer chooses infrastructure provider. Sovereign key management via [Managed OpenBao](https://www.openbao.ch) + [Swiss HSM](https://cloud.securosys.com/cloudhsm) |
| SOV-4 | Operational | 15% | **Strong** | Swiss 24/7 ops, [Swiss-only support option](https://products.vshn.ch/support_plans.html#_option_switzerland_only_support). All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | **Strong** | Infrastructure-agnostic — [customer chooses provider](https://servala.com/providers/). Open-source software |
| SOV-6 | Technology | 15% | **Strong** | 100% open source. VSHN contributes to [K8up](https://github.com/k8up-io) (CNCF), [Crossplane providers](https://github.com/vshn), [Project Syn](https://github.com/projectsyn) |
| SOV-7 | Security | 10% | **Strong** | [ISO 27001](https://www.vshn.ch/wp-content/uploads/2025/12/ISO-27001-certificate-VSHN-2024.pdf), ISAE 3402 Type II, Swiss SOC. [FINMA-regulated customers](https://www.vshn.ch/en/solutions/solutions-for-banks-and-financial-service-providers/) |
| SOV-8 | Environmental | 5% | **Moderate** | DC operators: Green Datacenter AG (ISO 22301/27001/27701), [Exoscale sustainability](https://www.exoscale.com/sustainability/). [VSHN CSR policy](https://handbook.vshn.ch/corporate_social_responsibility_policy.html) |

**Overall: SEAL-3 equivalent**, the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4: it requires fully EU/EEA-sourced hardware supply chains and open-source foundations, structural gaps shared by every cloud provider.

Try Swiss infrastructure: [Servala](https://www.servala.com) (managed services, free trial), Exoscale (Swiss IaaS). Want help choosing? [Contact us](#contact).

## Get a sovereignty assessment for your stack

Running managed services on US hyperscalers and concerned about jurisdictional risk? We assess your sovereignty profile against the EU framework and plan a migration to Swiss-operated infrastructure with the VSHN Application Catalog.
