Application Catalog Sovereignty: Your Stack, Your Infrastructure, Swiss Operations
When you outsource your database, identity provider, secrets manager, and platform tooling to a single vendor, that vendor holds the keys to your entire application stack. Jurisdiction, data residency, and operational control matter more for a full-stack engagement than for any single service.
US hyperscaler managed services (AWS RDS, Azure Database, Google Cloud SQL, Amazon ElastiCache, Azure AD) run on US-owned infrastructure under US law. The CLOUD Act allows US authorities to access your data without Swiss judicial process, regardless of which region you select.
The VSHN Application Catalog runs every service on infrastructure you choose: on-premises, Swiss public cloud (cloudscale.ch, Exoscale), or hybrid. Your data never leaves your control.
Why the Application Catalog is a strong choice for sovereignty
- Infrastructure-agnostic: You choose the provider. VSHN operates on your Kubernetes cluster, not on shared multi-tenant infrastructure
- 100% open source: Every service (PostgreSQL, MariaDB, Redis, Keycloak, OpenBao, Forgejo, Crossplane, NGINX, Varnish, vLLM, LiteLLM) is open source with standard APIs
- No vendor lock-in: Standard protocols, standard data formats. If you leave, your data and configuration come with you
- Swiss operations: All operations staff are based in Switzerland. No offshoring, no subcontracting
- Single contract: One SLA, one vendor, one legal relationship under Swiss law
Managed services sovereignty compared
| Dimension | AWS Managed Services | Azure Managed Services | GCP Managed Services | VSHN Application Catalog |
|---|---|---|---|---|
| Ownership | Amazon (USA) | Microsoft (USA) | Google (USA) | VSHN AG (Switzerland) |
| Governing law | US law | US law | US law | Swiss law |
| CLOUD Act | Exposed | Exposed | Exposed | Not exposed |
| Data location | Configurable (EU regions) | Configurable (EU regions) | Configurable (EU regions) | Switzerland or your DC |
| Source code | Proprietary service layer | Proprietary service layer | Proprietary service layer | 100% open source |
| Infrastructure choice | AWS only | Azure only | GCP only | Customer chooses provider |
| Operations team | USA | USA | USA | Switzerland (Swiss-only option) |
| Certifications | SOC 2 | SOC 2, ISO 27001 | SOC 2 | ISO 27001, ISAE 3402 Type II |
Compliance and regulatory readiness
VSHN has been ISO 27001 certified since 2014 and operates exclusively from Switzerland with Swiss staff. AppCat deployments on private cloud infrastructure support:
- FINMA Circular 2018/3: Outsourcing requirements for Swiss financial institutions. VSHN provides audit documentation, Swiss-only operations, and contractual commitments for regulated customers
- EU DORA (Digital Operational Resilience Act): ICT third-party risk management provisions. AppCat on private cloud meets DORA's requirements for critical ICT service providers
- NIS2 Directive: Supply chain security requirements for essential and important entities. VSHN's ISO 27001 controls map to NIS2 Article 21 requirements
- GDPR / Swiss DPA: Swiss data residency by default. EU adequacy decision covers Swiss-EU data transfers
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026. Three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Customer chooses infrastructure provider. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent, the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4: it requires fully EU/EEA-sourced hardware supply chains and open-source foundations, structural gaps shared by every cloud provider.
Try Swiss infrastructure: Servala (managed services, free trial), Exoscale (Swiss IaaS). Want help choosing? Contact us.
Get a sovereignty assessment for your stack
Running managed services on US hyperscalers and concerned about jurisdictional risk? We assess your sovereignty profile against the EU framework and plan a migration to Swiss-operated infrastructure with the VSHN Application Catalog.