CLOUD Act

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a United States law that came into force in 2018. It regulates the conditions under which U.S. authorities may require U.S. companies or their subsidiaries to disclose data – regardless of the country in which that data is physically stored.
For companies outside the United States, the CLOUD Act is particularly relevant in the context of cloud services. If a service provider is subject to U.S. law, it may be legally obliged to disclose data to U.S. authorities, even if that data is stored in data centres located in Europe or Switzerland. In such cases, the physical location of the data alone does not provide complete protection against access.

From the perspective of Swiss and European data protection requirements, this results in a significant limitation: for services with a global data footprint or a U.S.-based development or corporate background, it cannot always be guaranteed that data is subject exclusively to local data protection law. The CLOUD Act therefore creates a potential conflict between national data protection regulations and extraterritorial access rights.
For organisations with increased requirements regarding data protection, confidentiality or regulatory compliance, it is therefore not only the storage location of the data that is decisive, but also the legal jurisdiction to which the provider is subject. These aspects should be carefully considered when selecting cloud and infrastructure services.

exaSys takes these conditions into account by offering infrastructure and cloud solutions operated from Switzerland and by relying on providers and partners outside the U.S. legal jurisdiction. The aim is to strengthen legal control over data and to minimise risks associated with extraterritorial access rights.
At the same time, depending on customer requirements, exaSys also offers solutions that involve technology or platform providers subject to U.S. law and for which the CLOUD Act may apply.

Which solution is suitable in a specific scenario depends on the technical, operational and legal requirements. exaSys therefore places great importance on transparent classification of the technologies used and supports organisations in assessing the implications for data protection, compliance and data sovereignty in a clear and comprehensible manner.