Compliance as a Competitive Advantage: How We Meet the Highest Data Protection Requirements

Data protection is no longer just a «nice to have»: for many organisations, it has become an indispensable core element of their compliance strategy. This is especially true in regulated industries such as government, finance, and healthcare, where companies handle particularly sensitive data. Today, strict requirements apply not only to where data is stored, but also to who is allowed to access it.

At Nine, we increasingly work with customers who have very high expectations when it comes to compliance and data protection. It’s no longer just about standard practices like encryption or access control: many organisations face specific regulatory requirements. For example, some customers are not only prohibited from storing data abroad, but must also technically prevent any access from outside Switzerland. ISO 27001 certification and Swiss data residency are therefore mandatory, but on their own, they’re not enough.

Technically blocking access from abroad

These requirements presented a unique challenge for us in the context of our 24/7 availability and support. In addition to our Swiss team, we also rely on colleagues in Canada as part of our «follow the sun» model. That’s a global support approach where teams in different time zones take over tasks to ensure continuous service in the company’s country of residence. The Canadian members of our team handle incidents outside of regular working hours in Switzerland.

For systems with particularly strict data protection requirements, however, we had to ensure that access is technically limited exclusively to Switzerland – even in the event of a support incident.

Our solution: such systems are technically configured so that access is only possible from within Switzerland, regardless of who is on duty at any given time. Incidents outside Swiss business hours are handled on the next Swiss working day.

Trust through transparency and flexibility

A concrete example: a customer migrated from Google Cloud Switzerland to Nine because, beyond Swiss data residency, they required technically enforced and contractually binding restrictions on support access from outside Switzerland. Large hyperscalers can guarantee Swiss data residency, but they cannot offer a contractually binding, technically enforced limitation to Swiss-based support access. That was the requirement, and that is what we delivered.

Thanks to our relatively small size, we are able to act quickly and with a customer-centric mindset. We can offer individual agreements tailored to the specific data protection needs of each client, as long as they are technically and operationally feasible.

Compliant with Zurich’s data protection authority

Concretely, our solutions comply with the requirements of the Canton of Zurich’s General Terms and Conditions for the Outsourcing of IT Services (AGB Auslagerung von Informatikdienstleistungen). This is a specific selection criterion for public authorities and institutions in the Canton of Zurich and a tangible demonstration that our measures go beyond a standard ISO 27001 certification.

Data protection is not a hurdle, it’s an opportunity

At Nine, we don’t view compliance as a burden. We see it as a differentiator. We help organisations in regulated industries implement concrete regulatory requirements, both technically and contractually. We’re transparent about what’s achievable and honest about limitations. For us, data protection is not a side issue, it’s a core part of our daily operations.
