Digital Sovereignty

Digital sovereignty means having the most independent and self-determined control possible over one’s digital assets, e.g. devices, file services, data, ERP and CRM software. This sovereignty is threatened from various sides. The current debate focuses heavily on government agencies, but cybercrime, data loss, data leakage etc. also threaten the self-determined handling of one’s digital assets.

This article aims to explain how we at Vertec protect the sovereignty of our customers and our own.

Independence from public authorities

Law enforcement agencies in all states have rights to intrude on the privacy of companies and individuals, usually by court order. This is nothing new. What is relatively new is that US laws have extraterritorial effects, especially the CLOUD Act (FISA, which is also frequently mentioned, is much older). The CLOUD Act allows US law enforcement agencies to directly access foreign data, bypassing the usual legal assistance, if an IT provider has a “US connection.” In practice, the big US-based hyperscalers (Microsoft, Amazon, Google, Oracle) are particularly affected. Recent events show that the current US administration is also making use of this right.

Although the big US tech companies are building “sovereign” clouds in Europe, under the CLOUD Act these are by no means safe from US government interference. This is, of course, unacceptable from a digital sovereignty perspective. By contrast, the disclosure of data based on local laws (especially criminal laws) must be accepted in any case.

At Vertec, we try to keep dependencies on large US technology companies as small as possible.

Information security

Vertec operates an information security management system that is certified according to ISO 27001; see e.g. our overview article on data protection at Vertec.

Cloud services

The Vertec Cloud Suite is operated entirely with European cloud hosting companies, see the list of subcontractors. By “European cloud hosting companies” we mean companies that are headquartered in the EU, UK or Switzerland and do not operate a US subsidiary.

Most of the other cloud services, such as Customer Portal and Vertec Forum, are hosted by the same hosts. However, we also use Microsoft Azure services, namely for AI-based recognition of expense and accounts payable receipts and for document sealing. In both cases, however, no data is saved in Azure, and in the case of document sealing, the “document” to be sealed is not sent to Azure. In our opinion, this does not compromise digital sovereignty. However, customers are free to choose whether they want to use these optional Vertec services at all.

For BCM (Business Continuity Management) reasons, we use other hosters for the backups of the production Cloud Suite data. Since we store these files only in strongly encrypted form, we also accept hosters with a strong US connection.

Development processes

The processes for the development of Vertec software take place in-house. The source code is stored on servers operated locally in Zurich, as are the systems for the development process (Azure DevOps). An automatic intervention by authorities is therefore not possible.

For the development of other software (e.g. the Customer Portal), GitLab from GitLab Inc., Delaware, is used. The operative headquarters of GitLab is in San Francisco. The source code (and the development tasks) of the corresponding software is stored there, but no production data is stored in GitLab. In addition, the software is operated by us at a hosting company in Germany. GitLab Inc. has no access to the data.

All members of the development team are employed by Vertec AG in Zurich. There is no off-shoring or nearshoring. However, the development team receives occasional support from the technology company TNG Technology Consulting GmbH in Germany, e.g. in the development of the Customer Portal and the operating software for the Cloud Suite, and sporadically for AI development. TNG has a subsidiary in the USA, TNG Technology Consulting USA Inc. in Austin, Texas. However, Vertec only obtains services from Germany and TNG does not possess any production data from Vertec; TNG employees work on Vertec systems.

Collaboration with customers

For collaboration on client projects, we offer our customers collaboration via Basecamp. This collaboration tool is developed and operated by 37signals, a smaller US company based in Chicago, Illinois. Confidential and personal data should not be stored there. But we can also use any other collaboration tool, including one operated by our clients.

Vertec’s email server is operated by Microsoft Azure. If confidential data (e.g. Vertec databases) is sent via email, it is encrypted. We also require our customers to encrypt sensitive data and offer more secure exchange options (e.g. an upload feature via the Vertec homepage). We use S3 storage from AWS in Europe. Because the data is encrypted and stored only temporarily, we consider this acceptable.

Internal IT of the Vertec group

The Vertec group’s file storage, as well as the internal systems such as CRM, ERP and FAR, are all operated on-premises in Zurich. An automatic intervention by authorities is therefore not possible. In addition, we collect data about and from customers only sparingly; see Data protection at Vertec.

Vertec group and ownership

The Vertec group is a thoroughly European company: headquartered in Switzerland, with branches/subsidiaries in Germany, Austria and the UK. All owners of Vertec are natural persons resident in Switzerland and Germany.
