Cloud

Secure Cloud - Comparison for Management

Cloud comparison for management: US hyperscaler vs. open-source alternative. Whom do I trust, and how do I escape vendor lock-in for a secure cloud?

Updated December 9, 2025
Cloud Security Part 2

Executive Summary

The key question: Do we entrust our data to AWS, Azure and Google Cloud, or do we use open-source alternatives built on Digital Principles, above all Nextcloud with a European (or better, a Swiss) provider, or even self-hosting?

Simple answer:

  • US hyperscaler ❌
    = Powerful, global, but with a "US backpack" (CLOUD Act, possible compelled access by US authorities)
  • Nextcloud in Switzerland (or the EU) ✅
    = Comparable feature set for files, collaboration and groupware, transparent AI use, full data control, and Swiss (or EU) law

The core problem: Vendor Lock-In

What is this?

You buy a solution and are then tied to it: a later change costs a lot of time and money.

Hyperscaler (AWS, Azure, Google)

  • Hundreds of proprietary services that interlock with each other
  • Example: AWS Lambda, DynamoDB, Azure Cosmos DB: not easily usable elsewhere
  • Consequence: a change means rewriting code, migrating data and retraining staff
  • Costs: often 6-12 months and seven-digit budgets

Sources: Mirantis – How public clouds actually lock you in, 2025, CAST AI – Vendor Lock-In, 2025

Nextcloud (Open-Source)

  • Open standards: WebDAV, CalDAV, CardDAV, REST APIs; any standard client can read and export the data
  • Same software, whether you run it yourself or switch providers
  • Switching: back up config, data directory and database, restore them on the new server, done. Days, not months
  • Costs: low, often doable in-house
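
Because Nextcloud speaks standard WebDAV, leaving a provider needs no proprietary SDK: any WebDAV client can list and download the whole account. The following is an added example, not code from this article or from the Nextcloud project. The instance URL, account name and app password are placeholders, and it assumes Nextcloud's standard files endpoint remote.php/dav/files/<user>/. It treats the server's reply as untrusted input and rejects hrefs that would escape the export directory.

```python
"""Pull an account's files out of Nextcloud over plain WebDAV.

Added example, not Nextcloud's own code. Assumed (not from the article): a
hypothetical instance at BASE_URL, account USER with app password APP_PASSWORD,
and Nextcloud's standard files endpoint remote.php/dav/files/<user>/.
"""
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urljoin

BASE_URL = "https://cloud.example.ch/"            # hypothetical instance
USER = "alice"                                     # hypothetical account
APP_PASSWORD = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"     # hypothetical app password
D = "{DAV:}"                                       # ElementTree namespace prefix

PROPFIND_BODY = b"""<?xml version="1.0"?>
<d:propfind xmlns:d="DAV:">
  <d:prop><d:resourcetype/><d:getcontentlength/><d:getetag/></d:prop>
</d:propfind>"""

# Constructed PROPFIND (Depth: 1) reply, shaped like a real Nextcloud answer,
# so parse_multistatus() can be exercised offline.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
  <d:response><d:href>/remote.php/dav/files/alice/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/files/alice/Documents/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
  <d:response><d:href>/remote.php/dav/files/alice/Budget%202025.xlsx</d:href>
    <d:propstat><d:prop><d:resourcetype/><d:getcontentlength>1234</d:getcontentlength>
    <d:getetag>"3f1a"</d:getetag></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
</d:multistatus>"""


def parse_multistatus(xml_bytes, collection_path):
    """Return (href, is_dir, size) for each child of the requested collection,
    skipping the entry that describes the collection itself."""
    root = ET.fromstring(xml_bytes)
    entries = []
    for resp in root.iter(D + "response"):
        href = resp.findtext(D + "href")
        if href is None or unquote(href).rstrip("/") == unquote(collection_path).rstrip("/"):
            continue
        is_dir = resp.find(f".//{D}resourcetype/{D}collection") is not None
        size_text = resp.findtext(f".//{D}getcontentlength")
        entries.append((href, is_dir, int(size_text) if size_text else 0))
    return entries


def safe_relative_path(href, collection_path):
    """Path of href below collection_path. The server's answer is untrusted
    input: refuse hrefs outside the collection or containing '..' so a hostile
    or buggy server cannot make us write outside the export directory."""
    base = unquote(collection_path).rstrip("/") + "/"
    full = unquote(href)
    if not full.startswith(base):
        raise ValueError(f"href outside collection: {href}")
    rel = full[len(base):]
    if ".." in rel.split("/"):
        raise ValueError(f"path traversal in href: {href}")
    return rel


def _request(method, url, body=None, headers=None):
    """One authenticated HTTP request (Basic auth with the app password)."""
    req = urllib.request.Request(url, data=body, method=method)
    token = base64.b64encode(f"{USER}:{APP_PASSWORD}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def export_tree(collection_path, dest_dir):
    """Recursively download everything below collection_path into dest_dir;
    returns the list of local files written."""
    listing = _request("PROPFIND", urljoin(BASE_URL, collection_path), PROPFIND_BODY,
                       {"Depth": "1", "Content-Type": "application/xml"})
    written = []
    for href, is_dir, _size in parse_multistatus(listing, collection_path):
        local = os.path.join(dest_dir, safe_relative_path(href, collection_path).rstrip("/"))
        if is_dir:
            os.makedirs(local, exist_ok=True)
            written += export_tree(href, local)       # recurse with the server's own href
        else:
            os.makedirs(os.path.dirname(local), exist_ok=True)
            with open(local, "wb") as fh:
                fh.write(_request("GET", urljoin(BASE_URL, href)))
            written.append(local)
    return written


if __name__ == "__main__":
    for entry in parse_multistatus(SAMPLE_MULTISTATUS, "/remote.php/dav/files/alice/"):
        print(entry)
    # Live export against a reachable instance:
    # export_tree(f"/remote.php/dav/files/{USER}/", "./nextcloud-export")
```

The constructed multistatus reply only exercises the parser offline; export_tree() performs the real PROPFIND/GET sequence against a live instance. For a full migration the same tree can be pushed to the new server with PUT/MKCOL, or, simpler, restored from the server-side backup described above.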

Transparency: What does the provider see

Hyperscaler

❓Can we access the code?

❗No. Proprietary source code = black box. ☹️

❓Can the provider's employees view our data?

❗Yes. Policies are supposed to prevent this, but verifying from the outside that they do is difficult. 😞

❓Can authorities force access to our data?

❗Yes, and that is the severe danger with US providers (CLOUD Act). There is also the suspicion of standing access to the data. 😧

Open Source (Nextcloud)

❓Can we access the code?

❗Yes, completely. Open source = code on GitHub = audits are possible. ☺️

❓Can the provider's employees view our data?

❗With a trustworthy provider and the right configuration: no. Note that Nextcloud's server-side encryption keeps its keys on the server, so it protects the storage backend but not against the server operator; only client-side (end-to-end) encryption keeps the keys with the user, so that employees see nothing but ciphertext. ☺️

❓Can authorities force access to our data?

❗Only through local courts (CH/EU law), not via the CLOUD Act, provided the provider has no US parent company. 😐

Sources: Nextcloud – Encryption & Security, 2025, Nextcloud – Security & Authentication, 2025, others

The CLOUD Act Risk – The Game Changer

What is the US CLOUD Act?

In short: a US law from 2018 that allows US authorities to demand data from US companies such as AWS, Microsoft and Google, regardless of where the data is stored. There is also the suspicion that US authorities have standing access to data held by companies with US headquarters.

Specifically:

  • A US company stores your data in a CH or EU data center
  • A US agency requests the data
  • Microsoft/Google/Amazon/Apple must hand it over, even where this conflicts with the GDPR or other local laws and directives
  • You usually never find out about it (confidentiality orders)

Sources: Wire – CLOUD Act vs. EU sovereignty, 2025, IT-LEXIKON – What is the Cloud Act, DSB Canton of Zurich – CLOUD Act, 2024, opencloud.eu – CLOUD Act explained, 2025, others

Consequences for CH/EU companies

[Image: 2_Cloud-Scenario.png]

These are the main reasons why Swiss and EU companies are, finally, increasingly looking for an alternative.

Data encryption: "At Rest" & "In Transit"

What does that mean?

🧘Data at Rest = data in storage, on the provider's disks

🏃‍➡️Data in Transit = data moving over the network, between client and provider

Hyperscaler

[Image: 2_Cloud-Encryption.png]

Consequence: hyperscalers encrypt data at rest by default, but the provider holds the keys in its own key management service. If an authority compels access, the provider can decrypt and hand over your data in plain text. 😧

Source: Pilotcore – AWS vs Azure vs Google Cloud 2025

Open Source (Nextcloud)

[Image: 2_Cloud-Encryption_NC.png]

Consequence: with end-to-end encryption the keys never leave the client, so even if an authority compels access, the provider can only hand over ciphertext it cannot decrypt. Nextcloud's server-side encryption alone does not achieve this, because its keys are stored on the server. ☺️

Sources: Nextcloud – Encryption & Hardening, 2025, YouTube – Nextcloud: Multiple layers of encryption, 2025, others
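
The encryption-at-rest question comes down to who holds the keys. The following is an added example, not Nextcloud or hyperscaler code. It models a provider that encrypts with keys it keeps (the default of AWS/Azure/Google server-side encryption, and also of Nextcloud's server-side encryption, whose master key lives on the server) beside a client that encrypts before upload with a key derived from a passphrase the server never sees (Nextcloud end-to-end encryption). The cipher is a stand-in built from HMAC-SHA256 because the Python standard library has no AES; names such as ProviderStorage and compelled_disclosure are this example's own.

```python
"""Who can decrypt data at rest: provider-held keys versus client-held keys.

Added example for this article, not Nextcloud or hyperscaler code. The cipher
(HMAC-SHA256 in counter mode, encrypt-then-MAC) stands in for AES-GCM only
because the standard library ships no AES; the point is where the key lives.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # demo value; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Checks the tag first; a wrong key or a modified blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ProviderStorage:
    """The provider's side: object store plus the provider's own key store
    (an AWS KMS key, or the master key of Nextcloud's server-side encryption)."""

    def __init__(self):
        self.objects, self.wrapped_keys = {}, {}
        self.master_key = os.urandom(32)        # generated and held by the provider

    def put_server_side_encrypted(self, name, plaintext):
        """SSE-S3/SSE-KMS or Nextcloud server-side encryption: plaintext reaches
        the server, which encrypts it under a per-object key and keeps that key
        wrapped under its master key."""
        data_key = os.urandom(32)
        self.objects[name] = encrypt(data_key, plaintext)
        self.wrapped_keys[name] = encrypt(self.master_key, data_key)

    def put_client_encrypted(self, name, blob):
        """End-to-end encryption: only ciphertext reaches the server."""
        self.objects[name] = blob
        self.wrapped_keys[name] = None

    def compelled_disclosure(self, name):
        """What the provider can hand over under a legal order: plaintext where
        it holds the key, otherwise only ciphertext."""
        blob, wrapped = self.objects[name], self.wrapped_keys[name]
        if wrapped is None:
            return {"plaintext": None, "ciphertext": blob}
        return {"plaintext": decrypt(decrypt(self.master_key, wrapped), blob), "ciphertext": blob}


def client_encrypt(passphrase, plaintext):
    """Client side: the key comes from a passphrase the server never sees."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)
    return salt + encrypt(key, plaintext)

def client_decrypt(passphrase, blob):
    """Client side: re-derive the key from the stored salt and the passphrase."""
    salt, body = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)
    return decrypt(key, body)


def demo(passphrase="correct horse battery staple"):
    """Stores one constructed record both ways and reports what a compelled
    provider could disclose in each case."""
    store = ProviderStorage()
    record = b"client list: Bank Alpha, Bank Beta, Bank Gamma"   # constructed sample
    store.put_server_side_encrypted("sse/customers.txt", record)
    store.put_client_encrypted("e2ee/customers.txt", client_encrypt(passphrase, record))
    sse = store.compelled_disclosure("sse/customers.txt")
    e2ee = store.compelled_disclosure("e2ee/customers.txt")
    return {"sse_plaintext_disclosed": sse["plaintext"] == record,
            "e2ee_plaintext_disclosed": e2ee["plaintext"] is not None,
            "owner_still_reads_e2ee": client_decrypt(passphrase, e2ee["ciphertext"]) == record}


if __name__ == "__main__":
    print(demo())
```

compelled_disclosure() shows the practical difference: with provider-held keys an order yields plaintext, with client-held keys only ciphertext that the owner can still read. "Customer-managed" KMS keys whose key material sits inside the provider's key service remain within the provider's reach; they change who can rotate and revoke, not whether the provider can decrypt. Only keys held outside the provider, or encryption on the client, change that.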

Technical abilities for devices & integration

Hyperscaler

🟩 Web, mobile, IoT, AI, machine learning, serverless, globally available

🟩 Practically unlimited scaling

🟧 Disadvantage: often works best only with the provider's own products

Open Source (Nextcloud)

🟩 Web, Desktop, Mobile (iOS/Android)

🟩 File sync, calendar/tasks (CalDAV), contacts (CardDAV), email integration

🟩 Edit documents (with Collabora or OnlyOffice)

🟩 REST APIs for custom integration

🟩 Transparent AI integration as needed

🟧 Disadvantage: No replacement for specialized IoT platforms or AI services from hyperscalers

Sources: Nextcloud – Secure Sharing, 2025, VPSBG – Nextcloud Open-Source Review, 2025, others

Data retention – USA vs. UK vs. EU vs. Switzerland

The legal framework (simplified)

🇺🇸 USA

  • Privacy: fragmented, no federal law comparable to the GDPR 😧
  • Access by authorities: strong (NSA, FBI, FISA, Patriot Act, CLOUD Act) 😧
  • Problem: hyperscalers are subject to the CLOUD Act even if the data is in CH/EU 😧

🇬🇧 UK

  • Post-Brexit: UK GDPR (closely modelled on the EU GDPR) 😐
  • CLOUD Act: US providers (Microsoft, AWS in London) remain subject to the CLOUD Act 😧
  • Advantage over the USA: stricter data protection, but this does not remove the CLOUD Act exposure of US providers 😐

🇪🇺 EU

  • Data protection: GDPR, one of the strictest laws worldwide ☺️
  • Access by authorities: only through national courts and mutual legal assistance treaties (MLATs) 😐
  • CLOUD Act: conflict! The GDPR says "no" to government access outside legal assistance channels; the CLOUD Act says "yes" 😧
  • Reality: EU providers without a US parent (e.g. providers in Germany) are outside the CLOUD Act's reach 😐
  • US providers: even in an EU data center = CLOUD Act risk 😧

🇨🇭 Switzerland

  • Data protection: revised Federal Act on Data Protection (revDSG/nFADP, in force since 1 September 2023), similar to the GDPR and partly stricter ☺️
  • Special feature: Switzerland is not in the EU, but benefits from an EU adequacy decision ☺️
  • CLOUD Act: not directly applicable, but US providers with Swiss subsidiaries remain problematic 😧
  • Advantage: traditional strength in data protection, strict controls ☺️
  • Reputation: Switzerland + open source = "gold standard" for highly sensitive data ☺️

Sources: Opsone – revDSG vs. GDPR, 2024, Adnovum – Differences nDSG vs. DSGVO, 2023, KMU.admin.ch – revDSG, 2024, convotis – US cloud services & data protection, 2025, Deepcloud.swiss – US vs. Swiss data protection, 2025, UMB – Private Cloud in Switzerland, 2025

Practical scenarios – What is the best solution?

Scenario A: Swiss financial firm, highly sensitive customer data

[Image: 2_Cloud-ScenarioA.png]

Solution: Nextcloud on Swiss infrastructure (e.g. a provider without a US parent). Full revDSG compliance; the CLOUD Act plays no role.

Scenario B: EU media agency, photo/video collaboration

[Image: 2_Cloud-ScenarioB.png]

Solution: AWS/Google Cloud in an EU region with customer-managed keys (keys kept in the provider's own key management service remain within the provider's reach; only keys held outside the provider, or client-side encryption, change that), OR Nextcloud for file sharing combined with a specialized media service.

Scenario C: Startup, rapid scaling, global users

[Image: 2_Cloud-ScenarioC.png]

Solution: AWS/Azure in an EU region, with a GDPR-compliant setup (Data Processing Agreement) added later. Nextcloud is slower to set up here.

Recommendation for decision-makers

Ask yourself:

  1. Do we store highly sensitive data (medical, financial, governmental)?

    Yes → Nextcloud in CH/EU with client-side (end-to-end) encryption

  2. Do we need AI/machine learning/specialized cloud services?

    Yes → Hyperscaler (accept the CLOUD Act risk and manage it through policies)

    No → Nextcloud or Hybrid

  3. Is data sovereignty a compliance requirement?

    Yes → Nextcloud

    No → Hyperscaler

  4. Could switching providers be fatal for our business?

    Yes → Nextcloud

    No → Hyperscaler

  5. Are we resident in the USA, UK, EU, or Switzerland?

    CH/EU with a focus on data protection → Nextcloud, local hosting

    US/Global → Hyperscaler

Conclusion

Hyperscaler (AWS, Azure, Google Cloud):

✅ Flexible, global

✅ Best performance for specialized workloads

❌ Vendor Lock-In

❌ The CLOUD Act creates legal uncertainty for CH/EU

❌ Higher costs due to dependence

Nextcloud (with CH/EU hosting):

✅ Full data control

✅ Compliant with revDSG/GDPR without the CLOUD Act risk

✅ No lock-in

✅ Open Source = Transparency & Audit

✅ More cost-effective for basic scenarios

❌ Not for massive AI/ML/specialized workloads

The truth: It's not an either-or situation. Hybrid is often the best strategy:

🟩 Nextcloud for files, collaboration, groupware

🟨 Hyperscaler for specialized services (AI, analytics, etc.)

🟥 Sensitive data belongs in Nextcloud, not with US providers.

Have fun switching to secure solutions and expanding your Digital Self-Determination.