Sovereign cloud hosting for VELOX Ecommerce
The compliance problem with standard cloud
Most ecommerce platforms assume you'll host on AWS, Google Cloud, or Azure and bring a long tail of US-operated services with them. For Swiss customers in finance, healthcare, or the public sector, that's not a preference. It's a compliance problem.
What "sovereign" actually requires
Three things have to hold:
- Data residency: customer data stays in Switzerland.
- Operator jurisdiction: the infrastructure provider is Swiss-incorporated with no foreign parent that could be compelled to disclose data under foreign law.
- Full stack audit: every runtime dependency is checked, not just the cloud provider. A Zurich-hosted VM doesn't help if your pages still load Google Fonts from a US server.
That third point is where most "sovereign" claims quietly fail.
Sovereign Cloud Hosting Outside the US
We can host VELOX-sovereign deployments on Nine, Infomaniak Exoscale or on-premise.
Thus, VELOX can use these services outside of US-jurisdiction:: Kubernetes, PostgreSQL, OpenSearch, and S3-compatible object storage.
How the stack maps to sovereign infrastructure
Compute runs on Nine's managed Kubernetes Engine. We use GraalVM native images to keep memory footprints small, so a single worker node handles the bulk of the platform comfortably.
Storage consolidates onto managed PostgreSQL — covering both relational and document workloads via the DocumentDB extension. MongoDB Atlas is US-operated, so we replaced it rather than compromise.
Search runs on managed OpenSearch (the Linux Foundation fork) in a high-availability configuration.
Messaging is the one gap: Nine has no managed AMQP broker, so we self-host RabbitMQ on Kubernetes. This is operationally well-understood and works cleanly.
Identity management uses ZITADEL — a Swiss-headquartered open-source OIDC provider (St. Gallen). We chose it over Keycloak because its project governance sits in Switzerland, not with an IBM subsidiary. For deployments where Keycloak is contractually required, we retain that integration as a fallback.
Cloudflare: The CDN Gap
Cloudflare is the biggest challenge. It terminates TLS at the edge, which means it has plaintext access to every request: login credentials, cart contents, payment metadata. As a Delaware corporation, it is subject to US CLOUD Act compulsion regardless of where its edge nodes sit. Buying Cloudflare through a Swiss reseller doesn't change that.
For FINMA-regulated or public sector customers, we skip external CDN entirely. TLS terminates inside the cluster, WAF rules run at the ingress layer, and DDoS mitigation is handled at the network level through Nine. For Swiss-domestic traffic, the performance difference is negligible.
For most B2B deployments, we use Bunny.net, a Slovenian CDN service with no US parent, Swiss PoPs available. Not a perfect sovereignty match, but no CLOUD Act exposure.
Trade-offs worth knowing
No managed message broker. RabbitMQ runs on Kubernetes. We operate it. For most teams, fine.
Smaller service catalogue. No managed Kafka, no serverless, no proprietary AI/ML. If a workload depends on AWS Bedrock or Vertex AI, sovereign hosting is the wrong choice for that workload.
SLA ceiling is 99.9%. Four-nines uptime requires multi-region active-active, which Nine alone doesn't support.
Control plane is billed separately. Hyperscalers give this away as multi-tenant. Nine charges for dedicated VMs — but that means your cluster shares infrastructure with no one.
Operations remain yours. Nine manages the platform. You manage the deployment. That doesn't change.
Summary
Sovereign hosting for Swiss customers is possible without compromising architecture. Our partnership with Nine eliminates the most critical risks: your data stays in Switzerland, infrastructure providers have no US parent, and every major runtime dependency has been replaced or self-hosted. The remaining gaps are operationally manageable. This is an important step toward full digital sovereignty and we will keep adding independent services outside the US.