Security Setup for Swiss Freelancers: How to Protect Client Data
TL;DR
- You handle client data, which makes you a data processor under the nFADP. You need basic security measures, not enterprise tooling.
- A password manager + VPN + 2FA + encrypted backups covers 95% of your obligations for the price of a coffee per week.
- Your biggest risk as a freelancer: a reused password or an unencrypted laptop getting stolen.
As a freelancer, your office is wherever you open your laptop: the café Wi-Fi, the airport hotspot, a client’s guest network. Your client data travels over all of these connections: contracts, credentials, financial information. And not just client data: your private messages, emails, and every website you visit. You control none of these networks. Anyone on the same Wi-Fi can use freely available tools to inspect your traffic. The risk has decreased with the near-universal adoption of HTTPS (HyperText Transfer Protocol Secure), the encrypted form of HTTP, but opportunities for attack and sniffing remain, particularly at the level of DNS queries, metadata, and sites that don’t yet enforce HTTPS through HSTS (HTTP Strict Transport Security).
Under the nFADP, you are responsible for protecting that data, even as a sole proprietor. The good news: that doesn’t require enterprise tooling or a security budget. A handful of tools and habits, most of them free or cheap, close the gaps that actually matter.
What the nFADP expects from you
The nFADP (revised Federal Act on Data Protection) applies to anyone processing personal data in Switzerland, including sole proprietors and freelancers. You don’t need a compliance department, but you do need “appropriate technical and organizational measures” to protect the data you handle.
In practice, this means:
- Unique passwords for every service (no reuse)
- Encryption on your devices (FileVault, BitLocker)
- A secure way to share sensitive files with clients
- Backups that are encrypted and tested
- The ability to delete client data when the engagement ends
If something goes wrong (a breach, a stolen laptop with unencrypted client data), you may need to notify the EDÖB (the Federal Data Protection and Information Commissioner, FDPIC) and your affected clients. Having basic security measures in place is both your legal obligation and your best defense against liability.
The freelancer security stack
Here’s what actually matters, in priority order.
1. Password manager (critical)
This is non-negotiable. You log into client portals, project management tools, cloud storage, email, invoicing software, and dozens of other services. If you reuse passwords or keep them in a spreadsheet, a single breach anywhere cascades to everything.
A password manager generates unique passwords for every account and auto-fills them. It also protects against phishing: auto-fill only triggers on the correct domain, so a lookalike login page won’t fool it.
Recommendation: Bitwarden (free tier is excellent) or 1Password (a few CHF/month, better UX and breach monitoring). For team selection logic see the SME comparison.
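The domain check behind auto-fill, as an added example that is not part of the original article and not any vendor's implementation: a simplified exact-origin rule that refuses to fill on lookalike hosts. The saved login and all URLs are constructed; real password managers apply their own matching rules.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Reduce a URL to (scheme, ASCII host, port); None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        # IDNA turns non-ASCII lookalike letters into a visible xn-- form.
        host = host.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port) if host else None


def autofill_decision(saved_url, page_url):
    """Return 'fill' or the reason the saved login is withheld."""
    saved, page = origin(saved_url), origin(page_url)
    if saved is None or page is None:
        return "unparseable URL"
    if page[0] != "https":
        return "page is not HTTPS"
    if page[1] != saved[1]:
        return f"host {page[1]} is not {saved[1]}"
    if page[2] != saved[2]:
        return "port differs"
    return "fill"


# Constructed sample URLs; the saved entry and every host are made up.
SAVED = "https://portal.client.example/login"
PAGES = [
    "https://portal.client.example/session/new",        # same site, other path
    "https://portal.client.example.signin.test/login",  # real name as a prefix
    "https://portal.cIient.example/login",              # capital I instead of l
    "https://port\u0430l.client.example/login",         # Cyrillic a (U+0430)
    "http://portal.client.example/login",               # downgraded to HTTP
]

if __name__ == "__main__":
    for page in PAGES:
        print(f"{autofill_decision(SAVED, page):50} {page}")
```

Only the first page gets the credentials. If auto-fill stays silent on a page that looks like a familiar login, check the address bar before typing the password by hand.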
2. Two-factor authentication (critical)
Enable 2FA on every account that supports it, starting with email (your email is the recovery path for everything else). Use an authenticator app (Google Authenticator, Authy), not SMS. If budget allows, a YubiKey for your most critical accounts is the strongest option. Passkeys are a modern alternative that replaces both the password and the second factor in a single, phishing-resistant step.
Your password manager can store TOTP codes, which is convenient but means a compromised master password exposes both layers. For maximum security, keep 2FA codes in a separate app.
3. Device encryption (critical, free)
Enable full-disk encryption on every device you use for work:
- Mac: FileVault (System Settings → Privacy & Security)
- Windows: BitLocker (Pro) or Device Encryption (Home)
- Phone: Enabled by default on modern iOS and Android
If your laptop is stolen, encryption means the thief gets hardware, not your client data. Without it, everything on that drive is accessible.
4. VPN (important)
A VPN encrypts your internet traffic. This matters most when you work from cafés, coworking spaces, hotels, or any network you don’t control. Even at home, a VPN reduces your ISP’s visibility into your browsing.
Recommendation: NordVPN (fast, Swiss servers, independently audited) or Proton VPN (Swiss-based, free tier available). Both cost a few CHF/month on annual plans.
Set it to auto-connect on untrusted networks. Most VPN apps make this a single toggle.
5. Encrypted backups (important)
The 3-2-1 rule: three copies, two storage types, one offsite. For a freelancer, this can be simple:
- Time Machine or Windows Backup to an external drive, encrypted with FileVault or BitLocker.
- Cloud backup with end-to-end encryption. For client data, providers with zero-knowledge architecture and a Swiss or EU base are the more defensible choice, notably Tresorit and Proton Drive. iCloud and Google Drive have their place for personal files, but client data sits under different rules.
- Test restoring a file once a quarter to confirm it works.
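One way to run the quarterly restore test from the list above, as an added example that is not part of the original article: hash the live files and a restored copy, then report anything missing or different. The folder names and file contents in `restore_demo` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large deliverables don't have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_restore(source_dir, restored_dir):
    """Compare every file under source_dir with its restored counterpart."""
    source, restored = Path(source_dir), Path(restored_dir)
    report = {"ok": [], "missing": [], "mismatch": []}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = restored / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_file(src) != sha256_file(dst):
            report["mismatch"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    return report


def restore_demo():
    """Constructed sample: one intact file, one truncated, one never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restore = Path(tmp, "live"), Path(tmp, "restore")
        (live / "acme").mkdir(parents=True)
        (restore / "acme").mkdir(parents=True)
        (live / "acme" / "contract.txt").write_text("signed 2024")
        (restore / "acme" / "contract.txt").write_text("signed 2024")
        (live / "acme" / "invoice.csv").write_text("1;CHF 1200\n2;CHF 800\n")
        (restore / "acme" / "invoice.csv").write_text("1;CHF 1200\n")
        (live / "notes.md").write_text("kickoff call")
        return verify_restore(live, restore)


if __name__ == "__main__":
    for status, files in restore_demo().items():
        print(status, files)
```

A mismatch on a file you edited after the backup ran is expected; a mismatch on an untouched file, or a missing one, is the finding to act on.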
Before you move client data to any cloud service, the more important question isn’t “which provider” but “which data”. Document which categories of client data you handle, where they are stored, and which provider has which level of access. Once a third party processes personal data on your behalf, Art. 9 nFADP requires a data processing agreement with that provider, regardless of whether the data is actively used or sitting there only as a backup.
If ransomware encrypts your working files, a backup is the difference between a bad day and a catastrophe. An unencrypted cloud backup on a US-headquartered provider solves the ransomware problem but creates a new one under the nFADP.
6. Secure file sharing (nice to have)
Stop sending sensitive files via email attachments. Use a service with end-to-end encryption:
- Tresorit (Swiss, zero-knowledge encryption)
- Proton Drive (Swiss, integrated with Proton ecosystem)
- 1Password for sharing credentials with clients securely
What this costs
| Tool | Option | Cost |
|---|---|---|
| Password manager | Bitwarden Free | CHF 0 |
| 2FA | Google Authenticator | CHF 0 |
| Device encryption | FileVault / BitLocker | CHF 0 |
| VPN | Proton VPN Free | CHF 0 |
| Cloud backup | iCloud 200GB | CHF 3/mo |
Minimum viable stack: free. Upgrade to premium tools (1Password + NordVPN) for roughly the cost of two coffees per month. Check vendor sites for current pricing.
Common mistakes freelancers make
- Using personal accounts for client work. Separate your work email, cloud storage, and tools from personal ones. A breach of your personal Netflix account shouldn’t cascade to client data.
- No encryption on external drives. That USB stick with client deliverables? If it’s unencrypted and you lose it, that’s a potential data breach under the nFADP.
- Sharing passwords via chat. WhatsApp, Slack DMs, email. All of these are searchable and persistent. Use a password manager’s secure sharing feature instead.
- No plan for device loss. Know how to remotely wipe your laptop (Find My Mac, Find My Device on Windows). Enable it now, not after it’s gone.
- Ignoring updates. Patch management sounds like a corporate concept, but it applies to you too. Enable automatic updates on your OS and apps. Known vulnerabilities, including former zero-days, are patched through updates.
The 30-minute setup
- Install Bitwarden or 1Password. Import browser-saved passwords. Let it flag reused ones.
- Enable 2FA on your email, cloud storage, and banking.
- Verify FileVault/BitLocker is on.
- Install a VPN. Set it to auto-connect on public Wi-Fi.
- Confirm your backup is running and encrypted.
That’s it. Five steps, 30 minutes, and you’ve addressed the security gaps that actually matter for a solo operator. Everything else is optimization.
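For the first step of the setup above, an added example (not from the original article) that audits a browser password export before you import it: it lists sites sharing one password and sites using variants of the same base word. The CSV column names and all sample rows are assumptions, constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. The column names (name, url, username, password)
# are an assumption; adjust them to the header row of your own file.
SAMPLE_CSV = """name,url,username,password
Client portal,https://portal.client.example/login,me@freelance.example,Winter2023!
Invoicing,https://invoices.example/signin,me@freelance.example,Winter2023!
Mail,https://mail.example/,me@freelance.example,k7#Lq92!vTz@pXe4
Old forum,https://forum.example/,me,winter2024
"""


def stem(password):
    """Lowercase and drop trailing digits/symbols: 'Winter2023!' -> 'winter'."""
    return re.sub(r"[\W\d_]+$", "", password.lower())


def audit(csv_text):
    """Return sites sharing a password, and sites using variants of one."""
    by_exact, by_stem = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue
        site = urlsplit(row.get("url") or "").hostname or row.get("name") or "?"
        by_exact[password].append(site)
        if len(stem(password)) >= 4:  # ignore stems too short to mean anything
            by_stem[stem(password)].append((site, password))
    # The report lists sites only; passwords are never returned or printed.
    exact = sorted(sorted(sites) for sites in by_exact.values() if len(sites) > 1)
    variants = sorted(
        sorted({site for site, _ in group})
        for group in by_stem.values()
        if len({pw for _, pw in group}) > 1
    )
    return {"exact": exact, "variants": variants}


if __name__ == "__main__":
    for kind, groups in audit(SAMPLE_CSV).items():
        for sites in groups:
            print(f"{kind}: {', '.join(sites)}")
```

The exported CSV holds every password in plain text, so delete it once the import into the password manager is done.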