CLOUD Act Exposure Scanner
Which tool falls under the US CLOUD Act?
Type your tools and see whether your data can fall under US law. With matching Swiss or EU alternatives.
Free to run, no account needed.
Every claim is linked and verifiable. See an example entry →
| Tool | Risk | HQ | US access | CH region | DPA | E2EE | nFADP |
|---|---|---|---|---|---|---|---|
| Microsoft 365 | Medium | USA | Yes | ✓ | ✓ | – | SCC |
| Slack | High | USA | Yes | – | ✓ | – | SCC |
| Proton | Low | CH | No | ✓ | ✓ | ✓ | – |
| Google Workspace | Medium | USA | Yes | – | ✓ | – | SCC |
| Zoom | High | USA | Yes | – | ✓ | – | SCC |
| Dropbox | High | USA | Yes | – | ✓ | – | SCC |
Sample data
Scan your tools
Type the tools you use.
We'll email you the full exposure summary.
We log which tools are checked to prioritize coverage. No tracking, no personal data.
Your stack's full assessment by email
The assessment covers risk verdicts, matching Swiss or EU alternatives, and verifiable sources. Leave your email and we'll send it to you when it's ready.
The problem
Data stored in Switzerland is not automatically out of US reach
Plenty of providers advertise "data in Switzerland." That is often true, but it does not answer the real question: who controls the company and its data processors?
The US CLOUD Act compels US companies to hand over data they control, regardless of which country the servers sit in. A Swiss datacenter run by a US parent does little to change that.
Still, not every US provider is the same: some now offer genuine Swiss storage. The scan tells these cases apart.
Inside the report
What's in it
The report covers the tools that SMEs use every day, from Microsoft 365 to Slack to HubSpot.
We assess each tool against the same criteria and make every finding verifiable, with a dated source.
The tool table
- Provider and parent company
- Physical storage location (default plus CH/EU option)
- Swiss region available?
- Disclosed sub-processors (especially US-based)
- US and CLOUD Act exposure
- End-to-end encrypted, or metadata only?
- nFADP transfer mechanism
- The Swiss or EU alternative
- One source per claim, dated
The self-audit framework
A step-by-step method you apply to your own stack, not an off-the-shelf tool inventory.
- 1
Walk your stack
Go through exactly the applications your team runs.
- 2
Flag the exposure
Mark where data in your stack touches US jurisdiction.
- 3
Evaluate alternatives
Check which Swiss or EU alternative could replace what's exposed.
Sample
What an entry looks like
A fully researched entry, with a source per row. Microsoft 365 as the example.
| Provider & parent company | Microsoft Corporation (USA) |
|---|---|
| Swiss region | Yes. Datacenters near Zurich and Geneva, Advanced Data Residency available for Switzerland. Source |
| CLOUD Act exposure | Yes. The US parent falls under the CLOUD Act, regardless of storage location. Microsoft commits to challenging unlawful government requests. Source |
| End-to-end encrypted? | No, not by default. The EU Data Boundary governs storage location, not access: Microsoft can process content. |
| nFADP transfer | Standard Contractual Clauses / Swiss-US Data Privacy Framework |
| Swiss / EU alternative | Proton, Infomaniak or Tresorit, depending on the use case |
Excerpt. In the report every row carries a source and an as-of date, plus a reminder to verify with your vendor.
Methodology
How the report is researched
Every claim comes from primary sources: the providers' own data processing agreements, trust centers and sub-processor lists, never secondhand. Each row is dated and linked.
The report assesses facts, not legal positions: where data physically sits, who controls the legal entity, which mechanisms a provider discloses. That is verifiable, and that is the point.
Note: This report is a factual, researched overview, not legal advice. For the legal assessment of their own situation, users should consult a qualified professional.
Questions
Common questions
Is the scan free?
Yes. Scanning your tools and getting your exposure summary is free. The full researched 2026 report (every tool, sourced and dated) is the paid deep version.
Will the report stay current?
It is a dated 2026 edition, not a subscription. Providers change their practices, so every claim carries a date and a reminder to verify with the vendor.
Is this legal advice?
No. Factual research and a framework, not a legal assessment.
Which tools are covered?
The business tools SMEs actually use day to day, not just the ones that are easy to research. Missing one? Add it in the scanner and we'll include it.