How siati.ai aligns with the Federal Act on Data Protection (nLPD / FADP).
Last updated: 2026-05-19
nLPD (Swiss FADP)
The new Federal Act on Data Protection (nLPD / FADP) has been in force in Switzerland since 1 September 2023. It modernised Swiss data protection law in line with the GDPR, with a few specifically Swiss touches (notably the role of the FDPIC and the lack of direct fines for individuals).
Why nLPD matters for AI
If you process personal data with an LLM — analysing customer messages, summarising emails, generating personalised content — you trigger nLPD obligations. The same goes for fine-tuning on data that includes personal information.
The key question regulators ask: where does the data actually live, and who can compel access to it?
How we comply
Article-by-article snapshot
| nLPD Art. | Requirement | Our implementation |
|---|---|---|
| 5 | Lawfulness, transparency, purpose limitation | DPA + clear processing purposes in onboarding |
| 6 | Data minimisation | We log request metadata, not request contents (opt-in to log) |
| 7 | Data security | At-rest encryption (LUKS on NVMe), TLS 1.3 in transit, role-based access |
| 8 | Privacy by design | Default tier slow doesn't log content; admin opt-in for full logs |
| 12 | Records of processing | Auto-maintained; exportable from dashboard |
| 16 | Transfer abroad | None for inference. Data never leaves our Lugano racks. |
| 19 | Notification of breach to FDPIC | Procedure documented; 72h target |
| 24 | Data Protection Impact Assessment | Template provided to enterprise customers |
| 32 | Right of access for data subject | API: POST /me/delete for full erasure; data export on request |
Subprocessors
Short and deliberate:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Card processing for subscriptions | Ireland (EU) |
| Postmark | Transactional email (verification, receipts) | US — only sees email address + transaction ID |
DPA (Data Processing Agreement)
We sign a DPA on request for any customer who handles personal data. Template available; bilateral signature within 2 working days. Includes:
- Roles (we are the processor, you are the controller)
- Lawful basis declarations
- Subprocessor list (above) with right to object
- Security measures (TOMs)
- Audit rights (annual on-site)
- Breach notification SLA (24h to controller)
Contact dpa@siati.ai (or open ticket from dashboard) to receive the DPA PDF.
Data residency in practice
| What | Where | Encrypted at rest |
|---|---|---|
| Account database (Postgres) | Lugano | yes (LUKS) |
| Vector embeddings (Qdrant) | Lugano | yes |
| Uploaded RAG documents | Lugano (Proxmox NFS, soon Ceph/LinStor cluster) | yes |
| Inference logs (opt-in) | Lugano | yes |
| Model weights | Lugano (NVMe per host) | n/a (public weights) |
| Backups | Lugano (different physical rack) | yes |
| Off-site backup (optional) | Geneva (Swiss soil, encrypted) | yes |
How to verify
We give enterprise customers:
- The full subprocessor list with annual review
- The MOM (model of measure) for our facility
- Access to network capture during a customer-witnessed inference (no PCAPs leave our network during the test)
- Customer-supplied auditor visits scheduled twice per year
The whole premise is verify, don't trust. We provide the artefacts.