Loading the catalogue…
Loading the catalogue…
Independently-owned Swiss provider; OpenAI-compatible open models hosted entirely in Switzerland. Non-EU but GDPR-adequate.
Compliance posture
Routed through Stav's upstream relationship with this operator.
Stav's assessment · serving-side
Infomaniak Network SA is a Swiss-incorporated, majority employee-owned operator serving AI inference exclusively from its own Tier III+ data centres in Geneva, with zero US corporate parentage and no hyperscaler sub-processing in the serving path. The composite lands at 82 (conditional) reflecting a strong overall sovereignty posture held back primarily by Switzerland's non-EEA status: EU customers rely on the EU–Switzerland adequacy decision rather than SCCs or EEA-native hosting, which regulated-sector customers in banking or healthcare must document explicitly in their GDPR transfer records. Legal exposure is the strongest dimension (88), underpinned by explicit CLOUD Act / FISA 702 immunity and clean Swiss incorporation; contractual posture (78) is the weakest, owing to the absence of a named AI-pipeline sub-processor list and limited public detail on audit rights. Stav's operational verdict: sovereign serving is available via the Swiss adequacy-decision transfer mechanism — no derogation is required for standard GDPR data, but regulated-sector operators should verify their internal transfer policies accept adequacy-decision reliance and should request a named sub-processor list under the DPA before onboarding sensitive workloads.
Inference runs exclusively on Infomaniak-owned hardware in Geneva, Switzerland, with no hyperscaler dependency, but Switzerland is not an EEA member state — data stays in-country but outside the EEA perimeter, placing this in the EEA-adjacent rather than EEA-native band.
Infomaniak Network SA is incorporated in Geneva under Swiss law with no US parent, no US investor base, and explicit zero CLOUD Act / FISA 702 exposure; the sole residual hook is adequacy-decision reliance for EU transfers rather than SCCs, which is a mechanism risk rather than a direct legal-access risk.
Infomaniak explicitly commits that API queries are neither recorded nor used for training, and the Euria ephemeral mode stores nothing server-side; a minor ambiguity remains around the retention period for API-tier access logs and billing metadata.
Risk assessment
Switzerland is not an EEA member state. While the European Commission has granted Switzerland an adequacy decision under GDPR (and Switzerland's revDSG aligns with GDPR), EU regulated customers in sectors such as healthcare or finance must verify that their internal data-transfer policies accept the adequacy-decision mechanism rather than requiring SCCs or EEA-only hosting. The operator does not offer an EU-region alternative to its Swiss-only infrastructure. source ↗
DATA_RESIDENCYInfomaniak states that AI inference runs with 'no dependence on foreign players' and that all processing and hosting takes place exclusively in Infomaniak's own Swiss data centres with no external service providers. However, a granular, named sub-processor list specific to the AI serving pipeline (analogous to what AWS or Azure publish) is not publicly accessible on the provider's website. This limits customer ability to independently audit the downstream processing chain. source ↗
SUBPROCESSINGThe status page history for the last 60 days shows several resolved incidents, including a 2-day VPS network disruption (06/05/2026), a 3-day FTP/SSH outage for shared Node.js hosting (04/05/2026), a 10-day intermittent VPS network instability (17/04/2026), and multiple 1-hour general service availability events. These incidents are on shared hosting and VPS tiers rather than AI-specific GPU infrastructure, but they indicate the platform is not immune to multi-day incidents.
Safeguards
AI inference runs end-to-end in Infomaniak's own data centres in Geneva, Switzerland, on owned hardware (NVIDIA L4, A100, H100 GPUs). No foreign hyperscaler dependency. Prompts and data do not leave Switzerland. source ↗
Infomaniak designs, builds, and fully manages its own data-centre infrastructure, eliminating third-party cloud sub-processing of compute. All staff are based in Geneva and Winterthur. source ↗
Explicit no-training, no-logging commitment for AI API queries: 'Your queries are neither recorded nor used to train models or improve our services.' Consistent across AI Services and Euria product lines. source ↗
Ephemeral mode on Euria ensures exchanges are never stored and cannot be retrieved even by Infomaniak — strongest available retention posture for sensitive use cases. source ↗
A published Data Processing Agreement (DPA) is available covering GDPR and Swiss FADP obligations, establishing Infomaniak as a data processor for customer data. SCCs are not required for CH transfers given the EU adequacy decision but the DPA covers the contractual processor relationship.
Privacy-policy issues
Sub-processor list not publicly named for AI pipeline. source ↗
While Infomaniak states all AI processing is performed in-house with no external service providers, no named, dated sub-processor list specific to the AI serving pipeline is publicly accessible, which limits contractual audit rights for enterprise DPA compliance.
API-tier metadata/log retention period not specified. source ↗
The public AI service documentation clearly states prompts are not recorded, but the retention period for API access logs, billing metadata, and error logs at the serving boundary is not explicitly stated in the published privacy policy or DPA.
Switzerland adequacy decision reliance (not EEA-native). source ↗
EU customers processing personal data via the API rely on the EU-Switzerland adequacy decision rather than SCCs; while the adequacy decision is currently in force, regulated-sector customers (banking, health) should document this transfer mechanism explicitly in their own GDPR records.
Certifications & legal documents
ISO/IEC 27001:2022 is held and sourced, data centres feature biometric access control, end-to-end encryption, and n+1 redundancy; the absence of SOC 2 Type II and a public bug-bounty / vulnerability-disclosure programme are minor gaps relative to top-tier postures.
A published DPA covering GDPR and Swiss FADP is available without requiring enterprise negotiation, and the adequacy decision covers the transfer mechanism; however, no named AI-pipeline sub-processor list is publicly disclosed and audit-rights specifics are not fully detailed in the public DPA.
Infomaniak is majority employee-owned with no US parent company or investor with CLOUD Act reach. However, as an SME-scale operator (staff based in Geneva and Winterthur), its financial depth and legal/compliance resource base is smaller than hyperscale providers. PCI-DSS certification is planned but not yet held, limiting suitability for payment-card data workloads. source ↗
GOVERNANCEInfomaniak publicly states queries are 'neither recorded nor used to train models or improve services.' The consumer Euria product offers an ephemeral mode where exchanges are never stored and leave no trace on servers. However, the precise technical retention period for API-tier metadata (e.g., access logs, billing counters) is not specified in the public-facing AI service documentation, which represents a minor ambiguity. source ↗
SERVING_RETENTIONGeneral Terms and Conditions and a Confidentiality Policy are published in English. Full FADP and GDPR dual-compliance is explicitly claimed and the provider is incorporated in Geneva under Swiss law. source ↗
ISO/IEC 27001:2022 (Information Security Management), ISO 9001:2015 (Quality), ISO 14001:2015 (Environmental), and ISO 50001:2018 (Energy) all held. Data centres are described as ISO 27001 certified with n+1 redundancy. source ↗
B Corp™ certification obtained in 2025, attesting to high social/environmental impact standards, governance, and transparency commitments. source ↗
Biometric (finger-vein) access control and surveillance cameras at data-centre facilities. All communications encrypted at all stages. Data centres feature n+1 power, cooling, generators, and UPS redundancy. source ↗
Network infrastructure uses 100G interconnections with Tier-1 transit providers (Swisscom, Level3, Arelion, Cogent) and peering at Swiss IXPs (SwissIX, CIXP), providing resilient, diverse connectivity. source ↗
SLA up to 99.99% monthly for cloud compute and Public Cloud instances/load balancers; Very High Availability cluster option guarantees 99.99% across multiple Geneva data centres. Public status page is transparent and operational. source ↗
Provider explicitly markets zero CLOUD Act / FISA 702 exposure: incorporated in Switzerland, no US parent company, no US investor base, no foreign cloud dependency for AI serving. This is directly contrasted with US providers in official marketing. source ↗
AI services are built exclusively on open-source models (Llama 3, Mixtral, Mistral, Whisper, SDXL/Flux), providing auditability of the model layer. Infomaniak publishes model details and token pricing documentation. source ↗