CDN Sovereignty: What Your CDN Provider Can See
A CDN sees everything. Every HTTP request, every cached asset, every user's IP address and browsing pattern flows through the CDN layer. Organizations spend months evaluating cloud sovereignty for databases and applications, then route all their traffic through a US CDN without a second thought.
When you use Cloudflare, Akamai, AWS CloudFront, or Azure CDN, all that traffic data sits on US-controlled infrastructure, governed by US law, and accessible under the CLOUD Act without Swiss judicial process.
What a CDN operator can see
Consider the data your CDN processes:
- All traffic patterns — which users access what content, when, and how often
- TLS termination — the CDN decrypts and re-encrypts HTTPS traffic, seeing plaintext content
- Cached content — copies of your data stored on infrastructure you don't control
- API traffic — if your API sits behind the CDN, request and response bodies are visible
- WAF/DDoS data — security rules and attack patterns reveal details of your infrastructure
VSHN provides vendor-neutral CDN consulting from Switzerland. We help you evaluate CDN providers on sovereignty criteria, design architectures that meet data residency requirements, and configure geo-restrictions for Swiss compliance.
CDN sovereignty factors to evaluate
| Factor | What to ask | Why it matters |
|---|---|---|
| Company ownership | Who owns the CDN provider? US parent? | Determines CLOUD Act exposure |
| Edge node locations | Swiss PoPs available? Can you restrict to Swiss/EU nodes? | Data residency for cached content |
| TLS termination | Where is HTTPS decrypted? Can you bring your own keys? | Plaintext content visibility |
| Log storage | Where are access logs stored? Can you control retention? | Traffic metadata sovereignty |
| WAF/DDoS rules | Who can see your security configuration? | Infrastructure intelligence |
| Contract law | Which jurisdiction governs the contract? | Legal recourse and compliance |
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act exposure, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a CDN sovereignty assessment
Routing traffic through a US CDN? We evaluate your current CDN setup against sovereignty criteria and recommend architectures that meet your data residency and compliance requirements — vendor-neutral, from Switzerland.