NGINX Sovereignty: Your Reverse Proxy Sees Everything
Your reverse proxy is the front door to every application. It terminates TLS, inspects headers, routes requests, and handles authentication tokens. Every HTTP request body, every cookie, every API key passes through it in plaintext after TLS termination. Sovereign traffic handling is not optional — it is the foundation of application-layer sovereignty.
Cloudflare (US), AWS CloudFront + ALB (Amazon, US), Azure Front Door (Microsoft, US), and Akamai (US) all process your traffic on US-owned infrastructure under US law. Even with European points of presence, the operating company is subject to the CLOUD Act — a US court order can compel access to traffic data, including decrypted request bodies, without Swiss judicial process.
NGINX is open source (BSD-2-Clause license). VSHN operates NGINX on Swiss infrastructure, keeping your traffic handling sovereign from edge to origin.
Why NGINX is a strong choice for sovereignty
NGINX powers over 30% of the world's web servers. Its open-source foundation provides:
- Full configuration transparency — every routing rule, header manipulation, and rate limit is defined in config files you own
- No traffic exfiltration — unlike CDN providers, NGINX does not route traffic through a vendor-owned global network
- BSD-2-Clause license — one of the most permissive open-source licenses, with no usage restrictions
- No vendor telemetry — NGINX does not phone home or share traffic metadata with third parties
- Portable configuration — move between any infrastructure provider without reconfiguration
F5 acquired NGINX Inc. in 2019, but the open-source NGINX project remains BSD-licensed and community-maintained. VSHN operates the open-source version, not F5's proprietary NGINX Plus.
NGINX sovereignty compared
| Dimension | Cloudflare (USA) | AWS CloudFront + ALB (USA) | Azure Front Door (USA) | Akamai (USA) | VSHN Managed NGINX |
|---|---|---|---|---|---|
| Ownership | Cloudflare (USA) | Amazon (USA) | Microsoft (USA) | Akamai (USA) | VSHN AG (Switzerland) |
| Governing law | US law | US law | US law | US law | Swiss law |
| CLOUD Act | Exposed | Exposed | Exposed | Exposed | Not exposed |
| Traffic inspection | Cloudflare terminates TLS globally | AWS terminates TLS | Microsoft terminates TLS | Akamai terminates TLS | TLS terminated on Swiss infrastructure only |
| Data path | Routes through US network backbone | AWS global edge | Microsoft global edge | Akamai global edge | Direct, Switzerland-only |
| Source code | Proprietary | Proprietary | Proprietary | Proprietary | Open source (BSD-2-Clause) |
| TLS termination | Cloudflare-controlled | AWS-controlled | Microsoft-controlled | Akamai-controlled | Customer-controlled |
| Operations team | USA | USA | USA | USA | Switzerland (Swiss-only option) |
The traffic visibility argument
When you use a US-operated CDN or load balancer, the operating entity can see:
- Every request and response — headers, cookies, POST bodies, API payloads in cleartext after TLS termination
- Authentication tokens — session cookies, JWTs, OAuth tokens flowing through the proxy
- Internal routing patterns — which backends exist, how traffic is distributed, what paths are active
- Client metadata — IP addresses, geolocation, device fingerprints, request frequency
This is not about data at rest in a database. This is live traffic — the real-time activity stream of every user interacting with your applications. Swiss law ensures this data stream stays under Swiss jurisdiction.
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a sovereignty assessment for your traffic infrastructure
Routing traffic through Cloudflare or AWS CloudFront? We assess your sovereignty profile against the EU framework and plan a migration to NGINX on Swiss infrastructure where TLS termination stays under Swiss law.