Trust · 01 Sovereignty posture · Q2 2026

Built in Switzerland.
Hosted in Switzerland.
Cleared in Switzerland.

The trust posture below is the page Armasuisse, FINMA, and federal procurement teams come to first. Each item is a stated commitment, traceable to a control, a contract clause, or a Swiss law. Items marked as roadmap are dated.

i. Swiss Data Sovereignty

Customer data never leaves Swiss jurisdiction. No CLOUD Act exposure. No FISA 702. No US-domiciled subprocessors. Where customer operations require it, deployments are entirely on customer premises with no outbound connectivity.

  • FADP / revDSG-native
  • No US subprocessors
  • On-prem option · default
  • Customer DPA on file
ii. Swiss Personnel

Founders, engineers, and Forward Deployed Engineers are Swiss citizens. Personensicherheitsprüfung (PSP) screening is conducted at the level the engagement requires — INTERN, VERTRAULICH, or GEHEIM. No subcontracting outside Switzerland.

  • PSP at engagement level
  • Swiss-citizen FDEs
  • No offshore engineering
  • Background re-screen · annual
iii. Swiss Hosting

Customer-managed on-prem, or Swiss-jurisdiction infrastructure. Never US hyperscalers for regulated workloads. Hosting partners are selected for Swiss legal domicile, Swiss operations, and Swiss-citizen access controls.

  • Infomaniak · Swiss-domiciled
  • Exoscale · Swiss-domiciled
  • Customer datacenter
  • Air-gapped on-prem
iv. Classification Handling

Native support for Swiss ISchV classifications. Markings propagate through the ontology — objects, properties, links, and actions all carry classification metadata. Purpose-based access controls enforce need-to-know.

  • INTERN · routine
  • VERTRAULICH · sensitive
  • GEHEIM · classified
  • Purpose-bound access
v. Certifications Roadmap

The path to formal certification is dated. Where a target is open, Ithildin states it is open. We do not claim certifications we do not hold.

  • ISO/IEC 27001 · target Q4 2026
  • IEC 62443 (OT) · target Q2 2027
  • FINMA Circular 2018/3 · aligned
  • SOC 2 Type II · commercial
vi. Air-gap Deployment

Ithildin runs inside fully disconnected Swiss bunkers. Updates are signed, packaged, and delivered over a one-way data diode by Ithildin Deploy. The bunker is never reachable from outside; the outside is never reachable from inside.

  • Ithildin Deploy · Hub (Outside · CH-cloud): Build, sign, and package release artefacts. Public-key distribution managed by customer.
  • One-way · Data diode
  • Customer · Bunker (Inside · no egress): Air-gapped Ithildin instance. Verifies signatures, applies releases, never speaks back.
vii. Audit & Provenance

Every read, every write, every model invocation is logged immutably. Audit trails support customer compliance reviews, Federal Audit Office inquiries, and internal investigations without engineering intervention.

  • Append-only audit log
  • Per-object lineage
  • Per-action attribution
  • Tamper-evident chain
viii. Supply Chain

Software bill of materials published per release. No banned foreign components. No firmware from sanctioned jurisdictions. Customer-controlled signing keys for deployments.

  • SBOM · per release
  • Sanctions screening
  • Customer-controlled keys
  • No third-party telemetry

Note · Ithildin uses no third-party cookies, no third-party analytics, and no embedded third-party trackers. There is no consent banner because there is nothing to consent to.

Procurement-ready answers to the questions you have not yet asked.

We can produce a full DPA, threat model, and ISchV mapping within two working days. Briefings on request.