Compliance & Legal Frameworks

Swiss ZertES

ZertES — formally the Bundesgesetz über Zertifizierungsdienste im Bereich der elektronischen Signatur (SR 943.03) — is the Swiss federal law that governs qualified and advanced electronic signatures. Under ZertES Art. 2, a qualified electronic signature issued by an accredited certification service provider carries the same legal effect as a handwritten signature. For organisations operating under Swiss law, this is the gold standard for document authenticity.

Swiss Trust Layer's signing infrastructure is powered by Swisscom Trust Services, one of Switzerland's three ZertES-accredited certificate authorities (alongside SwissSign and QuoVadis). This means every organisational seal issued through the platform is qualified at the highest level Swiss law recognises — no additional hardware token, no third-party certification, and no manual submission to a government office.

For Swiss businesses, intellectual property professionals, and legal practitioners, ZertES compliance is critical because it is the framework Swiss courts use when evaluating the authenticity of electronically signed or sealed documents. A ZertES-qualified seal reverses the burden of proof: the opposing party must demonstrate the seal is invalid, rather than the creator having to prove it is valid.

EU eIDAS

Regulation (EU) No 910/2014 — known as eIDAS — establishes the legal framework for electronic identification, authentication, and trust services across all 27 EU member states. Article 41 of eIDAS grants qualified electronic timestamps the legal presumption of the accuracy of the date and time they indicate and the integrity of the data to which they are bound. This presumption is enforced in every EU jurisdiction without further formality.

Because Swisscom Trust Services operates as a QTSP recognised under eIDAS, documents sealed via Swiss Trust Layer carry this EU legal presumption automatically. For companies doing business across EU borders — contracts, creative works, technical specifications, or IP disclosures — a Swiss Trust Layer seal is immediately admissible evidence without requiring separate notarisation or legalisation in the destination country.

The eIDAS framework is also the technical standard that underpins the EU's digital single market. As businesses increasingly submit documents to EU regulatory bodies, procurement portals, and cross-border courts, eIDAS compliance is shifting from a differentiator to a baseline requirement. Swiss Trust Layer satisfies this requirement by virtue of its QTSP chain, not through a market-presence registration.

UAE Pass

UAE Pass is the United Arab Emirates' national digital identity platform, operating under Federal Decree-Law No. 46 of 2021 on Electronic Transactions and Trust Services. The law grants electronic transactions authenticated through UAE Pass the same legal weight as equivalent paper-based transactions under UAE federal law, making UAE Pass-authenticated signatures court-admissible across Dubai, Abu Dhabi, and all other emirates.

Swiss Trust Layer integrates UAE Pass via OAuth, allowing UAE-domiciled users to authenticate with their national digital identity before sealing a document. This means the resulting seal is anchored to both the Swisscom cryptographic chain and the user's UAE legal identity — giving it dual jurisdiction standing that is relevant for businesses operating across the Switzerland-UAE corridor, GCC free zone companies, and ADGM-registered entities.

Berne Convention — 181 Countries

The Berne Convention for the Protection of Literary and Artistic Works is the primary international treaty governing copyright. With 181 member states as of 2025, it covers virtually every country with a functioning IP legal system. Under Article 5, copyright protection is automatic — no registration is required. Authors enjoy in every member country the same rights that the local law grants to its own nationals.

Switzerland and the UAE are both Berne signatories. A document sealed via Swiss Trust Layer in either jurisdiction therefore carries copyright protection recognised in all 181 member countries without any further registration, submission, or legalisation. This is the mechanism that makes the “180+ countries” claim accurate: the seal is Swiss or UAE-origin, and the Berne Convention does the rest.

Swiss Trust Layer stores all sealed documents and associated metadata in Microsoft Azure's Switzerland North region. Data never leaves Swiss or EU borders during normal operations. This architecture is designed to satisfy the requirements of two data protection regimes simultaneously.

The EU General Data Protection Regulation (GDPR) applies to any processing of personal data involving EU data subjects. By hosting in Switzerland — which the European Commission has recognised as providing an adequate level of data protection — Swiss Trust Layer avoids the complexity of Standard Contractual Clauses for core storage operations.

Switzerland's own Federal Act on Data Protection (nFADP), which entered into force on 1 September 2023, imposes obligations broadly equivalent to GDPR, including data minimisation, purpose limitation, and mandatory breach notification. Swiss Trust Layer's architecture — minimal personal data collection, encrypted storage, and audit-trail transparency — is designed with nFADP compliance as a default, not an afterthought.

Every signature issued through Swiss Trust Layer uses PAdES (PDF Advanced Electronic Signatures) or CMS (Cryptographic Message Syntax) grade signing, the formats specified in the eIDAS Implementing Decisions as the baseline for qualified electronic signatures on documents. These formats embed the cryptographic proof directly inside the document file, meaning the seal survives file format changes, email transmission, and printing — unlike metadata-only approaches.

Private keys used in the signing process are managed by Swisscom Trust Services and never exposed to Swiss Trust Layer's application layer. The signing workflow follows a Hardware Security Module (HSM) architecture, ensuring that key material meets the requirements of both ZertES and eIDAS for qualified signatures — specifically that the private key is generated and used within a certified secure signature creation device (SSCD).

Azure Key Vault is used for application-level secrets management. All inter-service communication within the Swiss Trust Layer Kubernetes cluster runs over encrypted channels. The platform undergoes continuous dependency auditing and follows a zero-trust network model for all microservice-to-microservice calls.