As a Business customer, I performed a technical and legal audit of Proton AG’s current infrastructure. The results show a systemic disconnect between their "100% Swiss" marketing and their actual operational routing and legal framework.
1. The Technical Leak: Routing via AS13335 (Cloudflare)
A simple traceroute to mail.protonmail.ch reveals a critical interception at Hop 5.
- Node: cloudflare.belgiumix.net (185.1.127.13)
- Owner: Cloudflare, Inc. (US Entity)
- Jurisdiction: US CLOUD Act
By routing business traffic through US-owned CDNs before it even touches Swiss soil, Proton effectively places user metadata and transit traffic under the jurisdiction of the Patriot Act and CLOUD Act. The "Swiss Jurisdiction" promise is nullified the moment a packet hits a Cloudflare node.
2. The Legal Dol: Section 13 and the FAA
Proton’s Terms of Service (Section 13) explicitly mention the Federal Arbitration Act (FAA). How can a company sell "Swiss Privacy" while binding European Business users to US Federal Arbitration laws? This is a textbook case of contractual inconsistency. You cannot market immunity from US overreach while embedding US legal mechanisms in your core contract.
3. The Transparency Gap: 89%+ Compliance Rate
Proton’s own 2023-2025 transparency reports show they complied with over 24,000 legal orders.
- 2024: 94% compliance (10,368 orders honored).
- Mechanism: Swiss BÜPF (Art. 26) forces active collaboration.
The "No-Log" policy is a marketing layer that disappears the moment Europol pings the Swiss MPC. The recent French climate activist case and the Paris Court of Cassation ruling on IPTV filtering prove that Proton is now a de facto arm of EU/US law enforcement.
4. The Diversion: Justice Theater vs. Technical Sovereignty
Recently, Proton sued Apple over App Store fees. This is "Privacy Washing." While they fight Apple for 30% commissions, they fail to defend the technical sovereignty of their network routing. They prioritize "Justice Theater" over the basic engineering requirement of a private service: avoiding US-controlled transit nodes.
Conclusion: Contractual Nullity for Dol
For a Business user, this is not a matter of "refund policy," but a matter of Nullity for Dol (Art. 1116 Civil Code / Art. 28 Swiss CO). The consent was obtained through fraudulent claims regarding the real nature of the data routing and legal protection.
If you are a security professional, stop looking at the "CERN" labels and start looking at Hop 5. Proton has traded its Swiss bunker for a US-hosted storefront.
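The hop check from section 1 can be repeated on your own traceroute output. The script below is an added example, not part of the original post: it parses traceroute text and flags hops whose reverse-DNS name contains an operator keyword. The sample output is constructed; only hop 5 comes from the post, and the function names and keyword list are assumptions.

```python
import re

# Constructed traceroute output. Only hop 5 (hostname and address) is taken
# from the post; every other hop uses documentation addresses (RFC 5737).
SAMPLE = """\
traceroute to mail.protonmail.ch, 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  1.123 ms  1.045 ms  0.998 ms
 2  * * *
 3  core1.example.net (198.51.100.9)  4.310 ms  4.287 ms  4.402 ms
 4  203.0.113.17 (203.0.113.17)  6.870 ms  6.911 ms  6.795 ms
 5  cloudflare.belgiumix.net (185.1.127.13)  8.214 ms  8.190 ms  8.305 ms
"""

# "<hop>  <name-or-ip> (<ip>)  <rtt> ms ..." and "<hop>  * * *" lines.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([0-9a-fA-F.:]+)\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(text):
    """Return (hop_number, hostname, ip) tuples; unanswered hops get None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None, None))
    return hops


def flag_hops(hops, keywords):
    """Return hops whose reverse-DNS name contains one of the keywords.

    PTR names are set by the router's operator and may be missing, so a
    keyword match is a starting point for an ASN lookup, not proof of owner.
    """
    return [h for h in hops if h[1] and any(k in h[1] for k in keywords)]


if __name__ == "__main__":
    for hop, name, ip in flag_hops(parse_hops(SAMPLE), ["cloudflare"]):
        print(f"hop {hop}: {name} ({ip})")
```

Traceroute reports the forward path only, so run it from each network you care about and compare the flagged hops.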