Summary
- CONVOTIS Swiss Cloud AG is not a newly formed vehicle created to fit a marketable name. Public company records connect it to a Zurich company registered in 2000, while the company says aspectra AG adopted the present name in March 2025.
- The strongest independent operating clue is AS9100. RIPE records connect the network organisation to the same Swiss company number and Zurich address, and a July 2026 RIPEstat snapshot showed 29 announced IPv4 and IPv6 prefixes.
- The public record demonstrates a credible hosting and managed-service footprint, but it does not by itself establish a customer's uptime, recovery objective, incident response or data-location commitment. Those assurances still belong in a named contract with a clearly identified operating entity.
The name is the start of the inquiry, not its conclusion
Cloud procurement is unusually vulnerable to reassuring nouns. "Swiss" can imply local control, "cloud" can imply scale, and a group brand can imply access to a deep bench. None of those implications is worthless. None is a substitute for identifying the company that signs, operates, answers and carries liability when a service fails.
CONVOTIS Swiss Cloud AG is a good case study because its public record contains more substance than the name alone, but also enough seams between company, group and network history to reward careful reading. The present name is recent. In a March 2025 rebranding announcement, CONVOTIS said that aspectra AG would operate as CONVOTIS Swiss Cloud AG from March 24, 2025. It described the change as the final step in aspectra's integration into the CONVOTIS Switzerland Group while preserving the company's legal independence.
That distinction matters. A rename can preserve contracts, staff, systems and accreditations when the underlying legal person remains the same. A group integration can broaden sales and technical capacity. But "part of CONVOTIS" and "CONVOTIS Swiss Cloud AG" are not interchangeable answers to a liability question. Buyers should be able to identify which entity provides the service, which entity employs the operators, which entity controls the infrastructure, and whether any group company guarantees the obligation.
The public identity trail is unusually coherent on its basic coordinates. The CONVOTIS legal notice lists CONVOTIS Swiss Cloud AG at Weberstrasse 4, 8004 Zurich, with Swiss business identifier CHE-105.612.642. It lists the company separately from CONVOTIS Schweiz AG and other members of the group. Moneyhouse's company page, drawing on Swiss commercial-register notices, reports an active stock corporation with register number CH-020.3.023.486-0, an original registration date of July 26, 2000, and an activity classification covering data processing and hosting services. It recorded a latest register notification on April 8, 2026.
Those records support continuity of legal identity. They do not show that every service described on a group website is delivered by this company. That narrower attribution has to be proved service by service.
The old network name is evidence of continuity
The most informative public technical record is AS9100, an Autonomous System number used to announce routes on the internet. The record still carries the AS name "Aspectra". At first glance, a legacy network label beneath a new company name might look like neglected housekeeping. Here it is more useful as a historical marker.
The RIPEstat WHOIS response for AS9100 says the number was created on July 3, 2002, identifies the location as Zurich, and points to organisation handle ORG-AA918-RIPE. Its routing policy names connections involving AS6772, AS174 and AS6939. The underlying RIPE organisation record supplies the current bridge: the organisation name is CONVOTIS Swiss Cloud AG, its registration number is CHE-105.612.642, and its address is Weberstrasse 4 in Zurich. The same record classifies the organisation as a Local Internet Registry and provides an abuse-contact handle.
This is stronger evidence than a logo on a product page. The legal identifier and address align with the company identity, while the old AS name aligns with the aspectra history disclosed in the rebranding announcement. Together, they indicate that the rebrand sits over an established network operation rather than an invented cloud label with no visible resource history.
The resource footprint is also observable. A RIPEstat announced-prefixes snapshot for AS9100, queried on July 15, 2026, returned 29 IPv4 and IPv6 route announcements observed over the preceding two weeks. They included IPv4 ranges such as 128.127.50.0/24, 185.27.184.0/24, 193.247.208.0/23 and 194.247.8.0/24, alongside several IPv6 routes under 2a02:e0c0.
This should be read precisely. Announced prefixes establish that AS9100 has a live, externally visible routing footprint. They do not establish who owns the servers behind every address, where every workload sits, how much capacity is available, whether a customer's service uses those ranges, or how resilient the path is. A route table is evidence of operation, not a substitute for an architecture diagram, asset schedule or availability report.
The distinction is particularly important for sovereignty claims. IP-registration country, route origin and data location can coincide, but they are not the same fact. A Swiss-registered network can carry traffic for workloads located elsewhere; a workload in a Swiss facility can depend on foreign software, support access or control planes. Location therefore has to be stated at the workload, backup, management and support layers, not inferred from the company name or an ASN.
Service pages describe a broad control surface
CONVOTIS's Swiss cloud-solutions page describes a portfolio spanning managed private and sovereign cloud, hybrid and multi-cloud environments, managed AWS and Azure, OpenShift clusters, development environments, automation and orchestration, managed Kubernetes, cost optimisation and cloud workplaces. That breadth is commercially plausible for a managed-service provider whose predecessor described itself as covering design, implementation, operations and support.
The more detailed sovereign and private cloud page makes the control model more concrete. It describes tenant-separated virtualisation, role-based and federated identity, monitoring of access and data flows, backup and recovery, change audit trails, encryption and key management, hybrid connections, and hosting in certified Swiss data centres. It also names Terraform, Bicep and Open Policy Agent in its governance approach.
These are useful disclosures because they expose the surfaces on which an assurance conversation can occur. A buyer can ask who controls the identity layer, whether the customer's administrators can inspect the audit trail, where keys are generated and held, how policy changes are approved, and which recovery tests are evidenced. "Sovereign cloud" becomes more meaningful when decomposed into specific controls.
But the pages are portfolio descriptions, not a public service schedule. They do not, in the material reviewed here, publish a generally applicable uptime percentage, recovery time objective, recovery point objective, service-credit formula, incident-notification deadline or named list of facilities. Nor do they explain which claims apply specifically to CONVOTIS Swiss Cloud AG rather than the wider Swiss or international group. That is not proof that such commitments are absent from customer contracts. It means the public website should not be used as if it were the contract.
The March 2025 announcement adds another layer. It said aspectra employed about 60 professionals, had operated for 25 years, and held ISO 27001:2022 and ISAE 3000 certifications while complying with FINMA and PCI DSS requirements. These are relevant indicators, especially for regulated customers. In the frozen public evidence reviewed for this article, however, those statements appear in the company's own press release rather than in the certificates, audit reports or certification-body register entries themselves.
A diligent buyer should request the current certificate, scope statement, issuing body, covered sites, exclusions and expiry date. "Certified provider" is less informative than "this service, operated by this entity at these sites, falls inside this current certificate scope."
Customer stories provide proof of performance, with limits
Product catalogues show what a supplier wants to sell. Named customer accounts show what it says it has done. CONVOTIS publishes several accounts that move the evidence beyond generic cloud language.
Its Health Info Net case study says that HIN's platform was migrated over six months into georedundant Swiss data centres and moved to a private and sovereign cloud. It describes complete platform operation, 24-hour monitoring, a dedicated site manager and work on a service used for sensitive healthcare communication. The page includes a named comment from HIN chief information officer Lucas Schult about availability, stability and the handling of problems.
The Ascory Bank account describes a wider outsourcing mandate covering workplace, network and server infrastructure, security, continuous monitoring and three-level 24-hour support. It is relevant because it identifies the operating mechanism, not merely a migration destination: an IT Operations Center, escalation levels, monitoring and support responsibilities.
Both pages are supplier-published marketing materials, so they should be treated as attributed service evidence rather than independent performance audits. Their value lies in specificity: named customers, described workloads and operating responsibilities. Their limitation is attribution. The pages use the CONVOTIS brand, but do not visibly identify CONVOTIS Swiss Cloud AG as the contracting entity for each case. They also do not publish incident histories, measured availability or customer-verifiable recovery results.
For a buyer, the next question is straightforward: which parts of these operating models are standard, which are optional, and which can be written into the proposed service schedule? If 24-hour monitoring and a dedicated site manager matter, they should appear as priced obligations with escalation contacts and response targets, not remain borrowed credibility from another customer's story.
Public support is reachable, but contract support needs definition
Accountability begins with the ability to reach someone. The public CONVOTIS support page provides a Swiss telephone number, [email protected] and remote-support downloads. It publishes ordinary service-desk hours of 08:00 to 12:00 and 13:30 to 17:30, Monday to Friday. It also says that most issues can be handled remotely and that on-site support is available across German-speaking Switzerland.
That is a useful baseline: there is a visible published contact points and stated labour window. It also exposes a distinction that cloud buyers should not overlook. The public service desk is not presented as a universal 24-hour incident channel, while customer stories describe round-the-clock monitoring or support for particular engagements. The reasonable inference is that service coverage varies by contract. It would be unsafe to infer 24-hour response for every cloud customer from a case study, just as it would be unsafe to infer that a contracted critical-service desk closes at the hours shown on the general support page.
Support accountability needs four names in writing: the legal provider, the service owner, the incident contact and the escalation authority. It also needs clocks. What starts the response timer? Does an automated alert count, or only a customer ticket? Which severity definitions apply? Is on-call labour in Switzerland, elsewhere in the group, or subcontracted? Who may access production data during an incident? When must the customer be told about a suspected breach? The public record makes these questions possible; it does not answer them for a specific service.
What the evidence supports, and what it does not
The public evidence supports a credible operating proposition. CONVOTIS Swiss Cloud AG has an identifiable Swiss legal form, address and business number. Its history reaches back through aspectra rather than beginning with the 2025 name. The company is tied in RIPE records to a long-lived ASN and current route announcements. The wider CONVOTIS site presents technically specific managed-cloud controls, reachable support and named examples of regulated or sensitive operations.
The evidence does not justify treating the three words in the company name as a blanket warranty. "CONVOTIS" does not define which group company owes the service. "Swiss" does not specify every location, administrator or legal dependency. "Cloud" does not state availability, recovery or incident obligations. Those are contract and architecture facts.
Before relying on the name as operating assurance, a customer should ask for a short, joined-up evidence pack:
- The full legal name and business identifier of the contracting provider, plus any operating subcontractors and group guarantees.
- A service architecture showing production, backup, disaster-recovery, management and logging locations, with the network resources actually used by the customer.
- Current certificates and audit reports with scope, sites and legal entities clearly identified.
- Measured availability and recovery-test evidence for the proposed platform, not only portfolio-level claims.
- A support schedule that defines hours, severity levels, response and restoration targets, escalation owners, incident notification and service credits.
- The division of control over identity, encryption keys, administrative access, change approval, monitoring data and exit procedures.
CONVOTIS Swiss Cloud AG's public record clears an important first hurdle: there is visible continuity and operating infrastructure behind the new name. The next hurdle is deliberately less glamorous. A buyer must connect the legal company, the routed network, the stated controls and the people who answer incidents to the exact service being purchased. That connection, rather than the brand alone, is where assurance begins.

