Compliance and certifications
We value transparency. This page sets out how Genomic Vault fits into Swiss and international regulatory frameworks and shares our roadmap for exceeding the minimum requirements.
TLDR: Genomic Vault is designed as a secure custody and sharing platform for genomic data. Its regulation falls under the Federal Act on Data Protection (FADP). It is not a medical device under MedDO unless explicitly marketed as such. If positioned for medical use in the future, self-certification and registration would apply.
Legal definition
Under Swiss law, Genomic Vault stores patient data on behalf of customers and enables them to request sharing with third parties. Its primary role is custody and transfer of data, not diagnosis, monitoring, or treatment.
For this reason, Genomic Vault is not automatically considered a medical device under the Therapeutic Products Act (HMG) or the Medical Devices Ordinance (MedDO). Instead, it is regulated as a data custody and processing service under the Federal Act on Data Protection (FADP, 2023). [Ref: Fedlex FADP SR 235.1] [Ref: Fedlex HMG SR 812.21] [Ref: MedDO SR 812.213]
Genomic Vault is a custodian and processor of sensitive personal data, specifically health and genetic data, as defined in Art. 5 lit. c FADP. It provides infrastructure for storage and controlled third-party transfer, but is not itself a medical device under MedDO.
Legal requirements
FADP creates clear obligations for anyone processing sensitive personal data:
- Processing must have a lawful basis (consent or contract). [Note: lawful bases include overriding private or public interest where applicable under FADP, not only consent or contract] [Ref: FADP Arts. 6, 31]
- Data Processing Agreements (DPAs) must be in place with customers and partners when acting as processor. [Ref: FADP Art. 9]
- Technical and organisational measures such as encryption, access logging, and auditability must be applied. [Ref: FADP Art. 8]
- Records of processing activities must be maintained. [Ref: FADP Art. 12]
- Breach notification procedures must be established. [Ref: FADP Art. 24]
- Cross-border transfers require an adequacy decision or appropriate safeguards, or an applicable exception. Consent is one possible basis. [Ref: FADP Arts. 16–18]
By default, custody and transfer of patient data do not amount to a medical purpose. No MedDO certification or swissdamed entry is required unless we actively choose to market Genomic Vault as a medical device. [Ref: MedDO scope] [Ref: swissdamed]
Routes for registration
1. Non-device infrastructure (default)
- Regulatory framework: FADP in Switzerland, with GDPR applying if EU data subjects are served. [Ref: GDPR Art. 3 territorial scope]
- No MedDO self-certification required. [Under review with counsel if any sectoral rules apply in specific deployments]
- No swissdamed registration required. [Ref: swissdamed actor and UDI modules]
- Compliance demonstrated by DPAs, safeguards, and records of processing. A data protection officer is optional under FADP and may be required under GDPR in specific cases. [Ref: FADP Art. 10] [Ref: GDPR Arts. 37–39]
- Voluntary alignment with MDR and MedDO principles may be pursued as a quality signal. [Note: voluntary alignment is not equivalent to device conformity]
2. Medical device classification (if marketed with a medical purpose)
- Regulatory path in Switzerland shifts to MedDO for medical devices, or IvDO for in vitro diagnostic devices. In the EU it shifts to MDR or IVDR. [Ref: IvDO SR 812.219] [Ref: MDR 2017/745] [Ref: IVDR 2017/746]
- Classification depends on intended use and applicable classification rules for software. It is not necessarily Class I. [Ref: MDR Annex VIII rules incl. Rule 11]
- For devices requiring self-declaration, requirements include a Technical File, risk management per ISO 14971, and a Declaration of Conformity. [Note: specific annex references under Swiss MedDO and EU MDR] [Ref: ISO 14971] [Ref: MDR Annex II and III]
- swissdamed registration is required for actors and device entries. CHRN is assigned to economic operators, not to devices. Fees and process to be verified. [Note: “see current FOAG fee table”] [Ref: swissdamed CHRN guidance] [Ref: Swissmedic fees]
Voluntary self-certification
While Genomic Vault remains a non-device infrastructure, Switzerland Omics may pursue voluntary self-certification activities. This is not legally required but can demonstrate that the platform meets recognised quality and risk management standards.
Summary
- Default case: Genomic Vault is regulated under FADP as a data custody platform, not a medical device. Obligations relate to data protection, not device certification. [Ref: FADP overview on Fedlex]
- Medical device path: If positioned with a medical purpose, the applicable framework becomes MedDO or IvDO in Switzerland, MDR or IVDR in the EU. Classification depends on intended use and software rules. [Ref: MDR Rule 11]
- Middle ground: Voluntary certifications and documented alignment can be pursued as a confidence signal while retaining non-device status. [Ref: ISO 27001 series if applicable]
Our positioning aims to remain transparent and compliant, while allowing for future changes in intended use or market strategy.