Yes, the cloud service provider is only entitled to process the data in the same matter as the entity outsourcing the data processing (Article 10a of the Federal Act on Data Protection ("FADP") and Article 9 of the Revised Federal Act on Data Protection ("revFADP")). The cloud service provider must ensure appropriate data security (Article 7 of the FADP and Article 8 of the revFADP). Personal data must generally not be transferred or made available in jurisdictions that do not provide for an appropriate level of data protection from a Swiss law perspective without sufficient safeguards being put in place (Article 6 of the FADP and Articles 16 and 17 of the revFADP).