Compliance & Standards for Swiss Websites

Aiara Privacy Suite was built from the ground up for maximum legal compliance in Switzerland. All details on FADP 2023, GDPR, FDPIC guidelines V1.1, Google Consent Mode V2 and TCF v2.3.

Overview

What makes Aiara compliance-ready?

Aiara is a cookie consent solution specifically developed for Switzerland that simultaneously meets the requirements of the Swiss Data Protection Act (nDSG) and the EU General Data Protection Regulation (GDPR). The platform implements the Layered Approach of the Federal Data Protection and Information Commissioner (FDPIC), fully supports Google Consent Mode v2, and is technically prepared for IAB TCF v2.3 certification.

All cookies are automatically detected and categorized by a Playwright-based scanner. Consents are archived with IP hashing (SHA-256) — audit-proof and GDPR-compliant. The domain locking system protects your configuration on three independent layers.

Switzerland

FADP Compliance

Compliance with the Swiss Federal Act on Data Protection (nFADP 2023)

The revised Swiss Data Protection Act (nDSG), in force since September 2023, sets higher requirements for consent, transparency and data subject rights. Aiara fully implements these requirements:

  • Consent before any data processing — no cookie is set before approval
  • Transparent information about all cookies and third-party services used
  • Revocable consent at any time — revocation as easy as giving consent
  • IP hashing (SHA-256) for consent archiving — no plain-text IP
  • Privacy policy automatically generated per FADP requirements
  • Imprint automatically created per Swiss law

EU

GDPR Compliance

EU General Data Protection Regulation — full implementation

The GDPR applies to all companies processing personal data of EU citizens — regardless of the company's location. Aiara implements all relevant articles:

  • Art. 6/7 GDPR: Consent as legal basis — voluntary, specific, informed, unambiguous
  • Art. 13/14 GDPR: Information obligation fully met through multilingual privacy policy
  • Art. 7(3) GDPR: Withdrawal of consent possible at any time, cookie preferences always changeable
  • Art. 25 GDPR: Privacy by Design — minimal data collection, IP hashing, no sharing
  • Art. 30 GDPR: Records of processing supported by automatic cookie documentation
  • Consent proof exportable for supervisory authorities at any time

FDPIC

FDPIC Layered Approach

Multi-layered information approach according to FDPIC Guide V1.1 (October 2025)

The Federal Data Protection and Information Commissioner recommends a three-level approach to cookie information. Aiara fully implements this Layered Approach:

1. First Layer — Summary in Banner

The cookie banner itself shows a clear, understandable summary: which cookie categories exist, what happens with consent/rejection, and how settings can be changed.

2. Second Layer — Detail View with Categories

In the extended settings dialog, users see all cookie categories with detailed descriptions, the purpose of processing and the option to enable or disable individual categories.

3. Third Layer — Complete Cookie List

Each cookie category can be expanded to show individual cookies with name, provider, purpose, retention period and category — complete and transparent.

Google

Google Consent Mode v2

Technical integration with Google services — fully implemented

Google Consent Mode v2 has been mandatory since March 2024 for all websites using Google advertising services. Aiara implements the complete integration:

  • Default Denied — all Google signals disabled by default before consent
  • Automatic gtag("consent", "update") on consent or rejection
  • Compatible with Google Analytics 4 (GA4) and conversion tracking
  • Compatible with Google Ads and Smart Bidding
  • Google Tag Manager integration — consent status forwarded to GTM
  • Both consent signal types: analytics_storage and ad_storage fully implemented
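
The default-denied and update flow listed above, as an added example that is not Aiara's own code. The banner category names (`analytics`, `marketing`) and the helper names are assumptions; `ad_user_data` and `ad_personalization` are the two Consent Mode v2 signals that go beyond the two the list names.

```javascript
// Added example, not Aiara's code. Category names are assumptions.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Every signal starts at "denied"; only categories the visitor accepted flip
// their signals to "granted". Unknown category names are ignored (fail closed).
function buildConsentState(acceptedCategories) {
  const state = {};
  for (const signals of Object.values(SIGNALS_BY_CATEGORY)) {
    for (const signal of signals) state[signal] = 'denied';
  }
  for (const category of acceptedCategories) {
    const known = Object.prototype.hasOwnProperty.call(SIGNALS_BY_CATEGORY, category);
    if (!known) continue;
    for (const signal of SIGNALS_BY_CATEGORY[category]) state[signal] = 'granted';
  }
  return state;
}

function createConsentBridge(dataLayer) {
  // Same shape as the standard gtag stub: push the arguments object.
  function gtag() { dataLayer.push(arguments); }
  // Must run before any Google tag loads, so tags start in the denied state.
  gtag('consent', 'default', buildConsentState([]));
  return {
    // Called for accept, partial accept, rejection and later revocation.
    update(acceptedCategories) {
      gtag('consent', 'update', buildConsentState(acceptedCategories));
    },
  };
}

// Constructed run: visitor accepts analytics only, then revokes everything.
function demo() {
  const dataLayer = [];
  const bridge = createConsentBridge(dataLayer);
  bridge.update(['analytics']);
  bridge.update([]);
  return dataLayer.map((args) => Array.from(args));
}
```

Revocation goes through the same `update` call with an empty list, so the ad and analytics signals return to `denied` rather than staying at their last granted value.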

IAB

TCF v2.3 Readiness

Technically implemented — ready for IAB certification

The IAB Transparency and Consent Framework (TCF) v2.3 is the industry standard for programmatic advertising. Aiara has implemented all technical requirements:

  • __tcfapi() fully implemented — all methods and callbacks available
  • TC String Encoding — legally valid consent string per IAB specification
  • Global Vendor List (GVL) integration prepared
  • addEventListener for consent updates to iFrames and third parties
  • Ready for official IAB CMP registration once CMP ID is available

The official IAB certification requires a CMP ID from IAB. The technical prerequisites are fully met.


Scanner

Cookie Scanning

Automatic detection and classification with Playwright

Aiara automatically scans your website and detects all cookies — without manual effort. The scanning system is based on Playwright for full JavaScript support:

  • Automatic detection of all cookies with Playwright — full JavaScript support
  • Categorization against over 200 known cookies from the Aiara database
  • Detection of third-party services: Google, Meta, Microsoft, HubSpot and more
  • CMS detection: WordPress, Joomla, TYPO3, Shopify, Drupal automatically identified
  • Scan up to 300 pages per domain for complete coverage
  • Regular rescans when changes are made to the website

Audit Trail

Consent Archiving

Immutable audit trail for compliance verification

The GDPR and the nDSG require that you can prove when and how consent was given. Aiara archives all consents in an audit-proof manner:

  • Each consent is stored with timestamp, consent ID and chosen categories
  • IP hashing with SHA-256 — no plain-text IP stored, GDPR-compliant
  • Consent version linked with proof — changes to the banner create a new version
  • Exportable as CSV for audits and authority requests
  • Immutable — subsequent changes are technically impossible
  • Revocation is also archived with timestamp

Security

Data Security

Three-layer architecture for maximum security

Aiara protects your configuration and data on multiple independent security layers — from the network layer to the client script:

Layer 1 — Server: Domain Validation

The VerifyDomain middleware checks the Origin and Referer headers of every API request against the registered domain. Requests from unauthorized domains are rejected with HTTP 403.

Layer 2 — Network: CORS Validation

Dynamic Access-Control-Allow-Origin headers per domain — no wildcards. Each domain only gets access to its own configuration. Cross-domain access is technically impossible.

Layer 3 — Client: Script Token (UUID v4)

The banner script checks window.location.hostname against the configured domain. The script token (UUID v4) is unique per domain and cannot be transferred.
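
One way to implement the Layer 1 check and the Layer 2 per-domain CORS header together, as an added example that is not Aiara's VerifyDomain code. The token-to-domain registry, the function names, the https-only rule and the sample token and hostnames are assumptions.

```javascript
// Added example, not Aiara's VerifyDomain code. The registry, the token lookup
// and the https-only rule are assumptions made for illustration.
const REGISTERED_DOMAINS = new Map([
  // constructed sample: script token -> registered hostname
  ['3f2b8c1e-5a47-4d09-9c6e-1b7a2e4d8f10', 'shop.example.com'],
]);

// Parse an Origin or Referer value; null when missing, opaque or malformed.
function parseSource(value) {
  if (!value || value === 'null') return null;
  try {
    const url = new URL(value);
    if (url.protocol !== 'https:') return null;
    return { host: url.hostname.replace(/\.$/, ''), origin: url.origin };
  } catch {
    return null;
  }
}

function verifyDomain(token, headers) {
  const registered = REGISTERED_DOMAINS.get(token);
  // Prefer Origin; use Referer only when no Origin header was sent.
  const raw = headers.origin !== undefined ? headers.origin : headers.referer;
  const source = parseSource(raw);
  // Exact hostname match. Prefix, suffix or substring checks would accept
  // look-alike hosts such as shop.example.com.other.test.
  if (!registered || !source || source.host !== registered) {
    return { status: 403, headers: {} };
  }
  return {
    status: 200,
    headers: {
      // Echo the single validated origin, never "*".
      'Access-Control-Allow-Origin': source.origin,
      // Keeps shared caches from serving this response to another origin.
      Vary: 'Origin',
    },
  };
}
```

Origin and Referer are set by the browser, so this check constrains scripts running in other sites' pages; a non-browser client can send any header values it likes, which is why the page pairs it with rate limiting.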

Rate Limiting

All API endpoints are protected with rate limiting. The public scanner is limited to 3 requests per minute to prevent abuse.

Ready for legally compliant privacy solutions?

Start today with Aiara and benefit from complete FADP and GDPR compliance — without compromises.