build 2.4.5 · aes-256-gcm / ml-kem-768 · eu/de · ram only
ENTERPRISE · M&A · DATA SOVEREIGNTY

M&A due diligence, EU-sovereign.

Mergers and acquisitions generate thousands of sensitive documents: board minutes, IP registers, employment contracts. Your deal room cannot be a US-hosted SaaS subject to CLOUD Act production orders.

The problem

US-hosted deal rooms and the CLOUD Act.

The leading deal room platforms — Intralinks, Datasite, Merrill DatasiteOne, Firmex — are US entities. Under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018), US cloud providers must comply with US law enforcement production orders for data stored on their infrastructure, regardless of where the data physically resides. They are not required to notify the data subject.

For EU-to-EU M&A transactions, or any deal involving EU-regulated entities in banking, insurance, or healthcare, this creates a structural sovereignty gap. A bidder's advisors or a regulator gaining access to your board minutes, valuation models, or employee contracts through a US SaaS operator is not a hypothetical scenario. It is a risk that EU M&A advisors are increasingly being asked to address in legal opinions.

What Paramant adds

EU/DE hosting with no US corporate chain.

Paramant runs on Hetzner DE. The operating company is incorporated in the Netherlands. There is no US entity in the corporate chain that could receive a CLOUD Act order. Documents are encrypted with ML-KEM-768 + AES-256-GCM end-to-end. The relay holds only ciphertext and cannot read the documents it carries. Burn-on-read delivery for the most sensitive exchanges means the relay's copy is wiped after the recipient's first download.

ML-DSA-65 signed receipts confirm delivery for both sides of the transaction. The CLI allows bulk operations when document volumes are high. A pre-signed GDPR DPA is available for teams that need it.

Workflow

Document delivery for a deal room.

01
Deal team packages the document set (VDR export, dataroom zip, or individual files)
02
Upload via ParaShare web or CLI; documents encrypted before leaving the sender's machine
03
One-time links distributed to the other side's legal team or advisors
04
After download, documents are wiped from relay RAM — no persistent copy on the infrastructure
05
Signed receipts archived with deal documentation; both parties hold cryptographic proof of delivery
Sovereignty

Why EU hosting matters in M&A.

EU GDPR and the proposed EU Data Act require that personal data of EU nationals be processed under EU law. Board minutes from an EU company may contain personal data. Employment contract annexes do by definition. The moment those documents enter a US-hosted system, they are subject to a legal framework that EU data protection authorities consider inadequate for sensitive commercial transactions.

See also: full jurisdiction analysis and Data Processing Agreement.

Running a deal room with compliance requirements?

Enterprise plan includes dedicated support, custom DPA, and CLI for bulk operations. Contact us to discuss your deal room requirements.

Create free account → Contact for Enterprise →

ML-KEM-768 · EU/DE · No CLOUD Act · GDPR