build 3.0.0 · aes-256-gcm / post-quantum · eu/de · ram only
jurisdiction

Where your files live is
who can read them.

Encryption is only half of data sovereignty. The other half is who owns the company, where the infrastructure sits, and which courts can compel disclosure. Paramant is built for the second half too.

01

The problem with encrypted tools that have US owners.

CLOUD Act
FISA 702

The United States CLOUD Act, passed in 2018, allows US authorities to compel US-based companies to hand over data regardless of where that data is physically stored. It applies to any company incorporated in the US, or owned by a US parent company.

FISA Section 702 authorizes US intelligence agencies to collect communications of non-US persons outside the US without a warrant, when that data flows through US-controlled infrastructure or companies.

Both apply to subsidiaries. If a European company is acquired by a US parent, CLOUD Act and FISA 702 begin to apply to the acquired company's data handling practices, even if servers stay in Europe.

what changed in 2025

Zivver, a Dutch secure email and file transfer provider, was acquired by Kiteworks (San Mateo, California) in June 2025. Kiteworks is a US company with $610M in growth capital raised, primarily from US investors Insight Partners and Sixth Street.

Sources: Kiteworks press release June 18 2025; PitchBook company profile

02

Paramant's ownership, top to bottom.

100% NL
no US exposure
Layer Location Jurisdiction
Company registration Harderwijk, Netherlands Dutch law, EU jurisdiction
Ownership 100% founder-owned No US subsidiaries, no US parent
Funding source Self-funded, no VC No US investor influence
Server infrastructure Hetzner Nuremberg, Germany German law, EU jurisdiction
Data location RAM only, destroyed on first read Nothing persistent to subpoena
Encryption keys Client-side only, never on server Architecturally unreadable
Source code BUSL-1.1, source available Auditable by any third party
03

Jurisdictional exposure by provider.

as of April 2026
publicly verifiable

Comparing public ownership structures and infrastructure locations for major encrypted file transfer providers:

Provider Company jurisdiction Owner CLOUD Act exposure
Paramant Netherlands Founder-owned, NL None
Zivver Netherlands (HQ) Kiteworks, San Mateo CA (since June 2025) Yes, via parent
WeTransfer Netherlands Bending Spoons, Italy (since 2024) None via ownership
Tresorit Switzerland + Hungary Swiss Post (state-owned, CH) None
Proton Switzerland Proton AG, Swiss Federation None
Dropbox, Box, Google Drive United States US public companies Full CLOUD Act

Sources: company press releases, SEC filings (US public), PitchBook company profiles, Swiss Post corporate communications. Ownership structures verified April 2026.

04

When jurisdiction matters in practice.

concrete scenarios
not hypotheticals

Dutch healthcare and NEN 7510

NEN 7510 requires healthcare providers to demonstrate that patient data cannot be accessed by non-authorized parties. A file transfer provider owned by a US parent creates a disclosure obligation under CLOUD Act that is in tension with NEN 7510's strict access requirements. EU-owned, EU-infrastructure providers have no such tension.

Legal practice and attorney-client privilege

Dutch and German legal codes protect attorney-client privilege against disclosure. A US parent company can be compelled to produce even privileged data under CLOUD Act without notification. Jurisdiction matters not just for compliance but for professional obligations.

Government and critical infrastructure under NIS2

Article 21 of NIS2 (EU 2022/2555) requires supply chain security for essential and important entities. Infrastructure providers whose ownership changes jurisdiction mid-contract become supply chain risks. Jurisdictional stability is itself a NIS2 compliance requirement.

R&D, intellectual property, and trade secrets

For companies working on pre-patent research or confidential commercial negotiations, foreign government access to transfer metadata can reveal strategic intent. The US has a documented history of economic intelligence collection.

Accountancy, audit files and tax data

Audit working papers and tax files combine financial detail with personal data, and Dutch professional rules oblige accountants to keep them under control for years. Sending a year-end file through a provider with a US parent creates a disclosure path that the client never agreed to in the engagement letter. Under Paramant the file burns after one read and the working papers never persist anywhere outside the firm.

Journalism and source protection

Dutch law protects journalistic sources, but that protection stops at the border of a foreign subpoena served on a provider's parent company. Even when content is encrypted, transfer metadata (who sent something to a newsroom, and when) can identify a source. A relay that stores nothing and is subject only to Dutch law removes both the content and the metadata trail.

Municipalities, schools and Schrems II paperwork

Every Dutch municipality and school board that uses a US-owned transfer tool has to paper over the transfer risk with SCCs, transfer impact assessments and DPIA appendices, and defend that stack at every audit. An EU-owned, EU-hosted provider with client-side encryption removes the transfer question instead of documenting around it: there is no third-country transfer to assess.

M&A, notaries and price-sensitive information

Deal documents, cap tables and draft agreements are price-sensitive by definition, and leak damage is irreversible. Data rooms leave long-lived copies on third-party infrastructure. A burn-on-read transfer with a signed, offline-verifiable receipt gives both sides proof of delivery while guaranteeing that no copy outlives the transaction.

HR, works councils and employee files

Sick-leave correspondence, performance files and works-council documents are sensitive personal data under the GDPR with strict access limits. Routing them through a provider that can be compelled by a foreign authority sits badly with both the works council and the regulator. Client-side encryption plus EU-only jurisdiction keeps the employer in control of exactly who can ever read them.

the principle

If your file transfer provider can be legally compelled to disclose data, the strength of their encryption is not the constraint. Their legal structure is.

05

What Paramant does differently.

architecture
and ownership

Paramant's answer to jurisdictional risk is two-layered: cryptographic architecture that makes disclosure technically useless, combined with ownership structure that makes disclosure legally inapplicable.

Cryptographic layer

If Paramant receives a legal demand for user data, the technical answer is: there is no persistent data to hand over. The ciphertext that existed during transit has been destroyed. The keys never existed on our servers.

Ownership layer

If US authorities want data that happened to pass through Paramant, they would need to engage a Dutch court via mutual legal assistance treaty, which requires Dutch law compliance for the request itself.

06

Infrastructure dependencies: current state and roadmap.

honest about
the gaps

Paramant's core application infrastructure is EU-based and EU-owned:

Three dependencies currently sit outside this boundary, at the email, DNS, and CDN layers:

Transactional email: Resend (US, under SCC / Data Privacy Framework)

Outbound transactional email (account verification, signing invites, billing notices) is sent through Resend. Resend is operated by Plus Five Five, Inc., a US company based in San Francisco; its data processing addendum states that its primary processing takes place in the United States, governed by Standard Contractual Clauses and the EU-US Data Privacy Framework rather than EU data residency. It is therefore subject to US jurisdiction, including the CLOUD Act.

The practical impact is bounded: Resend receives only the recipient email address and the message we send (a verification link, an invite, or a billing notice). It never receives file contents, encryption keys, account passwords, or relay metadata. It is never used for marketing. This dependency is the same as disclosed in the privacy policy; an EU-resident email provider is on the roadmap.

DNS: Bunny.net (EU) — Cloudflare removed

paramant.app uses Bunny.net for DNS, a Slovenian company (EU jurisdiction, GDPR-native, not subject to the US CLOUD Act or FISA 702). The earlier dependency on Cloudflare (a US company) has been removed: the authoritative nameservers are now Bunny’s (kiki/coco.bunny.net).

There is no third-party CDN or reverse proxy in front of the site. TLS terminates directly on our own edge (Caddy) on Hetzner infrastructure in Germany, with post-quantum key exchange; your connection reaches our server and nowhere else. DNS resolution is handled by Bunny in the EU. No US provider sits in the request or resolution path.

The migration history, including rollback procedures, is documented in the repository (docs/migration-bunny.md).

why we document this

Claiming full EU sovereignty while running DNS on a US company is a contradiction. This section exists because transparency about current limitations is more useful than aspirational claims. The gap is bounded, the mitigation is architectural, and the migration is planned. That is an honest position.

This section was added following community feedback (GitHub Issue #20, raised by Stensel8).

07

The bet Paramant is making.

for the
long term

Data sovereignty will matter more over time, not less. Quantum computing will eventually break today's classical encryption. Geopolitical tension will make jurisdiction a more important question. Regulatory frameworks will tighten around supply chain accountability.

Paramant is built to still make sense in five and ten years. That means post-quantum cryptography today, EU jurisdiction permanently, and architecture that makes jurisdictional questions mostly moot because there is simply no data to ask about.

Open your dashboard Technical details Self-host on GitHub