build 3.0.0 · aes-256-gcm / post-quantum · eu/de · ram only
jurisdiction

Where your files live is who can read them.

Encryption is only half of data sovereignty. The other half is who owns the company, where the infrastructure sits, and which courts can compel disclosure. Paramant is built for the second half too.

01

The problem with encrypted tools that have US owners.

CLOUD Act
FISA 702

The United States CLOUD Act, passed in 2018, allows US authorities to compel US-based companies to hand over data regardless of where that data is physically stored. It applies to any company incorporated in the US, or owned by a US parent company.

FISA Section 702 authorizes US intelligence agencies to collect communications of non-US persons outside the US without a warrant, when that data flows through US-controlled infrastructure or companies.

Both apply to subsidiaries. If a European company is acquired by a US parent, the CLOUD Act and FISA 702 begin to apply to the acquired company's data handling practices, even if servers stay in Europe.

what changed in 2025

Zivver, a Dutch secure email and file transfer provider, was acquired by Kiteworks (San Mateo, California) in June 2025. Kiteworks is a US company with $610M in growth capital raised, primarily from US investors Insight Partners and Sixth Street.

Sources: Kiteworks press release June 18 2025; PitchBook company profile

02

Paramant's ownership, top to bottom.

100% NL
no US exposure
| Layer | Location | Jurisdiction |
|---|---|---|
| Company registration | Harderwijk, Netherlands | Dutch law, EU jurisdiction |
| Ownership | 100% founder-owned | No US subsidiaries, no US parent |
| Funding source | Self-funded, no VC | No US investor influence |
| Server infrastructure | Hetzner Nuremberg, Germany | German law, EU jurisdiction |
| Data location | RAM only, destroyed on first read | Nothing persistent to subpoena |
| Encryption keys | Client-side only, never on server | Architecturally unreadable |
| Source code | BUSL-1.1, source available | Auditable by any third party |

03

Jurisdictional exposure by provider.

as of April 2026
publicly verifiable

Comparing public ownership structures and infrastructure locations for major encrypted file transfer providers:

| Provider | Company jurisdiction | Owner | CLOUD Act exposure |
|---|---|---|---|
| Paramant | Netherlands | Founder-owned, NL | None |
| Zivver | Netherlands (HQ) | Kiteworks, San Mateo CA (since June 2025) | Yes, via parent |
| WeTransfer | Netherlands | Bending Spoons, Italy (since 2024) | None via ownership |
| Tresorit | Switzerland + Hungary | Swiss Post (state-owned, CH) | None |
| Proton | Switzerland | Proton AG, Swiss Federation | None |
| Dropbox, Box, Google Drive | United States | US public companies | Full CLOUD Act |

Sources: company press releases, SEC filings (US public), PitchBook company profiles, Swiss Post corporate communications. Ownership structures verified April 2026.

04

When jurisdiction matters in practice.

concrete scenarios
not hypotheticals

Dutch healthcare and NEN 7510

NEN 7510 requires healthcare providers to demonstrate that patient data cannot be accessed by non-authorized parties. A file transfer provider owned by a US parent creates a disclosure obligation under the CLOUD Act that is in tension with NEN 7510's strict access requirements. EU-owned, EU-infrastructure providers have no such tension.

Legal practice and attorney-client privilege

Dutch and German legal codes protect attorney-client privilege against disclosure. A US parent company can be compelled to produce even privileged data under the CLOUD Act without notification. Jurisdiction matters not just for compliance but for professional obligations.

Government and critical infrastructure under NIS2

Article 21 of NIS2 (EU 2022/2555) requires supply chain security for essential and important entities. Infrastructure providers whose ownership changes jurisdiction mid-contract become supply chain risks. Jurisdictional stability is itself a NIS2 compliance requirement.

R&D, intellectual property, and trade secrets

For companies working on pre-patent research or confidential commercial negotiations, foreign government access to transfer metadata can reveal strategic intent. The US has a documented history of economic intelligence collection.

the principle

If your file transfer provider can be legally compelled to disclose data, the strength of their encryption is not the constraint. Their legal structure is.

05

What Paramant does differently.

architecture and ownership

Paramant's answer to jurisdictional risk is two-layered: cryptographic architecture that makes disclosure technically useless, combined with ownership structure that makes disclosure legally inapplicable.

Cryptographic layer

If Paramant receives a legal demand for user data, the technical answer is: there is no persistent data to hand over. The ciphertext that existed during transit has been destroyed. The keys never existed on our servers.

Ownership layer

If US authorities want data that happened to pass through Paramant, they would need to engage a Dutch court via a mutual legal assistance treaty, which requires Dutch law compliance for the request itself.

06

Infrastructure dependencies: current state and roadmap.

honest about the gaps

Paramant's application infrastructure is fully EU-based and EU-owned:

Two dependencies at the DNS and CDN layer currently sit outside this boundary:

DNS and CDN: Cloudflare (current, being replaced)

paramant.app currently uses Cloudflare for DNS hosting and static asset delivery. Cloudflare is a US company incorporated in Delaware, subject to US jurisdiction including the CLOUD Act and FISA 702.

The practical impact is bounded by architecture: all file content is encrypted client-side with ML-KEM-768 before any network transit. Cloudflare terminates TLS but receives only ciphertext, so it cannot read file contents, encryption keys, or recipient identities. What is theoretically observable at the Cloudflare edge: source IP addresses, request timing, request volume, and HTTP headers (not body content).

For most threat models this is acceptable. For high-sensitivity use cases (legal, government, healthcare under strict NEN 7510 interpretation) where even metadata exposure is a concern, this is a gap we are closing.

Migration to Bunny.net (Q2 2026)

Paramant is migrating DNS and CDN infrastructure to Bunny.net, a Slovenian company (EU jurisdiction, GDPR-native, not subject to CLOUD Act) with 119 edge PoPs and comparable latency to Cloudflare.

The migration is phased to avoid downtime:

Full migration plan including rollback procedures is documented in the repository (docs/migration-bunny.md).

why we document this

Claiming full EU sovereignty while running DNS on a US company is a contradiction. This section exists because transparency about current limitations is more useful than aspirational claims. The gap is bounded, the mitigation is architectural, and the migration is planned. That is an honest position.

This section was added following community feedback (GitHub Issue #20, raised by Stensel8).

07

The bet Paramant is making.

for the long term

Data sovereignty will matter more over time, not less. Quantum computing will eventually break today's classical encryption. Geopolitical tension will make jurisdiction a more important question. Regulatory frameworks will tighten around supply chain accountability.

Paramant is built to still make sense in five and ten years. That means post-quantum cryptography today, EU jurisdiction permanently, and architecture that makes jurisdictional questions mostly moot because there is simply no data to ask about.
