Encryption is only half of data sovereignty. The other half is who owns the company, where the infrastructure sits, and which courts can compel disclosure. Paramant is built for the second half too.
The United States CLOUD Act, passed in 2018, allows US authorities to compel US-based companies to hand over data regardless of where that data is physically stored. It applies to any company incorporated in the US, or owned by a US parent company.
FISA Section 702 authorizes US intelligence agencies to collect communications of non-US persons outside the US without a warrant, when that data flows through US-controlled infrastructure or companies.
Both apply to subsidiaries. If a European company is acquired by a US parent, CLOUD Act and FISA 702 begin to apply to the acquired company's data handling practices, even if servers stay in Europe.
Zivver, a Dutch secure email and file transfer provider, was acquired by Kiteworks (San Mateo, California) in June 2025. Kiteworks is a US company with $610M in growth capital raised, primarily from US investors Insight Partners and Sixth Street.
Sources: Kiteworks press release June 18 2025; PitchBook company profile
| Layer | Location | Jurisdiction |
|---|---|---|
| Company registration | Harderwijk, Netherlands | Dutch law, EU jurisdiction |
| Ownership | 100% founder-owned | No US subsidiaries, no US parent |
| Funding source | Self-funded, no VC | No US investor influence |
| Server infrastructure | Hetzner Nuremberg, Germany | German law, EU jurisdiction |
| Data location | RAM only, destroyed on first read | Nothing persistent to subpoena |
| Encryption keys | Client-side only, never on server | Architecturally unreadable |
| Source code | BUSL-1.1, source available | Auditable by any third party |
Comparing public ownership structures and infrastructure locations for major encrypted file transfer providers:
| Provider | Company jurisdiction | Owner | CLOUD Act exposure |
|---|---|---|---|
| Paramant | Netherlands | Founder-owned, NL | None |
| Zivver | Netherlands (HQ) | Kiteworks, San Mateo CA (since June 2025) | Yes, via parent |
| WeTransfer | Netherlands | Bending Spoons, Italy (since 2024) | None via ownership |
| Tresorit | Switzerland + Hungary | Swiss Post (state-owned, CH) | None |
| Proton | Switzerland | Proton AG, Swiss Federation | None |
| Dropbox, Box, Google Drive | United States | US public companies | Full CLOUD Act |
Sources: company press releases, SEC filings (US public), PitchBook company profiles, Swiss Post corporate communications. Ownership structures verified April 2026.
NEN 7510 requires healthcare providers to demonstrate that patient data cannot be accessed by non-authorized parties. A file transfer provider owned by a US parent creates a disclosure obligation under CLOUD Act that is in tension with NEN 7510's strict access requirements. EU-owned, EU-infrastructure providers have no such tension.
Dutch and German legal codes protect attorney-client privilege against disclosure. A US parent company can be compelled to produce even privileged data under CLOUD Act without notification. Jurisdiction matters not just for compliance but for professional obligations.
Article 21 of NIS2 (EU 2022/2555) requires supply chain security for essential and important entities. Infrastructure providers whose ownership changes jurisdiction mid-contract become supply chain risks. Jurisdictional stability is itself a NIS2 compliance requirement.
For companies working on pre-patent research or confidential commercial negotiations, foreign government access to transfer metadata can reveal strategic intent. The US has a documented history of economic intelligence collection.
If your file transfer provider can be legally compelled to disclose data, the strength of their encryption is not the constraint. Their legal structure is.
Paramant's answer to jurisdictional risk is two-layered: cryptographic architecture that makes disclosure technically useless, combined with ownership structure that makes disclosure legally inapplicable.
If Paramant receives a legal demand for user data, the technical answer is: there is no persistent data to hand over. The ciphertext that existed during transit has been destroyed. The keys never existed on our servers.
If US authorities want data that happened to pass through Paramant, they would need to engage a Dutch court via mutual legal assistance treaty, which requires Dutch law compliance for the request itself.
Data sovereignty will matter more over time, not less. Quantum computing will eventually break today's classical encryption. Geopolitical tension will make jurisdiction a more important question. Regulatory frameworks will tighten around supply chain accountability.
Paramant is built to still make sense in five and ten years. That means post-quantum cryptography today, EU jurisdiction permanently, and architecture that makes jurisdictional questions mostly moot because there is simply no data to ask about.