Confidential data at stake after Zivver acquisition

The acquisition of Dutch security company Zivver by U.S.-based Kiteworks has sparked anger and concern among cybersecurity experts, government organizations and privacy advocates. What does this mean for the security of highly sensitive communications, and how reliable will the protection remain if such a service ends up in foreign hands?

At ALTA-ICT, we know: confidentiality, AVG/NEN/NEN7510 compliance and protection against unwanted access are not a luxury, but rock-solid requirements. In this article, we explore what exactly is involved with Zivver, what the risks are, what Dutch organizations should do and what a strategic approach looks like.

Email deliverability – Prevent spam problems with SPF, DKIM and DMARC

What’s going on?

Zivver, founded in 2015 in Amsterdam, provides services for encrypted communications (email, chat, documents) used by government agencies, hospitals, courts, etc.
With the acquisition by Kiteworks, Zivver has become part of an American company.
The management of Kiteworks consists of several individuals with a history in Israel’s elite intelligence unit (Unit 8200).
According to Zivver, all customer data remains encrypted, servers remain in Europe, and they themselves would not have access to the encryption keys.

But:

Follow the Money and outside cybersecurity experts examined examples where messages and attachments are sent in “plain,” readable form to Zivver’s servers before encryption takes place.
That means that at that stage Zivver could technically see the content, even though Zivver claims it does not.
Because the parent company is in the U.S., the data is subject to U.S. law. That carries risks, especially at a time of geopolitical tension.

Risks to Dutch organizations

Legal framework shifts
Because Kiteworks is domiciled in the United States, U.S. government agencies may require access or monitoring under U.S. laws. Even if data is stored in Europe, U.S. law may sometimes carry more weight.
Uncertainty over ‘zero-knowledge’ claims
Zivver claims that it does not manage keys to encryption, so that only the customer has access. However, research shows that in some use cases data arrives at Zivver in readable form, before encryption. That means: possible access by Zivver itself, or theoretically third parties within the organization.
Geopolitical and security risks
The IDF background of leaders within Kiteworks (formerly Accellion) raises questions about possible intelligence interests or pressures. In times of international tension, such connections are sensitive.
Lack of prior oversight or review
According to the article, the acquisition was not reviewed under the Security Review of Investments, Mergers and Acquisitions Act (Vifo), as Zivver is not considered vital infrastructure. As a result, there is no formal assessment of the risks involved in this acquisition.

What can Dutch organizations do?

As an organization (government, hospital, legal profession, vital sector, etc.), consider the following steps to strengthen your data security:

Audit current security: Have independent investigation of data flow, especially before encryption. Is there time when data arrives on servers in readable form?
Contractual assurances: Ask for explicit service level agreements (SLAs) and contractual assurances about encryption, management keys, location of servers and who has access to what data.
Legal Test: Consult legal advice on how U.S. and European laws and regulations apply to your services. Consider AVG, Schrems II, CLOUD Act, etc.
Consider Alternatives: Are there fully European providers that comply with NEN7510, ISO 27001, and have no foreign ownership with intelligence involvement?
Regulation & Policy: Encourage regulation designating encryption services as critical infrastructure so that acquisitions and foreign investment in such sectors are tested. Also consider transparency requirements.

How does ALTA-ICT look at this (our approach)

At ALTA-ICT, we believe that trust must be earned, but verified. Our approach includes:

ISO 27001/NEN 7510 certified work to strictly regulate data management, encryption and access.
Technical audits and penetration tests, including “pre-encryption” scenarios, to see where any leaks are.
Transparent documentation of who controls the keys, where the data is stored, who has access to it & under what circumstances.
Scenario simulations and risk management: what if foreign laws are invoked? How do we then protect data effectively?
Strategies to reduce reliance on foreign suppliers when security risks are unacceptable.

Conclusion

Kiteworks’ acquisition of Zivver raises important questions about trust, legal framework and technical realities of data security. For Dutch organizations, being notified is being half protected. You must not just rely on claims, but actively monitor, protect and, if necessary, deploy alternatives.

Would you like to explore with ALTA-ICT how your organization stands in this area and what improvements are possible? Feel free to contact us for a free audit call.

📞 Schedule a free audit: alta-ict.co.uk/free-consultation
📧 info@alta-ict.nl