Concerns around data sovereignty and dependency on U.S.-based cloud providers are more pressing than ever. Organizations – especially in the public sector – rightly ask: how do we maintain control over our data in a world where technology, legislation, and geopolitics are increasingly intertwined?
Strengthening data sovereignty and control over sensitive communications was one of the key motivations behind the partnership between Zivver and Kiteworks. This whitepaper explains how that step not only preserves Zivver’s existing safeguards, but further reinforces them – by clearly outlining:
- Which risks posed by U.S. cloud providers are real
- The technical and legal realities behind these risks
- How the partnership with Kiteworks enables Zivver to support organizations even more effectively in securing sovereignty and confidentiality
Two Risks That Are Often Conflated
In many discussions around U.S. cloud providers, different concerns are often lumped together. This leads to confusion – and sometimes to ineffective mitigation strategies. In reality, there are two fundamentally different risks, each with its own legal context and technical countermeasures.
By making this distinction explicit, it becomes clear why certain measures (such as encryption or using EU data centers) may mitigate one risk – but not the other.
1. Data Access Under the U.S. CLOUD Act
The CLOUD Act grants U.S. authorities the power to compel U.S. companies to hand over customer data – regardless of where that data is physically stored. This means that even data stored in European data centers may be subject to access, as long as the provider is under U.S. jurisdiction.
The risk lies not in where the data is located, but in who has authority over it.
What does work:
- Encryption where only the customer has access to the encryption keys. If the provider cannot access or deliver the keys, the data remains inaccessible – even in the event of a legal request.
- Self-managed environments (on-premise or private cloud). When the software is run locally or within an organization’s own European cloud, and the provider has no access to infrastructure or keys, it simply cannot comply with data access requests – even if legally compelled.
2. Service Disruption Due to Geopolitically Driven Sanctions
The U.S. government can require technology companies to block access to their services for specific organizations or countries. Recent cases – such as Microsoft disabling accounts of the International Criminal Court at the request of the Trump administration – show that this risk is no longer hypothetical.
What does not work:
- Encryption alone is insufficient. Even if the data is well encrypted, services can still become unusable if access to the software itself is blocked.
- Storing data in EU-based data centers does not offer protection. Service disruption occurs at the operational level (accounts, access rights), not based on physical data location.
What does work:
- Avoid dependency on U.S.-controlled operational infrastructure. This includes identity services, update mechanisms, licensing systems, and cloud platforms managed by U.S. entities.
- Use software that can function fully autonomously. Only solutions that can run locally or in a European private cloud – without reliance on external authentication, licensing, or hosting services – remain usable under political pressure or sanctions.
How Zivver Addresses These Risks – Already for Data Access, and Soon for Service Continuity
Zivver is built on the principle that sensitive communications should be accessible only to the sender and recipient – regardless of where or by whom the solution is hosted.
✅ Zero-access Encryption
All messages sent or stored via Zivver are encrypted in such a way that:
- Only the sender and recipient can access the content
- Zivver cannot access message content
- The encryption keys are solely managed by the customer
Even when Zivver uses infrastructure such as AWS, these environments are technically excluded from accessing keys or content. As a result, the risk of data access via the CLOUD Act is effectively mitigated in practice.
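The zero-access model above, together with the two-risk distinction drawn earlier, as an added illustration (example code written for this page, not Zivver’s or Kiteworks’ implementation): a toy hosting provider stores only blobs encrypted under a customer-held key, so a compelled disclosure yields nothing readable, while a service block still makes the data unusable through that provider. The tenant name, message content and the SHA-256 counter-mode cipher are assumptions, the cipher standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: an illustrative stand-in for a real AEAD such as AES-GCM.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: only a holder of `key` can read or verify the blob.
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def _succeeds(fn) -> bool:
    try: fn()
    except (ValueError, PermissionError): return False
    return True

class ZeroAccessProvider:
    # Hosting provider that stores opaque blobs and never holds a key.
    def __init__(self) -> None:
        self.store: dict[tuple[str, str], bytes] = {}
        self.blocked: set[str] = set()  # tenants cut off by a sanction-style order
    def fetch(self, tenant: str, msg_id: str) -> bytes:
        if tenant in self.blocked:
            raise PermissionError("service access blocked for tenant")
        return self.store[(tenant, msg_id)]
    def compelled_disclosure(self, tenant: str) -> dict[str, bytes]:
        # Risk 1: a legal order reaches only what the provider actually holds.
        return {m: b for (t, m), b in self.store.items() if t == tenant}

def run_scenarios(tenant: str = "hospital-nl", message: bytes = b"patient report") -> dict:
    key = secrets.token_bytes(32)  # customer-managed key, never sent to the provider
    provider = ZeroAccessProvider()
    provider.store[(tenant, "msg-1")] = encrypt(key, message)
    blob = provider.compelled_disclosure(tenant)["msg-1"]  # all a legal order can obtain
    readable = _succeeds(lambda: decrypt(secrets.token_bytes(32), blob))  # no key: fails
    customer_reads = decrypt(key, provider.fetch(tenant, "msg-1")) == message
    provider.blocked.add(tenant)  # Risk 2: the service itself is blocked for the tenant
    usable = _succeeds(lambda: provider.fetch(tenant, "msg-1"))  # encryption cannot help
    return {"disclosure_readable": readable, "customer_can_read": customer_reads,
            "usable_after_block": usable}
```

Running `run_scenarios()` shows the asymmetry the whitepaper describes: customer-held keys defeat the data-access risk but do nothing against an access block.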
✅ Self-hosting as the Next Step: Private Cloud or On-premise
Zivver is currently developing a version of its solution that offers even more protection, enabling organizations to:
- Run the full solution within their own data center or private cloud environment
- Maintain full control over infrastructure, configuration, and encryption key management
- Operate without any technical dependencies on U.S. or external service providers.
This means organizations will be protected not only against external access but also against potential service disruptions imposed by third parties.
How the Partnership with Kiteworks Enhances What Organizations Need
Kiteworks provides a platform for the secure sending, receiving, sharing, and editing of sensitive files and messages – including through email, MFT (Managed File Transfer), SFTP, and web forms. Like Zivver, Kiteworks is fully focused on protecting confidential communication, with a strong emphasis on compliance, data control, and auditability.
Kiteworks’ technology expands Zivver’s capabilities by enabling us to:
- Support a broader set of use cases, including secure file sharing, MFT, SFTP, and forms
- Offer this functionality as an on-premise or private cloud solution
- Do so while maintaining the zero-access architecture principles that define Zivver.
Rather than compromising on sovereignty, this partnership allows us to deliver sovereign solutions at scale, with greater functionality – while remaining fully independent of U.S. cloud infrastructure.
Conclusion
Zivver – especially in partnership with Kiteworks – provides structural protection against the two main risks associated with U.S. cloud providers:
- Access to data by third parties is prevented through zero-access encryption and customer-managed keys
- Service disruption risks are mitigated by offering the ability to deploy Zivver as a self-hosted solution, free from external operational dependencies
The collaboration with Kiteworks enables Zivver to support organizations in their pursuit of true data sovereignty – without compromising on usability, compliance, or security.