Update (05-02-2026): IND stops using Zivver
The Immigration and Naturalization Service (IND) decided to look for an alternative to Zivver. The IND is concerned about data security after the takeover of the Dutch Zivver by the American company Kitworks. As a result, the IND cannot rule out the possibility of data falling into the hands of the United States.
An IND spokesperson says at Follow the Money that the immigration service is therefore looking for an alternative. Until a “good working alternative” is found, the IND will continue to use Zivver.
Government organizations must decide for themselves whether to continue using Zivver. In addition to the IND, other government agencies, such as the UWV, are still using Zivver. It is unclear whether more agencies will stop using the service.
Research from Follow the Money about the acquisition of communications software Zivver, caused a stir among government organizations and cybersecurity experts. Zivver provides communications software and is best known in healthcare, government agencies and municipalities for its secure mail application. What does this mean for the security of sensitive communications and how reliable will Zivver remain if this service falls into U.S. hands?
In this article, we will tell you exactly what is involved with Zivver, what the risks are and what you should do.
In brief:
Founded in 2005 in the Netherlands, Zivver provides services for encrypted communications such as e-mail, chat and documents. Zivver is especially widely used by government agencies, hospitals, courts and municipalities.
In June, Zivver announced that Kiteworks would acquire the company. With the acquisition, Zivver became part of an American company, from which the management consists of several individuals with a history with Israel's elite intelligence unit, Unit 8200.
What does this mean?
Research by Follow the money, along with outside cybersecurity experts, shows examples where messages and attachments are sent to Zivver's servers in ‘plain,’ readable form, before encryption takes place. This means that Zivver may technically be able to see the content, even though Zivver claims it does not.
Because the parent company is in the U.S., the data is not subject to European law, but rather U.S. law. Because of the CLOUD act, this means that the U.S. government can appropriate data if it wishes, regardless of where the data is stored. Zivver does claim that security will only improve thanks to the Americans. But because of such U.S. legislation, this does not seem to be the case.
Zivver claims that all customer data remains encrypted, that Zivver itself has no access to the encryption keys and that data is stored exclusively on European servers.
What should your organization do?
To ensure the continuity and integrity of sensitive communications, there are several actions you can take:
- Update risk assessments: What risks does this change entail for your organization. Take into account changed legislation and international rules (European and American).
- Check the contract: Make sure processor agreements and standard clauses clearly protect against foreign claims.
- Demand for transparency: Have regular audit reports delivered, such as ISO 27001, to ensure that European regulations are being followed.
- Consider alternatives: Are there European providers that comply with NEN 7510, ISO 27001 with comparable functionality as well as European control? This reduces your risks in terms of digital sovereignty.
Part of a trend
The acquisition of European technology companies to companies from abroad is becoming increasingly common. These acquisitions underscore the importance of proactive governance, keen review of contracts and an open mind. This is the only way to maintain control as an organization.
Want to know what this development means for your organization or think together about a alternative? Contact us for a free consultation and find out how to keep control of your data.
Sources:
IND wants to stop secure emailing service after U.S. takeover - NU.co.uk by Tweaker - Feb. 4, 2026