Investment Notes

Secure Communication in Regulated Industries: The Zivver Thesis

Willem de Vries

In July 2022, Stroom Capital co-led Zivver's Series A round. The investment thesis can be stated plainly: most regulated-industry organisations communicate sensitive information over channels that are architecturally incompatible with the security requirements of those industries, and no amount of policy enforcement after the fact will change this. A Dutch healthcare organisation sending patient discharge summaries by email to a GP practice is not being negligent — it is using the communication infrastructure that exists. The negligence lies in having built communication infrastructure for regulated industries on top of SMTP, a protocol designed in 1982 for reliable message delivery, not for confidentiality, integrity assurance, or verifiable delivery confirmation.

The regulatory backdrop had been building pressure for years before our Zivver investment. GDPR's Article 32 requires controllers and processors to implement technical and organisational measures to ensure a level of security appropriate to the risk — which, for healthcare organisations handling special category data under Article 9, means encryption in transit and at rest is not optional. The Dutch DPA (Autoriteit Persoonsgegevens) had already issued enforcement actions against healthcare providers for sending patient data over unencrypted email. NEN 7510 — the Dutch healthcare information security standard based on ISO/IEC 27001 — explicitly requires that organisations assess and mitigate risks in information exchange. Despite all of this regulatory pressure, the dominant communication tool in Dutch healthcare, legal, and local government in 2022 remained standard email. Not because security teams did not know it was a problem, but because secure alternatives had historically been unusable enough that adoption collapsed at the individual sender level.

What Zivver addressed was a usability problem masquerading as a security problem. Previous attempts at secure email for regulated industries had taken a cryptography-first approach: force users to manage S/MIME certificates, install plugins, enrol recipients in complex key exchange ceremonies. The result was predictable — adoption rates low enough that the "secure" channel was used for edge cases while normal email continued for the majority of sensitive communications. Zivver's architecture inverted this: optimise the sender experience to the point that sending securely is not meaningfully harder than sending normally, and use automated data classification to intervene at the moment of composition when sensitive content is detected. The security is in the platform infrastructure, not in the user workflow.

The specific mechanism worth understanding is how Zivver handles recipient access in a way that does not require the recipient to hold credentials or manage cryptographic material. When a sender in a Zivver-enabled organisation sends a sensitive message to an external recipient — say, a GP practice that has no Zivver deployment — the recipient receives an email notification with a link. The link resolves through Zivver's access layer, which can authenticate the recipient through multiple methods: a one-time code sent to a registered mobile number, a DigiD authentication for Dutch citizens, or an organisation-specific identity assertion. This allows end-to-end confidentiality for messages involving external parties who have no prior relationship with the sending organisation's security infrastructure. We are not claiming this is a perfect cryptographic solution equivalent to mutual TLS with certificate-pinned endpoints — it relies on the security of Zivver's access control infrastructure. We are saying it is an enormous practical improvement over standard email for the workflows that regulated organisations actually run.
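A minimal model of the recipient access flow described above, added here as an illustration and not Zivver's own code: the emailed link carries only an opaque, expiring capability token; the access layer releases the stored message only after a one-time code delivered out of band is verified, with attempt limits and single-use semantics. The class names, link format and timeouts are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINK_TTL_SECONDS = 7 * 24 * 3600  # assumed: how long a notification link stays valid
OTP_TTL_SECONDS = 300             # assumed: one-time code validity window
MAX_OTP_ATTEMPTS = 3              # assumed: wrong-code attempts before the link is dead


@dataclass
class Envelope:
    body: bytes                   # message content stays server-side, never in the email
    recipient_phone: str          # registered mobile number for the out-of-band code
    expires_at: float
    used: bool = False
    otp: Optional[str] = None
    otp_expires_at: float = 0.0
    otp_attempts: int = 0


class AccessLayer:
    """Hypothetical access layer: the link token is the only thing the email carries."""

    def __init__(self) -> None:
        self._envelopes: Dict[str, Envelope] = {}
        self.sms_outbox: List[Tuple[str, str]] = []  # constructed stand-in for an SMS gateway

    def send_secure(self, body: bytes, recipient_phone: str, now: float) -> str:
        token = secrets.token_urlsafe(32)             # unguessable capability, not a message ID
        self._envelopes[token] = Envelope(body, recipient_phone, now + LINK_TTL_SECONDS)
        return f"https://access.example/m/{token}"    # assumed notification link format

    def open_link(self, token: str, now: float) -> bool:
        """Recipient follows the link: issue a fresh code to the registered number."""
        env = self._envelopes.get(token)
        if env is None or env.used or now > env.expires_at:
            return False
        env.otp = f"{secrets.randbelow(10**6):06d}"
        env.otp_expires_at = now + OTP_TTL_SECONDS
        env.otp_attempts = 0
        self.sms_outbox.append((env.recipient_phone, env.otp))
        return True

    def redeem(self, token: str, code: str, now: float) -> Optional[bytes]:
        """Recipient submits the code: release the message once, then burn the link."""
        env = self._envelopes.get(token)
        if env is None or env.used or env.otp is None or now > env.otp_expires_at:
            return None
        env.otp_attempts += 1
        if env.otp_attempts > MAX_OTP_ATTEMPTS:
            env.used = True                           # lock out: too many guesses
            return None
        if not hmac.compare_digest(env.otp.encode(), code.encode()):
            return None
        env.used = True                               # single-use: link is dead after release
        return env.body
```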

The investment thesis implication for Fund III is that regulated-industry communication security remains substantially underpenetrated in Europe. Healthcare, legal, and public sector organisations in Germany, France, and the Benelux are operating under essentially the same regulatory pressure as Dutch organisations but often lag in tooling adoption. The market geometry — many organisations with genuine compliance obligations, an established product that has demonstrated adoption within a specific vertical, regulatory enforcement that is accelerating under NIS2's expanded scope — is the kind of compound tailwind we look for when evaluating category leaders at the growth stage.