Comparison · Verified July 2026 · Every claim links to its source

ASTIS Mail vs Zivver

Zivver secures delivery through its platform and portal. ASTIS Mail seals content on your device. And since June 2025, Zivver’s owner is a California company — their own press release below.

TL;DR. Zivver is mature and widely deployed — 10,000+ organizations, strongest in Dutch and UK healthcare and government — with a genuinely useful pre-send DLP layer and a portal that lets unprepared recipients read secure mail with an SMS or access code, no account needed. Its “zero-access encryption” is a server-side platform claim you verify through audits; ASTIS Mail’s zero-knowledge is client-side architecture you verify in code. Two 2025–2026 facts changed the calculus: Zivver was acquired by Kiteworks (California, US) in June 2025 — announced in their own press release — and EU procurement under NIS2/DORA increasingly asks who has jurisdiction over the vendor. Both realities are linked below; check them yourself.

At a glance

The icon next to a claim opens its primary source — the vendor’s own page for their claims, our verifiable docs for ours. Security platforms shouldn’t ask to be believed.

ASTIS MailZivver
Model
Client-side E2EE; ciphertext in your own mailbox
Plugin + secure delivery via Zivver platform/portal
Encryption claim
Zero-knowledge by construction — open SDK, verifiable
“Zero-access” — server-side claim, verified via audits
Vendor ownership
ASTIS — EU entity, independent
Kiteworks (California, US) since June 2025
External recipient (no product)
One-time key invite (browser client)
Portal + SMS / access code / email verification — no account
Pre-send DLP / error prevention
Not an ASTIS Mail feature
Content & recipient checks before send — a real strength
Subject lines encrypted
Sealed client-side
Portal-delivered; depends on flow
Where mail lives
Your Gmail/M365 mailbox (as ciphertext)
Secure messages via Zivver’s platform store
Certifications issued today
SOC 2 Type II in progress · signed builds
ISO 27001 · SOC 2 · NTA 7516 workflow support
Published pricing
$15–20/seat/mo · self-serve
Tiered; quote-driven at 50+ users (~€9–20/user/mo reported)
Track record
New product, no public review base
~10 yrs · 10,000+ orgs · NHS trusts, Dutch municipalities

Where is the trust boundary?

Every product on this market draws a line: everything left of it cannot read your content; everything right of it you have to trust. The only question that matters is where the line sits.

Your device

Keys generated and used client-side. No service can produce plaintext.

ASTIS Mail
Vendor key service

Content encrypted, but a vendor-run key server authorizes every decryption.

Vendor platform

Encryption and access control live in the vendor’s server-side platform.

Zivver
Transport only

TLS in transit; content readable at rest by providers and gateways.

Zivver’s encryption and access control run in its server-side platform — the company states it never holds decryption keys, and audits back the claim. The boundary still sits at a vendor platform you trust, now owned by a US parent.

Where your data lives

ASTIS Mail deliberately does not host message content: decrypted mail exists only on your devices, ciphertext rides your own mailbox. Compare where each product puts plaintext.

ASTIS Mail
Zivver
Decrypted (plaintext) data
Only on your devices — decrypted locally, stored in local browser storage
External recipients read plaintext rendered in Zivver’s web portal session
Encrypted message store
In your own mailbox at your provider (Gmail / M365), as ciphertext
Secure messages stored on Zivver’s platform, parallel to your mailbox
What vendor servers hold
Wrapped key capsules (keyed by address hashes), encrypted key blobs, and the WKD public-key directory — never message content
The secure-message store + verification flows (their claim: no usable decryption keys)

Who holds the keys?

ASTIS Mail’s model

Encryption happens in the client before anything leaves your device: body, subject, attachments, filenames sealed per message; keys wrapped per recipient; ASTIS servers store encrypted capsules keyed by address hashes — and no message content.

No server-side component could decrypt — and this is inspectable: open SDK, GPG-signed releases. “Zero-knowledge should be architecture, not a promise.”

Zivver’s model

Mail flagged as sensitive is delivered via Zivver’s platform: the recipient proves identity (SMS code, pre-agreed access code, or email verification) and reads in a secure web portal. “Zero-access encryption” is their stated design — a serious claim from a serious company, verified by trusting their audits, because the key handling lives server-side.

That server-side position is also what enables their best features: the friction-free external portal and pre-send DLP checks.

“Not even Zivver, as the service provider, can decrypt your data.” — their claim, their words; the architecture that enforces it runs on their platform.zivver.com — zero-access encryption

Ownership and recipients — the honest section

The ownership question, stated plainly

In June 2025 Zivver was acquired by Kiteworks, a California company backed by US growth equity — announced in their own press release, linked below. Nothing improper about it. But if “European vendor, European jurisdiction” was part of why you chose Zivver, that premise changed; NIS2/DORA vendor reviews should re-open that line.

ASTIS is an EU entity with no US hyperscalers anywhere in the stack — data sits with French and German operators (OVH; Contabo) in DE + UK under adequacy. Same standard applied to ourselves: Contabo’s operator is German, its majority investor since 2022 is US-based KKR — disclosed here, because a vendor-jurisdiction review should get the whole picture from us, not discover it.

Where Zivver is genuinely stronger today

Zero-setup external delivery: emailing a patient or citizen who will never install anything — Zivver’s portal + SMS flow handles it. This is the single biggest functional gap between the products.

Error-prevention DLP before send, mature admin tooling, NHS-scale references, and issued ISO 27001/SOC 2 today. Their reviews’ recurring friction: 30-day session expiry, SMS-code hassle for recipients, content-check false positives.

Pricing

ASTIS Mail

  • Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo
  • Self-serve, 30-day trial, no services engagement
  • 25-seat firm: ≈ $4,500–6,000/year

Zivver

  • Start / Professional / Ultimate tiers; buy-online under 50 users, quote above
  • ~€9–20/user/month per third-party reports (dated) — no static prices on their page
  • Add-ons (threat protection, DMARC, training) are contact-sales

Two honest shortlists

Pick Zivver if

  • Dutch/UK healthcare, government, legal mailing unprepared citizens and patients
  • DLP nudges against misaddressed mail matter as much as encryption
  • Issued ISO 27001 / SOC 2 required on day one
  • NTA 7516-aligned workflows for Dutch healthcare

Pick ASTIS Mail if

  • EU firms whose vendor-risk review now flags US ownership
  • Repeat correspondents — one-time key invite beats per-message SMS codes
  • Threat model requires that no vendor platform could ever produce plaintext
  • Mail must stay in your own mailbox, not a parallel vendor store

FAQ

Is Zivver end-to-end encrypted?

Zivver markets “zero-access encryption” and states it never holds decryption keys. Its architecture is a server-side platform with client plugins; verification of the claim rests on audits. ASTIS Mail’s encryption runs entirely client-side and is inspectable in the open SDK.

Is Zivver still a European company?

Zivver operates from Amsterdam but has been owned by Kiteworks (California, US) since June 2025 — per Kiteworks’ own press release.

Did Zivver lose its NTA 7516 certification?

In May 2022 the Dutch standards body NEN withdrew NTA 7516 supplier certificates from all vendors due to flawed testing criteria — not a Zivver-specific failure. Zivver now positions its product as enabling customer compliance with NTA 7516.

Can ASTIS Mail send to someone with no key?

Not encrypted — the sender is warned and must choose. External recipients go through a one-time key invite first (browser-based, no install). If your daily flow is one-off mail to strangers, Zivver’s portal fits better today.

Sources — retrieved July 2026

All trademarks belong to their owners. Prices and features change — verify before deciding. Found an inaccuracy? [email protected] — we fix verified inaccuracies within one business day.

Don’t trust either vendor — verify.

Read the security documentation, then run the 30-day trial on your existing Gmail or Microsoft 365 mailbox. Keep the provider. Protect the content.