GENERIC STATEMENT

The proposed acquisition of Solvinity by Kyndryl has sparked a debate in the Netherlands.  In response, Daniëlle Schuur, CEO Solvinity, underlines the company’s commitment to continued service to the Dutch market. “Solvinity delivers secure managed cloud services and we will continue to do so.  We believe that the intended acquisition by Kyndryl Nederland B.V. will enable our company to continue to secure its mission critical services, enable it to scale and innovate at a faster pace to the benefit of our clients and clients. Solvinity delivers and operates the platform on which clients can securely deploy their applications and data.”

Introduction

We recently announced the intended acquisition of Solvinity B.V. by Kyndryl Nederland B.V. We deliver secure managed cloud services, and we will continue to do so. This new chapter in the story of Solvinity will have no impact on securing our mission critical services, enable us to scale and innovate at a faster pace and allow us to deliver an enhanced set of modernization, security and resiliency services to our clients. The acquisition is subject to regulatory clearance.

We have seen enthusiastic reactions, however, we have also seen concerns about the alleged consequences of the intended acquisition. The raised concerns are about the sovereignty of our services. The sovereignty discussion is a complex one. It is a mixture of legal and technical measures we will have in place in order to deliver our services as our clients are used to. We would like to provide clarity about why our shareholders are pursuing this acquisition, why it will improve our services towards our clients, and the positive impact it would have on well-known services.

Answers to most of questions asked in recent weeks can be found below.

What does Solvinity do? Is it a cloud provider?

Solvinity delivers secure managed cloud services. Solvinity designs, builds and maintains services by making use of standard hardware and software and third-party services. At the request of our customer, we can deliver public and/or private cloud solutions.

If desired by our clients, the services can be fully controlled by the client according to the highest available quality and security standards. That means that we help organizations to store their data in a way that works best for them.

With our private cloud solutions, data is stored solely at data centers in the Netherlands. Our engineers are highly passionate about executing our customer obligations and delivering secure managed cloud services services. The customer controls the application and the data.

What kind of company is Kyndryl?

Kyndryl is a publicly traded company with its headquarters in New York. It is traded at the New York Stock Exchange and has existed since 2021, when it was spun off from IBM. It is not a ‘hyperscale cloud provider’ like Microsoft, Amazon or Google, but is an IT services provider and integrator that helps its clients build and retain secure and mission-critical digital services.

Kyndryl’s robust security practices adhere to industry security standards and frameworks, such as National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) and Kyndryl maintains industry best practice security and privacy certifications, attestations and audit reports.

Kyndryl and its predecessors have been active in the Netherlands for decades, including Dutch clients and personnel. At the moment, Kyndryl Nederland B.V. has hundreds of employees in the Netherlands and has been working for various government clients, as well as clients in highly regulated markets like the financial sector.

Kyndryl Nederland B.V. is ABDO-authorized (General Security Requirements for Defense Contracts) by the Ministry of Defense. Kyndryl has welcomed its recent designation as a Critical Third-Party Service Provider under the Digital Operational Resilience Act (DORA), thereby placing Kyndryl under the supervision of the European Supervisory Authorities.

Currently, Kyndryl Nederland B.V. operates with a two-tiered Board system:

Distinct Managing Board (“consisting of a single (Dutch nationality) managing director”) and a local management team of Dutch nationals
External independent Dutch Supervisory Board (Raad van Commissarissen, RvC) composed of non-Kyndryl employees, Dutch nationals, with local expertise and knowledge. The Supervisory Board’s primary role is to monitor and advise the Managing Board, such that Kyndryl Nederland B.V. is managed in the interests of the company and its stakeholders, including shareholders, employees, creditors and the public interest.

Key features include:

The approval of the Supervisory Board is required for important management decisions.
The Supervisory Board can advise on major business decisions that have significant impact on the interests of the company and the business it operates.

What will this acquisition mean for Solvinity?

Solvinity provides premium technology services in the Netherlands, particularly in the areas of security, digital transformation, and innovation with emerging technologies. These services are delivered to clients across government, banking and other sectors. As digital technology and digital threats develop rapidly, strategic investment and responsible innovation are essential. One of Solvinity’s biggest challenges is continuously scaling up its high-quality services. Kyndryl’s mission-critical expertise, scale and deep base of engineering talent provide Solvinity with the strength needed to do so. Kyndryl is thus a strategic partner that knows what is required to remain a leader in quality, security, and privacy at the highest level. Additionally, Solvinity delivers sovereign secure managed cloud services, which will be an addition to the Kyndryl services in the Netherlands.

What services does Solvinity provide for the government and DigiD?

DigiD is an application that allows the government to verify the identity of citizens, and allows access to governmental services. DigiD is owned by Logius, which falls under the Ministry of Interior Affairs.

The DigiD application is installed on top of a platform that is designed and operated by Solvinity. Solvinity’s role is limited to delivering and managing the platform on which the DigiD software runs: the servers, the storage, and the security devices. Only a subset of approved employees of Solvinity can carry out this work. DigiD is hosted in a dual secure government data center (ODC) in the Netherlands. Solvinity’s security controls are subject to third-party certifications, audit reports, including SOC 1 & 2 and ISO 27001.

Solvinity’s work on DigiD is regularly audited at the request of the Ministry of the Interior and Kingdom Relations, as is common practice with such clients.

What does this mean for DigiD and similar government services?

Post closing, Kyndryl will not relocate Dutch customer data currently on private clouds within the Netherlands outside of the country and will continue to only utilize employees in the Netherlands and in the EU to provide services. In other words, Kyndryl has no plans to change Solvinity’s approach to data sovereignty and will only enhance the quality of Solvinity’s business security with Kyndryl’s advanced infrastructure, security and technology services.

For DigiD specifically, the DigiD platform will continue to be hosted in the Netherlands, and our role in the project will remain the same. To be crisp and clear: nothing will change in how we deliver our services to clients.

Can the U.S. government request data or shut down services like DigiD after the takeover of Solvinity?

One concern that was voiced in the previous weeks was that the U.S. government might compel Kyndryl to share Dutch citizen data and/or ‘shut down’ DigiD or other services. We understand the concerns and would like to address the issue.

The scenarios under which the US government might request data are extremely unlikely; and in any of those instances, Kyndryl’s policy – as noted on their Trust Center, which includes Transparency Reports – is to protect customer privacy, to never share customer data unless legally required to do so. Kyndryl states that they would review the request to ensure it complies with applicable laws and will challenge, through judicial or other means, any request that is unlawful, unclear, or overly broad.

What will this acquisition mean for the security of the data that Solvinity manages?

Both organizations will maintain their commitment to the highest standards of data governance as paramount to their business – critical to maintain the trust of their clients, which will always be their top priority. As such, Solvinity and Kyndryl will continue to comply with all Dutch, EU, and other relevant laws and regulations that are applicable for the services that they provide.

Additionally, Solvinity has robust security measures in place to minimize and mitigate risk of interference in their customer’s IT estate, is regularly audited by third parties and is SOC I and II certified. The same is true for Kyndryl.

As security technologies and regulations continue to evolve, Kyndryl brings a wealth of additional experience and technology to augment applicable protections. Kyndryl actively incorporates global best practices to improve their offerings for every customer. They identify opportunities for improvement and implement them across their worldwide operations, to enable clients to benefit from the latest enhancements, regardless of where those innovations originated.

At the direction of its clients, Solvinity provides the following private cloud features that Kyndryl intends to maintain:

Data Localization: When deploying and managing private cloud instances across the EU, all customer data and backups remain within local data centers. Currently, Solvinity’s private clouds host all data in facilities located in the Netherlands. Solvinity will not change this unless it is directed to do so by its clients.
Operational Sovereignty: At customer request for EU private cloud instances, access will continue to be restricted to EU-based personnel of Kyndryl and Solvinity. Each of Solvinity and Kyndryl currently offers operational sovereignty capabilities.
Access Controls: Solvinity deploys strong access controls – such as zero-trust, privileged access pathways, customer-controlled identity plane – so that only individuals with a need to know and prior customer authorization may access the data. Solvinity has implemented certain access restrictions requiring its clients to consent to any access request and Kyndryl intends to maintain this practice unless the customer requests otherwise.
Encryption Controls: Solvinity utilizes strong encryption at rest, in transit, and, depending on customer requirements, with EU restricted keys. Solvinity currently has contractual restrictions with some of its clients requiring their consent to any request for disclosure of data, and Kyndryl’s deeply rooted process and procedures require the same level of rigor for its clients.
Sovereign Logging Controls: At customer request, Solvinity’s private cloud solutions employ sovereign logging such that logs – including security logs, system logs, audit trails, access and authentication logs, metadata, or telemetry – remain within the EU and are not accessible from outside of the EU. Kyndryl follows the same approach to meet these requirements.

GENERIC STATEMENT

Introduction

About Solvinity

Managed IT Solutions

Sign up for the
Solvinity Newsletter

GENERIC STATEMENT

Introduction

Sign up for the Solvinity Newsletter

Sign up for the
Solvinity Newsletter