Side question: If you and your co-workers (across multiple government agencies) had strong suspicion that the vendor had a backdoor to spying on your emails why wasn't the obvious choice contacting federal law enforcement? I'm not sure what it is like in the EU, but in the US I'm pretty sure that if something like this was discovered at a government agency that vendor would quickly find their office raided by FBI agents.