Do we then need a service provider to hold the e2e decryption keys?