Hmm, so no end-to-end encryption between the clients (me and my customer or supplier). It’s all about spying and control unfortunately. The problem is not if Peppol will be breached but when. And your whole business lays on the street and you will have a hard time to fight the trouble.
So I hope Peppyrus has implemented some functionality if they must store the data, they will do this offline and encrypted with a key they “lost” by accident.