- Baseline Risk
- Where is your digital footprint?
- Detailed provider questions
- Risk Management Plan – Examples
- Alternatives to US-based Organisations
As an organisation, you may be surprised by the amount you rely on digital infrastructure based in the USA. Below are some questions that can help you understand your level of risk.
Baseline Risk
What kind of content / data do you hold digitally?
Is it about “undesirable” topics (currently: diversity, equity, and inclusion; transgender people; HIV)?
Have large tech companies abandoned their policies relating to it? (e.g. diversity and inclusion)
Have large tech companies spoken out against it?
Could you be perceived as an “undesirable” client? (Think about how sex workers are removed from Venmo and PayPal – could that be you?)
Who are you holding sensitive data on? Employees, volunteers, customers, partners? Are any of them at a higher level of risk?
Where is your digital footprint?
Do you know where your cloud data is being hosted?
Immediate action: most international cloud providers let you request that your data is hosted outside of the USA.
Do you have local backups of your data?
Immediate action: if you are not already taking local backups of all your cloud data, you can implement this on a quarterly or half-yearly cadence.
Who hosts your website? Where are they based?
Who did you buy your domain name from? Where are they based?
Who built your website? Where are they based?
For your tools (e.g. financial software, analytics and AI integrations, collaboration or messaging software) – where are the providers based? What data do they have? Where are they storing it?
Detailed provider questions
For each of your technical providers:
- How complex would it be to move away from this provider?
- What would the impact be of losing all data hosted by this provider?
- What third party providers (“subprocessors”) do they use?
- How reliant are they on government contracts? This will indicate how much they may proactively make changes to align with government guidance.
- What public statements have they made about policies that affect your business?
- Are you able to request that your data is hosted outside of the USA?
- Can you request a full download of data they hold on you? How long does this take?
- Review your contract! How much notice do you get for Terms of Service changes that could affect you? What protections or recourse do you have if your organisation is deplatformed?
Risk Management Plan – Examples
| Risk | Mitigation | Timeline |
| --- | --- | --- |
| e.g. we have no backup of our cloud data but it’s impractical to get off AWS | Set up a monthly backup to VaultCloud: minimizes costs & build requirements while still increasing security. | Three months |
| e.g. we have information on the transgender status of people currently located in the USA | We do not require this information for our core business purposes. We can delete this information. | One week: assess and communicate with affected people. Two weeks: delete information. |
Alternatives to US-based Organisations
Moving away from the major organisations in the US can be overwhelming. This list is not intended to be exhaustive, but rather to provide a starting point for thinking about how to divest from onshore hosters.
Even overseas providers could be impacted by US policy changes if they rely significantly on government contracts or their US market share. Research what works best for your risk appetite!
| Tech | US | Alternatives |
| --- | --- | --- |
| Cloud providers | Microsoft, AWS, Cisco | Catalyst Cloud (NZ), VaultCloud (AU) |
| Email | Google, Microsoft (Outlook) | Protonmail (Switzerland), Mailfence (Belgium) |
| Web browsers | Google, Microsoft | DuckDuckGo (hosted in US but does not store data); Vivaldi (Norway) |
| Web Hosting | Ionos, A2, hostwinds (usually managed through another provider) | Orange (Iceland), IcyEvolution (Mauritius) |
| Domain Names | WordPress, Domain.com, Godaddy | iwantmyname (UK) |
| Website builders | Squarespace, WordPress, Notion | ?? |
| Collaboration software | Salesforce (Slack); Microsoft (Teams, Sharepoint); Google (Chat, Drive); Dropbox | NextCloud (Germany); IceWarp (Czech Republic); Atlassian (AU – but with large US offices) |
| Financial Services | MYOB (AU based but owned by a US investor) | Xero (NZ/AU – but with large US offices) |
| ERP | Oracle, Workday | TechOne (AU); SAP (Germany – significant US market share); Sage (UK) |
| CRM | Salesforce, NetSuite | Zoho (India), Tall Emu (AU) |
| Analytics tools | Microsoft (PowerBI); Salesforce (Tableau); Metabase (global remote – but registered in the US) | KNIME (Switzerland). A range of open-source distributed tools are also available. |