Digital sovereignty for nonprofits: non‑US tech alternatives
Where your data lives determines who can access it. This free guide helps Canadian and international nonprofits understand their options and make informed decisions about the tools they depend on.
Where your data lives determines who can access it.
If your nonprofit runs on Google Workspace, Microsoft 365, Zoom, or Slack, you’re in good company. Most organizations do. These tools are familiar, powerful, and genuinely useful. So why are more nonprofits starting to ask whether they should look elsewhere?
Because where your data lives determines who can access it. And right now, that question feels more urgent than it has in years.
The changing landscape of US tech
In 2025 and 2026, several things converged to make organizations reconsider their dependence on US-based technology. The US political environment shifted in ways that created real uncertainty about data access, regulatory oversight, and the independence of major tech companies from government influence.
A law called the CLOUD Act, passed in 2018 and still in full effect, allows US law enforcement to demand that American tech companies hand over data stored anywhere in the world, including data belonging to Canadian and international users. This isn’t a hypothetical: it’s a legal reality that applies to Google, Microsoft, Amazon, Zoom, and virtually every major US platform your organization might use.
None of this means US tech tools are inherently harmful or that you need to abandon them immediately. It means that understanding the risks is now a basic part of responsible technology stewardship for nonprofits.
What makes a tool “US tech”?
A tool is essentially “US tech” when three things are true: the company that owns it is incorporated in the United States, your data is stored on servers in the United States, and US law applies to how that data can be accessed and shared.
Think about the information that flows through your organization every day: donor names and contact details, client records, grant applications, internal advocacy strategies, board meeting minutes, staff personal information, beneficiary data. This is sensitive material. For organizations working in legal aid, health, housing, or human rights, a data breach or unauthorized government access could have direct consequences for the people you serve.
Why Canada and the EU are worth looking at
Both Canada and the European Union have built robust frameworks specifically designed to limit what companies and governments can do with your data.
In Canada, federal privacy law (PIPEDA) sets out what organizations can collect, how they must protect it, and what rights individuals have over their own information. In the EU, the GDPR is widely regarded as the world’s strongest consumer data protection law.
Switzerland and Norway aren’t EU members, but both have privacy laws that match or exceed EU standards, and both sit outside US jurisdiction. That’s why you’ll see Swiss-based tools like Proton, Infomaniak, and Tresorit appear prominently in this guide.
The software’s underlying code is publicly available for anyone to inspect, audit, and improve. Security researchers can verify it does what it claims: no hidden backdoors, no secret data collection. Even if the company behind it goes away, the code lives on.
Open source doesn’t mean amateur or underpowered. The software that runs most of the world’s web servers, universities, hospitals, and governments is open source. Nextcloud is used by the German federal government.
Instead of renting a storage locker in someone else’s building and agreeing to their rules, you get your own filing cabinet on your own premises. Self-hosting means your organization runs the software on a server you control. Your data never passes through the original company’s infrastructure at all.
Self-hosting isn’t all-or-nothing. Many tools in this guide are available as both a self-hosted option and a managed service. You can choose the level of control that matches your team’s technical capacity and your budget.
Moving your organization’s digital infrastructure is a real project. Most organizations begin with one or two areas (often email or file storage) and expand from there as they build confidence.
Every step you take toward tools in trustworthy jurisdictions is a step in the right direction.
Immigration, Refugees and Citizenship Canada explicitly prohibits storing client data on US-based cloud platforms like Dropbox and Google Drive. If your organization receives IRCC funding, data residency isn’t optional: it’s a contractual requirement.
Read our IRCC data compliance guide →Five criteria. Applied to every tool.
Every tool in this guide was evaluated against the same five criteria. Here's what we looked at, and why it matters for nonprofits specifically.
Country of origin
We prefer Canadian-based services first, followed by EU member states and countries with strong independent privacy laws (Switzerland, Norway). We excluded tools headquartered in jurisdictions with mass-surveillance frameworks or weak data protection legislation.
Free tier suitability
We noted whether a free plan exists that is genuinely usable by a small team (typically 5–25 people), with reasonable storage and no artificial feature walls that make it impractical for real work.
Open source / self-hostable
Tools that are open-source and can be self-hosted give your organization full control over where your data lives. We flagged every tool where this option exists and noted the difficulty level.
Nonprofit pricing
Many of these providers offer discounts or entirely free plans for registered charities and nonprofits. We've called these out prominently so you know exactly who to ask.
Feature parity
We only recommend tools that can realistically replace the US incumbent for the tasks nonprofits actually do, not workarounds that require significant compromises to daily workflows.
Seven categories. Dozens of alternatives.
Each category is collapsed by default to keep the page manageable. Open the ones relevant to your organization.
Start here. We'll make it simple.
The comparison tables above cover your options in full. If you'd rather start with a direct recommendation, here's our shortlist, organized by what matters most to your organization.
mailbox.org
If you have a small team (say, 10 people or fewer) and you want to stop using Google or Microsoft without taking on a big IT project, mailbox.org is our top recommendation.
At €3 per user per month, the Standard plan gives you everything in one place: email with your own domain, a calendar, contacts, 5 GB of cloud file storage, a built-in office suite for editing documents, and video conferencing. It's all on one website, managed from one account, with no apps to install and nothing to self-host. Each account supports 50 email aliases, so addresses like info@ or hello@ can route straight to the right person without needing a separate account for each one.
One important setup note: for teams of 10 or fewer, use individual Standard private accounts and the Family Account feature to group them together. This avoids the business plan pricing, which adds a €25–250/month service fee on top of per-user costs. Cascadia South has hands-on experience setting this up and can walk you through it.
Infomaniak kSuite
If your organization currently runs on Google Workspace or Microsoft 365 and you want a single replacement that covers everything, without self-hosting, without juggling multiple providers, and without answering to US law, Infomaniak kSuite is our pick.
Infomaniak is a Swiss company that builds and operates its entire stack on its own infrastructure, with no Amazon, Google, or Microsoft involved at any layer. kSuite covers every major category: email (kMail), file storage (kDrive, 15 GB free), document editing (OnlyOffice built directly into kDrive), video conferencing (kMeet, unlimited duration, no account required for guests), and team chat (kChat). Calendar and contacts are included too.
The one thing to know about pricing: the free tier uses a generic domain. To use your own domain name, you either purchase it through Infomaniak, in which case kSuite Standard is free, or pay a modest monthly fee if your domain is registered elsewhere. Either way, the cost is well below Google Workspace.
Nextcloud + Mattermost + OpenProject + BigBlueButton
For organizations with the technical capacity to manage their own infrastructure, or the budget to hire someone to do it, self-hosting gives you the highest possible level of data sovereignty. You choose the server, you choose the country, and your data never passes through anyone else's systems.
Our recommended stack, deployable on a Canadian VPS: Nextcloud Hub is the foundation, handling files, calendar, contacts, and document editing (via ONLYOFFICE or Collabora) in a single open-source platform. The German federal government runs Nextcloud. Mattermost (Community or NPO license) handles team messaging. OpenProject (Community Edition, free) covers project management with Gantt charts, Kanban, and task tracking. BigBlueButton or Jitsi Meet handles video conferencing.
For email, even in a self-hosted stack we recommend outsourcing to a trusted provider. Running your own mail server correctly is genuinely difficult and error-prone. mailbox.org or Proton Mail are the right choices here. The main cost of this stack is a VPS (typically $20–60/month). For Canadian data sovereignty, we recommend hosting on a Canadian provider such as FullHost, LunaNode, or KeepSec. After setup, the software itself is free.
Sync.com + BigBlueButton + Mattermost
There is no single Canadian provider that covers everything on this list the way Google or Microsoft does. That's a gap the Canadian tech sector hasn't yet filled. But you can build a meaningfully Canadian stack by combining the strongest Canadian-headquartered tools available.
Sync.com (Toronto) handles your file storage under PIPEDA, with zero-knowledge encryption. BigBlueButton (Ottawa) handles video conferencing for meetings, workshops, and webinars. For team messaging and project management, Mattermost self-hosted on a Canadian VPS (providers like FullHost, LunaNode, or Web Hosting Canada keep your server in-country) runs on a software license that costs $250 for three years for up to 1,000 nonprofit users.
The honest gap is email. No Canadian email host currently meets our criteria of custom domain + strong nonprofit pricing + meaningful privacy features. For email, our recommendation is to pair this stack with mailbox.org (German, GDPR) or Proton Mail (Swiss). Neither is Canadian, but both are in jurisdictions with strong privacy protections and neither answers to US law.
For nonprofits handling particularly sensitive data (legal aid, human rights, health services, immigration, or domestic violence services) we recommend prioritizing end-to-end encryption above all else.
Proton Mail for email: Swiss jurisdiction, end-to-end encrypted, zero-access at rest, NPO discount available. CryptPad for document collaboration: end-to-end encrypted documents, spreadsheets, and forms. The server literally cannot read your files. It's run by a French nonprofit and is free to use. The UN uses CryptPad. Tresorit for file storage: Swiss Post subsidiary, zero-knowledge encryption, an explicit nonprofit program, and compliance with HIPAA, GDPR, and ISO 27001.
For team communications, Wire (Swiss, end-to-end encrypted, built for regulated industries) or Element/Matrix (self-hosted, federated, E2E encrypted) are the strongest choices. Both require more setup than a standard messaging tool, but the protection they offer for sensitive conversations is substantially greater.
Tuta
If all you need to change right now is your email, and you want something that's genuinely private and potentially free, Tuta is our pick.
Tuta is a German company that encrypts your emails end-to-end, meaning not even Tuta can read them. For qualifying nonprofits, they offer a free Business plan (through TechSoup or Stifter-helfen) that covers 10 to 50 users, includes your own domain, and gives you 100 email aliases. It's as close to a no-cost replacement for Google or Microsoft email as you'll find anywhere that still takes privacy seriously.
If your organization doesn't qualify for the donation program, Tuta's paid plans are among the most affordable available, and a 50% discount for nonprofits still applies. German law and GDPR protection come as standard.
This guide is free. Hands-on support is available.
Use this guide however it’s useful to you. Share it freely. If you’d like support moving beyond the reading and into the doing, we’re here for that too.
We'll map your current tools and identify which ones pose the greatest risk to your data sovereignty.
We'll build a step-by-step transition plan matched to your team's technical capacity and budget.
We'll help you set up and configure your new tools, migrate your data, and train your team.
We'll stay available as your tech landscape evolves.
Ready to reduce your dependence on US tech?
We've helped nonprofits navigate exactly this. Start with a conversation.