2. What Migration looks like: Getting the foundations right before joining trusted community platforms.
- Angeles

- Apr 6
- 8 min read

Second in a series on platform dependency for purpose-driven organisations. The first post named the problem: enshittification. This one covers the four foundations to consider before start migrating - hosting, email, website, and newsletter - and why where your data lives matters. The third post covers where to build your community next.
Most organisations think of their digital presence in terms of what they use, not where it lives. But every email, shared file, newsletter, and website you maintain sits somewhere physical and somewhere legal: on servers and under the jurisdiction of laws your organisation probably isn't bound by or agrees with.
The company that owns those servers decides what it can do with your data, and whether it is legally obliged to hand it over to a government when asked.
Where your data lives: understanding 3 legal frameworks that are affecting most UK and EU values-driven organisations.
Before covering the practical choices, it is worth being clear about the legal landscape. Particularly for the UK, there are three frameworks your organisation needs to understand. European organisations using US services would benefit from looking at the differences with EU laws.
The US CLOUD Act
In 2018, the US government passed the Clarifying Lawful Overseas Use of Data Act - the CLOUD Act. It allows US authorities to demand data from US companies regardless of where that data is physically stored. A US company hosting your organisation's data on servers in Ireland or Germany is still subject to US authority. European law applies to the storage location. US law applies to the company. This is the core problem with Microsoft 365, Google Workspace, and every other US-headquartered provider, regardless of where their servers are.
The UK Investigatory Powers Act
The UK has its own equivalent to the CLOUD Act - the Investigatory Powers Act 2016, significantly amended in 2024. It gives UK authorities the power to demand data from any service used by people in the UK, including services headquartered and hosted entirely in Europe.
In early 2025, the UK government used the IPA to issue a secret directive to Apple requiring access to encrypted iCloud data stored globally. Apple withdrew its most secure storage product from the UK rather than comply. The directive was secret - Apple was legally prohibited from even disclosing its existence without government permission. This is the legal environment in which UK organisations operate.
What this means: a UK organisation using a Swiss or German email provider is using a service governed by strong European privacy law. But the UK organisation itself can still be compelled to hand over data under the IPA. The provider is not subject to the IPA; your organisation is. European infrastructure significantly reduces your exposure. It does not eliminate it.
EU GDPR - and what it means for UK organisations
The EU's General Data Protection Regulation remains the strongest data protection framework currently in force for organisations and the people they serve. Since Brexit, the UK operates under a parallel framework - the UK GDPR - which was copied from the EU GDPR and remains substantially aligned, but is diverging.
The European Commission renewed its adequacy decision for the UK on 19 December 2025, valid until December 2031. This means data can flow freely between the EU and UK, and a UK organisation using an EU provider is using a service governed by GDPR-level data protection. The rights that GDPR gives to individuals - to access, correct, delete and port their data - apply when their data is handled by an EU-governed provider, regardless of whether the organisation is based in the UK or the EU.
1. Hosting: where your website lives
Your website is your organisation's permanent address: the place you control more than other online spaces. The hosting provider determines where your website's data lives and whose laws govern it.
UK providers
Krystal is the clearest UK recommendation. Founded in 2002, it is the UK's largest independently owned web hosting company. It is a B Corp - the world's first certified web host, confirmed in 2023 - runs entirely on 100% renewable energy, has pledged to plant one billion trees by 2030, and offers free hosting to UK-registered charities on its Amethyst plan. Its data centres are in London. Shared hosting plans start from around £7 per month.
Fasthosts is a UK-owned provider with ISO-certified data centres in Gloucester and Newport. Less oriented around ethical credentials than Krystal but solid infrastructure. A practical choice for organisations that need reliable UK-sovereign hosting without the B Corp credentials.
Civo is a more technical option for organisations with developer capacity. It offers genuinely UK-sovereign cloud hosting - no US parent company, no CLOUD Act exposure, data residency guaranteed by contract rather than by configuration. It is Kubernetes-native and best suited to organisations with technical resource.
European providers
OVHcloud (France) is Europe's largest cloud provider, with data centres across Europe and an explicit focus on data sovereignty. Hetzner (Germany) consistently leads price-to-performance comparisons: cloud servers from around four euros per month (note: prices rose approximately 30-37% from April 2026), data centres in Germany and Finland, fully GDPR-compliant. Both are better suited to organisations with technical capacity or a developer to assist.
Infomaniak (Switzerland) offers hosting, email, and cloud storage as an integrated suite, with data centres exclusively in Switzerland, B Corp certified, 100% renewable energy. One caveat: the company's founder made controversial public statements in 2021 opposing online anonymity. The data practices are well-regarded; the full picture is worth knowing before deciding.
2. Email: where your relationships live
For most UK charities and NGOs, the default email provider is Microsoft 365. Many organisations receive it free or at substantially reduced cost through Microsoft's non-profit programme.
This matters because Microsoft, a US company, is subject to the US CLOUD Act regardless of where the servers are located. The fact that it is free or subsidised through a non-profit programme does not change the jurisdiction.
For UK organisations, there is an additional layer: Microsoft's servers in the UK are also subject to UK IPA demands. You have both the CLOUD Act and the IPA to consider. For EU organisations using Microsoft, only the CLOUD Act applies - which is why the EU's push toward European providers has more regulatory teeth behind it.
European providers
Proton Mail (Switzerland) was founded in 2013 by researchers from CERN and MIT, now with over 100 million accounts. Operates under Swiss law, which predates and in several respects exceeds GDPR. Not even Proton itself can read your organisation's emails, because they are encrypted before they reach Proton's servers. There is a free plan, and a range of paid plans - see proton.me for current pricing.
Tuta (Germany) encrypts subject lines as well as message content - a meaningful technical distinction. Open source, renewable energy, no outside investors. For UK organisations: Tuta is subject to German law and GDPR, not the CLOUD Act. Your organisation is still subject to the UK IPA, but Tuta is not. Pricing is comparable to Proton - see tuta.com for current plans.
Mailbox.org (Germany) offers a practical business-oriented suite including email, calendar, cloud storage, and video conferencing. A Light plan from €1 per month for basic email; a Standard plan at €3 per month for the full suite. Popular with NGOs, schools, and public sector bodies.
A note on UK email providers
The UK has not yet produced a privacy-first encrypted email provider of comparable scale to Proton or Tuta. For UK organisations that want UK-sovereign email, the current options are either general-purpose UK hosting providers that include email (such as Krystal), or European specialist providers. The European providers offer the strongest privacy credentials. The UK-hosted options remove the CLOUD Act problem without matching the encryption standards of Proton or Tuta.
3. Website: your permanent address
The most robust long-term option is WordPress.org - the open-source version, not WordPress.com - hosted with an European or UK provider. WordPress powers over 40% of all websites globally, is infinitely portable, and carries no platform lock-in: your organisation owns the files and can move them to any host.
If your organisation is using a US website provider and it is working, the priority is to register your domain separately, with an independent registrar. That decision removes the most significant source of lock-in: your address becomes yours regardless of which provider you use.
For UK organisations: domains registered with a UK or EU registrar, pointing to a UK or EU host, give you the cleanest path to full sovereignty. For EU organisations the same logic applies, with EU registrars and EU hosts being the natural choice. For domain registration, Gandi (France) and INWX (Germany) are both ethical, transparent options.
4. Newsletter: your owned audience
Mailchimp is the most widely used newsletter platform for small and medium organisations. It is a US company. Since its acquisition by Intuit in 2021, its free plan has been progressively restricted and its pricing restructured in ways that penalise organisations as their lists grow.
European providers
Brevo (France) stores subscriber data on EU servers, charges based on emails sent rather than contacts held, and has a free plan of up to 300 emails per day with unlimited contacts. For UK organisations: using Brevo means your subscriber data sits under GDPR rather than US jurisdiction. For organisations building a list slowly, this pricing model is also more forgiving than Mailchimp's contact-based approach.
MailerLite (Lithuania) is the most accessible alternative for non-technical staff. The free plan covers 500 subscribers and 12,000 emails per month. Paid plans from $10 per month. Subscriber data hosted in Germany and the Netherlands - EU jurisdiction. Note: MailerLite was acquired by Vercom, a publicly listed Polish company, in 2022. It continues to operate from Vilnius under EU law, but it is no longer independently owned.
A UK provider worth knowing
EmailOctopus is a British company founded in 2014. Its free plan covers up to 2,500 subscribers and 10,000 emails per month - considerably more generous than MailerLite's current free tier. For UK organisations that want a home-grown alternative, EmailOctopus is the clearest option: British-owned, straightforward, and without the complexity of the larger platforms. It does not make the same explicit GDPR sovereignty claims as Brevo, but it operates under UK GDPR.
A practical framework for any provider decision
Before choosing any digital service or renewing an existing contract, four questions are worth asking as a matter of institutional policy.
Where is the company headquartered, and whose laws govern it - US, UK, or EU?
Where would your organisation's data be physically stored, and does the CLOUD Act or the UK IPA apply?
Can your organisation export everything it has built and take it elsewhere if you need to leave?
How does the company generate revenue, and does that business model require using your organisation's data or your communities' data to do so?
None of this requires replacing every tool. It requires making more deliberate choices when contracts come up for renewal, when new tools are adopted, and when your communications infrastructure is next reviewed. The shift happens decision by decision.
The next post in this series covers the platforms themselves: the alternatives to X, Meta, and TikTok that are free, European, and already trusted by governments, public healthcare systems, and institutions across the continent. Building the foundations covered in this post first means that when your community follows you to those platforms, there is somewhere solid for them to land.
Sources
Clarifying Lawful Overseas Use of Data Act (CLOUD Act). US Congress. 2018.
Investigatory Powers Act 2016 (amended 2024). UK Parliament. legislation.gov.uk
'The U.K.'s Decryption Order, the CLOUD Act, and Recommended Next Steps.' Lawfare. July 2025.
'European Commission Renews UK Data Adequacy Decisions.' Hunton Privacy Blog. December 2025.
'Receiving personal information from the EEA.' Information Commissioner's Office. January 2026. ico.org.uk
Digital Markets, Competition and Consumers Act 2024. UK Parliament.
EU Digital Markets Act. European Commission. digital-markets-act.ec.europa.eu
'Meta commits to give EU users choice on personalised ads under DMA.' European Commission. December 2025.
Proton Mail documentation and pricing. proton.me. 2026.
Tuta documentation and pricing. tuta.com. 2026.
Mailbox.org documentation and pricing. mailbox.org/en/prices. 2026.
'Krystal Hosting.' B Lab Global B Corp certification. bcorporation.net. 2026.
'Best European Sovereign Cloud Services by Country (2026).' Wise Business Plans. wisebusinessplans.com
'Vercom acquires marketing automation startup MailerLite for $90M.' TechCrunch. April 2022.
MailerLite GDPR Compliance. mailerlite.com/gdpr-compliance
Brevo EU data infrastructure. brevo.com. 2026.
EmailOctopus pricing and features. emailoctopus.com. 2026.
'OVH vs Hetzner 2026.' 1VPS. 1vps.com/ovh-vs-hetzner
'Breaking Free: Pathways to a Fair Technological Future.' Norwegian Consumer Council. 2026.




Comments