The Hidden American Software in Your Organization
Many organizations don't know where all their member and donor data is stored. It's time for an honest inventory of your software landscape.
You Don't Know What You Don't Know
In an earlier article we wrote about why more and more organizations want to bring their data to the Netherlands. Geopolitical relations are shifting, GDPR offers more certainty than American legislation, and your donors and members trust you to handle their information carefully.
But before you can switch, you need to know where you stand. And that's often where things get tricky. Because how much American software do you actually use? The answer is almost always: more than you think.
The Obvious Suspects
Some tools are clearly American. Do you use Mailchimp for your newsletters? Then your mailing list is stored on servers belonging to Intuit, an American company headquartered in California. The same applies to Eventbrite (your event registrations), SurveyMonkey (your survey data), and Zoom (your online meetings).
These tools are popular because they're user-friendly and often free or inexpensive. But 'free' comes at a price: you pay with data, and that data falls under American jurisdiction.
Quick overview — American tools many associations use:
| Category | Commonly used American tools |
| Email marketing | Mailchimp, Constant Contact, Campaign Monitor |
| CRM | Salesforce, HubSpot |
| Event registration | Eventbrite, Splash |
| Surveys | SurveyMonkey, Typeform, Google Forms |
| Video calling | Zoom, Google Meet, Microsoft Teams |
| File storage | Google Drive, Dropbox, OneDrive |
| Collaboration | Slack, Notion |
| Social media / community | Facebook Groups, LinkedIn Groups, WhatsApp |
How Do You Inventory Your Own Situation?
A good inventory doesn't have to be complicated. Follow these steps:
Step 1: Make a list of all software your organization uses
Think broader than just the 'official' tools. Ask colleagues and volunteers which apps they use. Often software creeps in through individual preferences: a board member using Doodle to schedule meetings, a volunteer managing WhatsApp groups, an intern creating Canva designs.
Step 2: Categorize by data sensitivity
Not all data is equally sensitive. Prioritize based on risk:
| Priority | Type of data | Examples |
| High | Personal data of members/donors | CRM, member administration, mailing lists, payment information |
| Medium | Internal communication and documents | Email, chat, file storage |
| Low | Public content and planning | Social media, planning tools |
Step 3: Research where the data is stored for each tool
This sounds simpler than it is. Often you have to dig deep into the terms and conditions or privacy policy. Ask yourself (or your supplier) these questions:
- Where are the servers physically located?
- Which branches, sister companies or parent companies do you have outside Europe? How does data exchange between them work?
- What happens when a foreign government requests data?
- Is data stored encrypted?
- Can you opt for exclusively European data storage?
Step 4: Assess the risk for each tool
A simple matrix helps:
| | Data stored in Europe | Data stored (partly) in US |
| Non-sensitive data | ✅ Low risk | ⚠️ Acceptable risk |
| Sensitive data | ✅ Good | 🔴 Action needed |
Red Flags in Supplier Responses
Watch for these signals when questioning suppliers:
- 'We comply with GDPR' — That says nothing about where the data is stored. American companies can be GDPR-compliant AND still fall under American legislation.
- 'We have a European data center' — Good, but is that an option or the default? And what if the parent company still has to hand over data under the CLOUD Act?
- 'We use Standard Contractual Clauses' — This is a legal construct to legitimize data transfers to the US. It's better than nothing, but offers no guarantee against American government access.
- 'That's in our terms and conditions' — Ask for a concrete answer. If a supplier can't clearly explain where your data is stored, that's a red flag.
What Now?
An inventory isn't an end in itself. It's the basis for a conscious choice. Perhaps you'll conclude that the risk is acceptable for your organization. Perhaps you'll decide that your member and donor data really needs to move to a European solution.
Whatever choice you make: you're making it consciously. And that's exactly what your donors and members have the right to expect from you.
Need help with the next step?
Want to know how to migrate your member and donor data to a European environment? Or are you curious how Procurios can help you with an integrated platform that runs entirely on Dutch servers? Contact us for a no-obligation conversation.