Digital Security Exchange

About the DSX

The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats.

We do this by pairing civil society and social sector organizations with credible and trustworthy digital security experts and trainers who can help them keep their data and networks safe from exposure, exploitation, and attack. We are committed to working with community-based organizations, legal and journalistic organizations, civil rights advocates, local and national organizers, and public and high-profile figures who are working to advance social, racial, political, and economic justice in our communities and our world.

We will not work with, and reserve the right to refuse service to, anyone who espouses an agenda of hatred or division or who is not otherwise committed to the values set forth above.

We believe we are responsible to ourselves, the people and the organizations we interact with, and the communities in which we live and work. As such, we hold ourselves not only to the credo of “Do no harm” but to respect the background, experiences, and truths of the individuals with whom we connect. Our mutual respect and code of conduct extends to the organizations and providers with whom we work. We have a no tolerance policy for any forms of harassment, racism, sexism, or any other form of discrimination, and reserve the right to end or refuse partnerships.

Our approach scroll to top

We are advocates for organizations in need of digital security assistance. As such, we will work with those organizations to identify resources to enable them to conduct this work with participating providers. We provide support for building awareness, capacity, and skills to those who wish to jumpstart or accelerate their digital security work. Our intake and evaluation process ensures organizations are matched with participating digital security experts who best serve their contexts, needs, and goals.

Our staff works closely with the organizations and digital security providers we connect to ensure the highest quality service delivery.

When engagements are complete, we request voluntary feedback and incorporate findings into our services, processes, and platforms, in order to continually improve our work.

Whenever possible, we refer organizations to providers within their communities as a first response. We believe that the digital security providers who are already working within their own communities and are best equipped to meet the needs of those communities. We are here as a technical assistance and knowledge source, for those seeking additional support.

We seek out, listen to, and partner with digital security providers from across many different contexts in order to inform and shape our work. We prioritize working with those who have worked with or within civil society and the social sector, and who understand the needs, environment, and culture of these groups. Providers must opt-in to the DSX in order to be connected to organizations in need of assistance; we will not make connections to anyone who has not explicitly given their permission to take part in the Exchange.

We equally balance the human and technology aspects of digital security management and provide frameworks to support change. Each organization we work with has different needs. We place high attention to clearly defining what is most important to accomplish and making connections that directly address those goals, be they culture, process, or technology-based.

Our methodology and materials build upon expertise developed by providers in the field. They are free and open for use by anyone.

Privacy, security, transparency, and accuracy scroll to top

We retain as little data as possible about our interactions with organizations and providers, and we prioritize keeping the information we do have safe, secure, anonymous, and free from attack. In some cases we will develop simple and secure records of organizations and providers in order to ensure the highest quality of service. In other cases, we will will retain no data at all. Organizations and providers can request that we retain zero data about our interactions, and we are developing secure and anonymous forms of intake and communications. More information about DSX’s privacy policy and approach to user security can be found here.

We will be transparent about how we develop, fund, and maintain DSX’s processes, systems, services.

How we vet providers scroll to top

We will only match organizations with providers we trust and who have been vetted to work collaboratively within relevant communities; whose values align with our own; have worked previously with our staff, Advisory Committee members, and/or other DSX providers; and who have demonstrated expertise in customized approaches to digital security. In addition, we require that providers have harmonious data retention policies to those of DSX and agree to provide a minimum level of committed action and to participate in learning and feedback sessions with DSX.

Technology scroll to top

We believe in using technology that is free software/open source, because we can never fully verify the integrity of proprietary code – if malware exists in open source software, we can find it. In addition, we believe in the participatory philosophy of free software projects, including our own, which we encourage others to contribute to, to audit, and to use.

The DSX website is built using Jekyll, the static website engine. This increases security and helps us maintain a simple site. All of our assets (except the DSX theme) are licensed under free software licenses and are freely available for use by similar projects. You can find our codebase on GitHub.

Our matchmaking platform is CiviCDR, an open-source database and incident response system originally developed by our partners at CiviCDR (this system will be implemented in April 2018). The Digital Security Exchange, in partnership with Guardian Project, is a maintainer of the CDR platform and is actively developing new features and making them freely available to like-minded projects around the world. If you are interested in setting up your own DSX-like project, please contact us at [email protected].

You can read more about methods we employ to secure user data here.

Our origins scroll to top

The Digital Security Exchange concept was first developed by Josh Levy after the U.S. presidential election in November 2016. It was a response to the increased demand for digital security capacity from U.S. activist groups, journalists, and social service organizations – all of whom knew they needed to increase their security levels but didn’t know who to turn to for help.

In March 2017, after pulling together an initial working group and socializing and evolving the DSX concept, the project received a generous donation from an anonymous donor, providing crucial startup support. Soon after, the Internet Systems Consortium agreed to be be the project’s fiscal sponsor.

The project has since received support from the Mozilla Foundation, Omidyar Network Fund, and Small Media Foundation. We are also grateful to Stanford’s Digital Civil Society Lab, which provided crucial early support.

Who we are scroll to top


Josh Levy, Founder and Director

Josh is a digital strategist, technologist, and rights advocate. For more than a decade - including as advocacy director at Access Now and campaign director at Free Press - he’s helped lead global efforts to protect free expression online, fight for privacy and the right to encryption, secure strong open internet rules, reign in overreaching government surveillance, and otherwise protect the rights of at-risk internet users. He’s also co-founder of the Center for Digital Resilience and a non-resident fellow at Stanford’s Digital Civil Society Lab.

[email protected]

PGP key

Advisory committee:

Nathan Freitas leads the Guardian Project, an open-source mobile security software project, and directs technology strategy and training at the Tibet Action Institute.

Sara Haghdoosti founded, an organization focused on supporting Iranian changemakers. She is also a campaigns expert that has worked with groups such as Mozilla,, GetUp and others.

Matt Holland, co-founder of Tech advisor to international NGO’s, previously CTO at

Harlo Holmes, Director of Newsroom Digital Security at Freedom of the Press Foundation. Harlo is a media scholar, software programmer, and activist and contributes regularly to the open source mobile security collective The Guardian Project.

Holly Kilroy is Communities Director of Center for Digital Resilience and is co-founder of Security First. She has spent the past ten years building projects that leverage technology and civil society coordination to address issues of human rights and conflict.

Danny O’Brien, International Director at EFF. Previously, Danny headed the Internet Program at the Committee to Protect Journalists.

Bruce Schneier, internationally renowned security technologist, fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; an Advisory Board Member of the Electronic Privacy Information Center and; and a special advisor to IBM Security and the Chief Technology Officer at IBM Resilient.

Jamie Tomasello, Senior Manager, Security Operations at Duo Security. Previously, Jamie has been the Technology Director for Access Now and Head of Policy and Investigation at Cloudflare, and is a Certified Information Privacy Professional (CIPP) and Certified Information Privacy Technologist (CIPT).

Ethan Zuckerman, director of the Center for Civic Media at MIT, and an Associate Professor of the Practice at the MIT Media Lab.

FAQ scroll to top

Why should I be worried about digital security if I’m not working with the government, providing any online services, etc.?

Most civil society organizations, non-profits, journalistic organizations, etc. have a wealth of sensitive information about their donors and served populations that is accessed from a variety of devices and locations by their staff, board, and volunteers. These days most hacks happen due to opportunity, not necessarily a targeted malicious attack. We work under the premise that every organization will have their digital security tested for vulnerabilities and it is less costly to address these vulnerabilities before a serious threat.

How do I know what level of access or interaction with DSX and its providers I need?

DSX will assess your initial communication with us and follow-up with further assessment to evaluate your current situation and mutually determine what your needs and resources are to make the appropriate match with a provider.

What if I don’t like/agree with the approach proposed by the provider?

Your provider will propose a plan to you before you start actively working together. You are encouraged to ask questions, consult with other external and internal partners, and finalize an approach that works for all parties.

What if the recommended approach doesn’t work? Or I implemented the recommended approach but we still got hacked/lost data, etc.

We trust that our providers are experts in the field and with your particular context and have recommended the best plan to mitigate risks and threats. Should the recommended approach fail to mitigate risks we would evaluate the plan, execution, and the resulting action for the best path forward.

There may also be the situation that the recommended approach as provided and executed was the correct one for your organization and worked but that there were new threats that arose in the interim that could not be predicted.

What if our organization has a conflict with the provider? We strive to make the best match between your organization and the provider. If there is a conflict that arises that you are unable to resolve, please reach out to us and we will work with you to make it better.

How do we know we need better security? Good question and we’re glad you’re asking it. We have this survey you can take to look at how your organization works and what you already have in place to minimize risk.

How much money and commitment will this take? We can’t quote a price or timeframe as every organization has a different security and risk profile. However, there are various factors that will determine cost and time, such as your imminent risk, how much importance you place on securing your networks, involvement by your board, etc.

I notice you provide your PGP fingerprint and a Signal number. What are they and why do you use them? PGP stands for “Pretty Good Privacy” and is an encryption protocol that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions and to increase the security of email communications. We use it to conduct private and secure conversations over email and to encrypt data submitted through our organizational and provider intake forms.

Signal is an encrypted communications application for iOS, Android, Mac, Windows, and Linux. It uses mobile phone numbers as identifiers, and uses its trusted protocol to enable end-to-end encryption for communications with other Signal users.

We encourage you to contact us via encrypted email or Signal, but we don’t require it. No matter how you contact us, your identity will remain private and we won’t store any data we don’t need to help us assist you. For me information on our data security and retention policies, go here.