Non-Profit & NGO Case Management Forms

Few sectors collect data with higher real-world stakes than non-profits and NGOs. The intake form a small organisation hands to a domestic-violence survivor, the registration form a humanitarian agency uses for a refugee in transit, the safeguarding report a children's charity collects from a partner school, the donor-anonymity election an HNW philanthropist ticks at the end of a giving form — every one of those records can change a beneficiary's life if it leaks, and sometimes endanger it. Yet the typical intake channel for non-profits is whatever was free or cheapest: a Google Form, a generic SurveyMonkey-style platform, an email attachment, or a self-built spreadsheet that any partner organisation might one day open.

Schweizerform is built for that exact mismatch between sensitivity and tooling. Every submission — a beneficiary intake, a gender-based-violence (GBV) report, an asylum-seeker registration, a child-safeguarding disclosure, a donor confidentiality election, a partner-organisation field report — is encrypted in the submitter's browser before it reaches our servers. We physically cannot read it. For Swiss-headquartered international NGOs (the Geneva humanitarian hub), national associations, foundations, and small grassroots organisations, that property — combined with Swiss hosting and a posture aligned to the ICRC data-protection handbook, OCHA's Data Responsibility framework, the nFADP, and the GDPR — turns the intake channel from a beneficiary-protection liability into a defensible technical control.

Why Generic Form Tools Fail Beneficiary Casework and Donor Confidentiality

Most online form tools — Google Forms, Typeform, generic SurveyMonkey-style platforms, even some "non-profit edition" SaaS products — operate on a conventional model: the submitter's browser sends plain-text data over HTTPS, and the provider's server stores it. That server can read everything. So can the provider's staff, their integration partners, anyone who compromises their infrastructure, and any authority that serves a lawful order on the provider — including authorities in jurisdictions hostile to the population the NGO is trying to protect.

For low-sensitivity submissions — newsletter sign-ups, event RSVPs — that model is fine. For an NGO collecting beneficiary data or processing a confidential donor giving, it creates problems with very specific, sometimes life-or-death consequences:

• A domestic-violence shelter intake captures the survivor's name, address, photographs of injuries, the perpetrator's name, and a children's safety plan; the form vendor's database contains a readable file before the case worker has opened it
• A refugee or asylum-seeker registration captures country of origin, route taken, family members still abroad, persecution narrative, and identity documents; that profile sits on a third-party server, often hosted in a jurisdiction whose government has its own interest in the same data
• An anti-trafficking intake captures detailed disclosures about traffickers, transit routes, and current location; the provider's logs and analytics indexed every line
• A child-safeguarding report captures allegations against a named adult (a teacher, a coach, a relative); the report sits on a generic vendor's infrastructure that is not cleared for child-protection data
• A donor giving form includes a 'request anonymity' checkbox; the donor's full name and amount nevertheless live in plain text on the form vendor's database, indexed by their analytics, retrievable by a partner CRM integration, and producible under any legal order against the vendor
• A field report from a partner organisation in a conflict zone names local volunteers and contact people; that document is auto-scanned by the vendor's antivirus, cached by a CDN, and replicated to backup regions outside the country of operation

How Schweizerform Preserves Beneficiary Confidentiality

Schweizerform is a zero-knowledge end-to-end encrypted form platform. The encryption happens in the submitter's browser, before any data leaves their device. Only holders of the form's Access Code can decrypt submissions. We — the provider — cannot.

Concrete Programme & Operational Forms

Beneficiary intake and case opening

Whether the intake is a women's shelter walk-in, a homeless-services first assessment, a migration legal-aid appointment, or a humanitarian distribution registration, the moment a beneficiary discloses their identity and circumstances is the moment the organisation takes on a duty of care. A Schweizerform intake replaces a paper form or a Google Form with an encrypted channel, available in the beneficiary's language, that the case team can open from any browser without the form vendor ever holding a readable copy.

Gender-based violence (GBV) and protection casework

GBV and protection cases require some of the most sensitive data any organisation handles: the survivor's identity, the perpetrator's identity, photographs of injuries, narratives of incidents, safety plans, child-custody concerns, and partner-organisation referrals. A zero-knowledge form keeps that bundle off generic SaaS storage and out of partner-CRM integrations that were never designed for protection data, while still allowing the case worker to open a structured submission inside their own browser.

Refugee, asylum, and migration intake

Migration and asylum intake collects data that, in the wrong hands, can endanger the beneficiary, their family in the country of origin, or both. Routing the intake form through a zero-knowledge channel keeps origin country, persecution narratives, and identity-document scans out of the form vendor's read scope and out of US-hosted cloud regions — particularly important when the country of origin is hostile to the same data the NGO is trying to collect ethically.

Child safeguarding and abuse disclosures

Children's charities, sports federations, faith-based organisations, and youth-work organisations need a credible internal channel for safeguarding disclosures. A Schweizerform safeguarding form lets a parent, a young person, a coach, or a colleague submit a confidential report that goes only to the designated safeguarding lead — and only the safeguarding lead can read it. The form vendor never holds the disclosure in a form it could be compelled to produce or could leak.

Anti-trafficking and modern-slavery intake

Anti-trafficking organisations collect detailed disclosures about traffickers, transit routes, current location, and ongoing risk. A zero-knowledge channel keeps the operational details that could put a survivor at further risk away from a generic SaaS vendor's analytics, support team, and content scanners.

Confidential donor giving and major-gifts pages

Many high-net-worth donors give under explicit anonymity conditions; some give under the protected-anonymity provisions of national charity law. A Schweizerform donor-giving form keeps name, amount, and giving-purpose narrative encrypted between the donor and the development team — useful for legacy giving, sensitive-cause giving (reproductive rights, dissident support, LGBT+ rights in restrictive jurisdictions), and donor-restricted instructions that should not flow into a generic CRM that anyone in the office can query.

Volunteer, fellow, and staff onboarding

Volunteer onboarding for sensitive programmes (visiting prisons, supporting GBV survivors, working with children) requires criminal-record checks, references, and confidentiality undertakings. Encrypting that intake form keeps prospective volunteer data out of generic SaaS storage and gives the volunteering coordinator a single, scoped channel.

Whistleblowing and safeguarding-against-staff channels

Sector-wide reform after PSEA (protection from sexual exploitation and abuse) findings now expects every aid organisation to provide a confidential channel for staff and beneficiaries to report misconduct by staff. A zero-knowledge form, scoped to a small designated panel, gives that channel an architectural confidentiality guarantee that a generic vendor cannot — and that internal IT cannot accidentally undermine.

Partner-organisation field reporting

Partner reporting from local NGOs in the field — narratives, beneficiary numbers, incident reports, financial summaries — flows into the Geneva or HQ office. A zero-knowledge form lets a small local partner submit a structured report without exposing the names of local staff and contact people to any third-party SaaS vendor.

What Beneficiaries, Donors, and Authorities See

Regulatory & Sector Context: nFADP, GDPR, ICRC Handbook, OCHA, IASC, PSEA

Swiss-headquartered NGOs operate under the new Federal Act on Data Protection (nFADP / nDSG, in force since 1 September 2023), which treats victim, health, religious, political, and social-assistance data as sensitive personal data and requires proportionate technical and organisational measures (Art. 8) plus tightened processor obligations (Art. 9). Cantonal social-services laws and the Swiss Anti-Money-Laundering Act layer additional obligations onto charitable activity in specific contexts.

EU operations bring the GDPR — including Art. 9 on special-category data and Art. 32 on technical safeguards — into scope. International humanitarian operations are increasingly governed by the ICRC Handbook on Data Protection in Humanitarian Action (3rd edition, 2024), OCHA's Data Responsibility Guidelines, the IASC Operational Guidance on Data Responsibility, and donor-imposed PSEA / safeguarding requirements. Across all of these, the theme is consistent: the organisation remains accountable for the data it collects, including data that flows through a third-party form vendor — and a vendor that cannot read the data is structurally easier to defend in any of those frames than one that can.

Features Relevant to Non-Profit & NGO Operations

• Zero-knowledge end-to-end encryption on every submission — no provider read access to beneficiary content, GBV / protection narratives, donor records, or safeguarding disclosures
• Encrypted document and image uploads — ID scans, photographs of injuries, court orders, partner referral letters, programme-evidence photos
• Multi-language forms (EN / DE / FR / IT) out of the box — essential for Swiss multi-cantonal social services, Geneva-based international NGOs, and beneficiaries from any of those language regions
• Per-form Access Codes — scope a form to a specific programme, a single safeguarding lead, or a specific country office
• Swiss hosting with nFADP-aligned data-processing posture — response payloads do not leave Switzerland
• Audit log of decryption events (who opened a submission, when) without exposing the underlying content
• Structured data export after decryption, ready to feed into a case-management system, a donor CRM, or a programme-monitoring tool
• Free tier so a small NGO or local partner can run an intake form with zero cost — no credit card, no infrastructure budget, no procurement cycle

Common Objections

"We use the non-profit edition of a major SaaS — surely that is enough."

Donated or discounted SaaS plans typically extend pricing, not architecture. The vendor's read access to submission content is identical to a paid plan. For low-sensitivity work that is fine; for beneficiary casework that includes GBV, asylum, child-safeguarding, or anti-trafficking content, the architectural property — vendor cannot read — is the relevant question, not the price tier.

"Our case-management system already encrypts data."

Most case-management systems encrypt at rest. That protects against someone stealing the disk. It does not protect against the vendor's own staff, the vendor's analytics, the vendor's sub-processors, or a lawful production order — because the vendor still holds the keys. End-to-end zero-knowledge changes that property at the boundary where data first enters the system.

"Our beneficiaries are not technical and may not have reliable devices."

There is no beneficiary-side install, and the form runs on any modern browser on any device. For walk-in intake, the case worker can open the form on a tablet inside the centre and complete it together with the beneficiary; the encryption still happens in the browser, before submission. The beneficiary experience is the same as any web form, in their preferred language.

"If we lose the Access Code, we lose the case files."

Correct, and deliberate. Recommended practice is documented key custody: a sealed Access Code held jointly by the programme manager and the safeguarding lead, escrowed with the executive director, or split between two designated trustees. The procedure avoids single-person failure while preserving the property that the vendor cannot be compelled to produce what it cannot read — exactly the property that matters most for high-risk beneficiary work.

"We work in a country whose government may target our beneficiaries."

That is precisely the threat model this architecture is designed for. Schweizerform stores ciphertext on Swiss-hosted servers; the form vendor cannot read it; access codes live with the NGO, not with the vendor. The architectural promise — vendor cannot read — survives both adversarial-state pressure on the vendor and adversarial-state pressure on the local in-country IT environment.

"We have almost no budget."

The free tier covers a single beneficiary-intake form, and the architectural confidentiality property is identical on free and paid tiers. Many small NGOs run their entire safeguarding-disclosure or beneficiary-intake channel on the free tier alone. Encryption is not a paid upgrade.

Rolling Out a Schweizerform Intake Channel

The Bottom Line

Non-profits and NGOs already promise their beneficiaries and their donors a very specific kind of confidentiality — sometimes implicit, sometimes statutory, almost always central to whether the next beneficiary will trust the next intake. A form vendor that can read every field of a GBV report, every line of an asylum-intake narrative, every confidential donor giving — however cheap or well-known its product — is an outsourcing dependency that boards, donors, regulators, and a future inquiry will scrutinise harder every year.

Schweizerform offers a direct answer: zero-knowledge end-to-end encryption on every form, Swiss hosting, and a posture aligned with the ICRC handbook, OCHA Data Responsibility, the nFADP, and the GDPR. No paid upgrade for security. No US-cloud dependency for beneficiary data. No third-party-readable copy of a survivor's intake or a donor's confidential giving on a server you do not control.