Cordaid strengthens data sovereignty with Passbolt

Cordaid is a humanitarian NGO headquartered in The Hague. It is part of the Caritas and ACT Alliance networks and operates across fragile and conflict affected contexts in Africa, the Middle East, and Asia. The organization employs more than 1200 people worldwide and runs a central office in the Netherlands.

Cordaid needed to raise credential hygiene without slowing down people who work under pressure in sensitive locations. Some collaborators operate in dangerous environments where attackers rely on creativity and cleverness rather than brute force.

The organization previously used LastPass and confidence in that choice had declined after public incidents and day to day frustrations. Ad hoc sharing still existed, sticky notes appeared on laptops, some preferred local keychains that did not support secure sharing or auditability.

The IT team wanted an open source platform that they could self host, that aligned with data sovereignty goals, and that could be rolled out from the top down to the five hundred people who handle the most sensitive information.

Cordaid selected Passbolt and deployed the self hosted edition on a hardened Linux VPS with Docker.

Microsoft 365 single sign on made adoption easier because sign in felt familiar to users. The rollout started with IT and Facilities and extended to leadership and other roles with elevated access.

The team imported items from the previous tool and standardized on the browser extension for capture, generation, and auto fill of strong passwords. Shared items include supplier information, server credentials, network and Wi Fi access, site logins, laptop passwords, and other operational secrets. Permissions are scoped so teams can delegate access without exposing unrelated data.

The team is also planning to connect directory based provisioning so identity follows a single source of truth and to restrict access over VPN for additional layers of protection.

The phased rollout delivered immediate operational gains. Passbolt replaces ad hoc practices with least privilege sharing that is auditable and under the organization’s control.

Users keep a familiar sign in flow and stop relying on unmanaged personal stores for organizational secrets. Random and complex passwords generated by Passbolt reduce exposure to social engineering because people do not actually know the passwords they use. For staff working in fragile contexts, this brings peace of mind when sharing sensitive data.

The IT team can monitor access scopes and password hygiene while reassuring users that personal entries remain private. Unshared items are end to end encrypted and cannot be decrypted by administrators.

For an NGO operating in sensitive environments, this reduces avoidable exposure while keeping teams productive.