Methodology
How we decide what to recommend, and what bar a provider has to clear to make the list.
The core distinction: clearly malicious vs backdoor
Most "privacy" guides collapse two very different problems into one. We separate them:
| Category | What it means | v1 stance |
|---|---|---|
| Clearly malicious | The provider's business model is your data. They sell behavioral profiles, ad targeting access, or the right to train models on your private content. The legal opt-outs they offer are theatre; the data harvesting continues structurally. | Disqualified. v1 of Sovereign Switch optimizes against this. |
| Backdoor | The provider's business model isn't adversarial, but they have structural opacity that could be exploited — closed source, jurisdiction with secret-court compulsion, hardware trust roots you can't audit. The provider isn't selling you out; the architecture might. | Acknowledged, deferred. Mentioned where relevant; deep treatment lives on Advanced. |
This distinction matters because the right move differs. To escape "clearly malicious", you change provider. To escape "backdoor", you change provider and jurisdiction and often hardware — which is a much bigger ask, and the wrong first step for the audience this site is for.
The provider grading rubric
For a provider to make the list, it has to clear all of these:
- Business model is not your data. They charge you for the service, or they're funded by grants, membership, or a B-corp model that doesn't depend on monetizing you. We trust subscriptions over "free."
- Jurisdiction is one we'd actually trust. Switzerland, Germany, France, Iceland, Norway, the Netherlands, Estonia. Not the U.S. (CLOUD Act). Not jurisdictions known for hostile compelled-disclosure regimes.
- Open source, or at minimum open clients. If a closed-source client handles your plaintext, encryption claims are unverifiable.
- End-to-end encryption where the data type allows. Encrypting email at rest is easy; full E2EE email is harder — we note when a provider does the harder thing.
- Daily-driver performance. If a recommendation tanks daily-driver experience (slow sync, broken integrations, unusable on mobile), it doesn't make v1. Friction is what kills migrations, not threats.
- Honest tradeoffs. The provider doesn't pretend it's also a chat app, a VPN, a password manager, and a calendar — or if it does, we evaluate each surface separately.
What we explicitly accept
Some tradeoffs we accept on purpose, because the alternative is asking too much of the audience:
- Small data-loss risk for ease. A working personal-use stack you actually maintain beats a perfect enterprise-grade stack you abandon after three months. For most files, "1 in 10,000 files lost" is acceptable; for crown-jewel files (signing keys, identity documents, irreplaceable photos), much stricter.
- EU jurisdiction over fully sovereign hardware. Hardware management engines (Intel ME, AMD PSP) are real concerns; recommending only libreboot/coreboot machines would shrink the audience to near zero. We accept this tradeoff at v1. See Advanced for the full hardware story.
- Subscription cost over self-hosting for most readers. Self-hosting a mail server is a hobby, not a privacy strategy for non-techies. Pay 4€/month to a Swiss provider whose business model is your subscription, not your data.
Data tiers — what to put where
Not all your data deserves the same effort. A photo from yesterday's coffee and your private signing key are not the same thing. The honest framing is to tier your data by how much it would hurt if it leaked, then match each tier to hardware and software you trust enough — no more, no less.
Counterparty risk — bridges all tiers. Whoever you share data with becomes the new floor of your security. Encryption protects your data until the moment a person, a service, or a piece of software with legitimate access opens it. Choose counterparties by what they could do with your data on their worst day, not their best. This applies across every tier — the chip backdoor, the cloud vendor, the journaling app, the friend with admin access, the AI you let read your email. Every tier below is also a counterparty-trust decision.

| Tier | What goes here | Hardware & software |
|---|---|---|
| Public | Anything you'd be fine seeing on a billboard. Blog posts, public profiles, shipped code. | Any device. Any cloud. Any audience. |
| Personal | Daily-driver content: notes, photos, calendar, most chats. Loss is annoying, not catastrophic. | Regular EU-jurisdiction stack (Proton / Tuta / Infomaniak). Standard laptop. Encryption at rest + 2FA on accounts. |
| Private | Things you wouldn't want a former roommate to see. Drafts, financial details, health logs, certain conversations. | Best available chips (regular x86 / Apple Silicon / fast Pixel etc.), and you do everything possible at the OS and software level — full-disk encryption, sandboxing, end-to-end encrypted services, hardware-key 2FA. The accepted trade-off: chip-backdoor risk (Intel ME / AMD PSP / Secure Enclave opacity) stays in scope — you're betting performance and compatibility against firmware trust. |
| Semi-sensitive | Things that would change your life if they leaked. Long-form journals, partner-only material, source code under embargo. | Still digital, but you accept slower / subpar tech in exchange for auditable firmware. RISC-V workstations (or libreboot/coreboot x86) — today's RISC-V is fine for text, code, and email; not yet a fit for video editing or heavy GPU work. End-to-end encryption mandatory. |
| Sensitive | What would put someone at risk if disclosed. Identity documents under threat-model conditions, signing keys for high-value identities, testimony, source attribution. | No digital, full stop. Paper, ink, a safe, and in-person handover. The only tier where the answer is "don't put this on a computer at all." Most readers should never reach this tier; if you do, see Advanced for the targeted-individual resources we link out to. |
The multiple-accounts pattern
Sovereignty doesn't have to be all-or-nothing. The most pragmatic move for most readers is running multiple accounts on the same machine, each with a different trust posture — so you can experiment without compromising the rest of your life.
- "Play" account. Essentially continue using your laptop the way you've done so far. Use it to explore products and the apps you don't yet trust with your data — Zoom, vendor onboarding flows, anything where the risk of not using it is bigger than the risk of using it.
- "Comfortable" account. Run only what you actually understand and have set up yourself. The middle path — not paranoid, not casual. Where most of your daily life happens once you're past the first migration.
- "Private" account. Open-source code only, sandboxed where possible. The destination once you're content with the trade-offs — this is where the Private and Semi-sensitive tiers live.
A dynamic comparison table for these three accounts — what to install, what to log into, where to back up, what hardware fits each — is coming soon. For now, treat the three above as a sketch.
What we don't recommend (and why)
- U.S.-jurisdiction "private" services. CLOUD Act exposure. Even E2EE doesn't fully fix this for metadata. (We disqualify Stripe-based payment providers at the infra layer for the same reason.)
- Free email re-routing services. If you're not paying, the math rarely works in your favor.
- Brand-name VPNs that advertise on YouTube. Mostly performative. Different threat model than the ones we address. If you need a VPN, you probably know why — Advanced covers Tor and mixnets.
Now read what we've decided to build with this rubric → Projects