There are lots of ways we keep our Amnesty websites secure and protected. Below, we have listed a few things that web content producers can keep in mind to improve security for Amnesty website users, ensure the content is secure and keep our colleagues safe too.

1. Check your links are https, not http

Http and https are the letters you usually find at the beginning of a link, or URL, e.g.: https://www.amnesty.org

Http stands for hypertext transfer protocol and https is hypertext transfer protocol secure – they are the primary protocols used to send data between a web browser (e.g. Chrome, Edge, Firefox) and a website.

Any website, especially one that handles user data, should use https.

On amnesty.org, we want every link we add to point to a secure website.

  • Do check, whenever you are adding links to your content, that the site you are linking to is secure and uses https

2. Make sure embedded content is from approved providers

You may wish to embed content that is hosted on other websites in your web page or post. For example, embedding a YouTube video, a map, or some graphs and charts. Read our guidance on embedded content from third-party systems.

  • Do not create and embed content that could be made with the available Gutenberg blocks in the WordPress editor
  • Do not embed content from third parties that was not created and published by Amnesty (e.g. YouTube videos should be embedded from Amnesty’s YouTube channel).

Amnesty International has an approved list of providers for embedded content:

  • YouTube
  • Vimeo
  • Facebook
  • Infogram
  • Flourish
  • MapMe
  • Knight Lab
  • ArcGIS
  • Carto
  • Datawrapper
  • Mapbox
  • SoundCloud
  • PRX
  • Engaging Networks
  • Holoscribe
  • Sutori

3. Staff names should not be visible on our websites or on public documents

Staff names in links

Public documents that are uploaded to Amnesty.org should use the AIDAN public documents system. Other Amnesty sites may use the WordPress media library to upload public documents.

OneDrive or OpenSend links can often contain staff members’ names and could put colleagues at risk should they be made public on our website.

  • Do not share links from OneDrive or OpenSend on our websites

Links within documents should also not contain any OneDrive or OpenSend links. Any document referenced within a public document should also be a public document.

  • Do check all links within a document before uploading it to AIDAN or to the WordPress library
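The link and embed checks from sections 1 to 3 can be run over a page's HTML before publishing. The script below is an added example, not Amnesty's own tooling; the host lists, the function name `check_content` and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: markers for private file-share hosts. The OneDrive hosts are real;
# "opensend" is a substring guess because the page gives no OpenSend domain.
SHARE_MARKERS = ("1drv.ms", "onedrive.live.com", "sharepoint.com", "opensend")
# Assumption: embed hosts for three of the approved providers, not the full list.
APPROVED_EMBED_HOSTS = ("youtube.com", "vimeo.com", "soundcloud.com")

class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs from <a href> and <iframe src>."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "iframe": "src"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value.strip()))

def check_content(html):
    """Return (url, problem) findings for one piece of web content."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.found:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host:  # relative or same-page link: nothing to check
            continue
        if parts.scheme == "http":
            findings.append((url, "not https"))
        if any(marker in host for marker in SHARE_MARKERS):
            findings.append((url, "file-share link"))
        approved = any(host == h or host.endswith("." + h) for h in APPROVED_EMBED_HOSTS)
        if tag == "iframe" and not approved:
            findings.append((url, "embed host not approved"))
    return findings

# Constructed sample content, not taken from any real page.
SAMPLE = """
<a href="http://example.org/report">Report</a>
<a href="https://example-my.sharepoint.com/personal/first_last_example_org/d.docx">Draft</a>
<a href="https://www.amnesty.org/en/">Home</a> <a href="#top">Top</a>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://widgets.example.net/chart"></iframe>
"""
for url, problem in check_content(SAMPLE):
    print(f"{problem}: {url}")
```

A host check cannot tell whether an embedded video comes from Amnesty's own channel, so that part of the guidance still needs a manual look.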

Staff names in document metadata

Individual staff names should be removed from document metadata. The document Author should be listed as Amnesty International (see the AIDAN User Guide for more information).

  • Do list document Author as Amnesty International

4. No staff names or personal contact details on the website

Names

Certain members of staff have consented to being public spokespeople for Amnesty and will have their names listed on the website, for example when they are quoted in media outputs.

Unless they are an Amnesty spokesperson, Amnesty staff names shouldn’t be publicly visible on our website.

  • Do not include staff names in website content (unless they are a spokesperson, e.g. Agnès Callamard)

Contact details: phone numbers and email addresses

Amnesty individual email addresses and individual phone numbers (i.e. for staff members’ work phones) should also not be written publicly on the website.

Instead, make use of generic inboxes such as [email protected] or [email protected] and public telephone numbers.

  • Do not use individual staff email addresses and telephone numbers in website content
  • Do make use of generic inboxes and public telephone numbers

5. Use approved systems to collect and handle user information

Whenever a user interacts with our website and provides personal information about themselves, we need to make sure we are handling it securely and in accordance with the law.

This includes:

  • Adding their signature to a petition
  • Taking an online quiz
  • Making a donation
  • Filling out a survey

We use Engaging Networks as our approved system to handle all online forms.

  • Do not use non-approved systems to capture and manage user data (e.g. SurveyMonkey, MS Forms)