Building a safer website for domestic violence organizations: a practical guide
A domestic violence organization’s website carries a weight that most websites don’t. Someone might be visiting it from a shared device while their partner is in the next room. They might have thirty seconds on their phone before they need to put it away. They might be trying to figure out if they qualify for services, what the process looks like, whether it’s safe to reach out—all while managing a level of stress and fear that most website designers never think to account for.
That context should shape every decision you make about your site. Not just the content, not just the design, but the infrastructure, the performance, the data you collect, and the tools you use to run it. This post walks through the areas where DV organization websites most commonly fall short—and what to do about them.
Speed and performance are safety features
This one doesn’t get talked about enough in accessibility and safety conversations, but site performance is directly tied to who can actually use your site—and under what conditions.
Many DV organization websites, particularly those built on limited budgets, have performance problems: pages that are slow to load, images that haven’t been compressed, video files that are too large, or bloated code from years of accumulated plugins and tools. On a fast desktop connection, this is an inconvenience. On a mobile device with a limited data plan, in a moment when someone has a narrow window of time and privacy, it can mean the difference between getting information and giving up.
The people most likely to be in acute need of your services are often accessing your site in exactly those conditions—on their phone, quickly, without a reliable connection. A site that takes eight seconds to load on a slow mobile connection is not a functional resource for those people.
Some practical things to address:
Compress your images. Large image files are the most common cause of slow load times, and most website platforms have built-in tools to help with this. Images should be sized appropriately for how they’re displayed—a photo that appears as a 400-pixel-wide thumbnail doesn’t need to be a 4000-pixel file.
Minimize what’s loading. Every third-party script on your site—analytics tools, social pixels, embedded widgets—adds load time. Beyond the privacy implications we’ve covered elsewhere, each of those scripts is slowing your site down for someone on a weak connection.
Test your site on mobile, on a slow connection. Google’s PageSpeed Insights (pagespeed.web.dev) will give you a performance score and specific recommendations for both desktop and mobile. If your mobile score is below 50, that’s worth taking seriously.
The quick-exit button
If you don’t have one, add one. This is the most widely recognized safety feature for DV organization websites and for good reason.
A quick-exit button—typically positioned in a corner of every page—immediately redirects the visitor to a neutral site (usually Google or a weather page) and, ideally, clears the current page from the browser’s back button history. The purpose is to give someone a fast escape route if they’re discovered looking at your site.
Implementation details matter here. The button needs to be visible without being so prominent that it draws attention from someone looking over a visitor’s shoulder. It needs to work on mobile. And ideally, it clears session history rather than just redirecting—which requires a small amount of JavaScript but is worth implementing. Some DV organizations also add a keyboard shortcut (pressing Escape three times, for example) as an additional option.
If your site is on Squarespace, there are third-party scripts and embed options that can handle this. If you’re on WordPress, plugins exist for this specific purpose. If you’re working with a developer, it’s a relatively straightforward feature to build.
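The behaviour described above (redirect, drop the current page from the Back button, triple-Escape shortcut), as an added example that is not from the original post or any particular plugin. The button id `quick-exit`, the 1.5-second window and the destination URL are assumptions.

```javascript
// Added example: quick-exit logic, written so it can be exercised with stub objects.
const SAFE_URL = "https://www.google.com/"; // neutral destination (assumption)
const ESC_PRESSES = 3;      // three presses, as in the article's example
const ESC_WINDOW_MS = 1500; // assumption: presses must fall within 1.5 s

// Leave the site. location.replace() overwrites the current history entry,
// so pressing Back does not return to this page.
function quickExit(win, safeUrl = SAFE_URL) {
  try {
    // Blank the page first so nothing stays on screen while the new page loads.
    win.document.documentElement.style.display = "none";
    win.document.title = "";
  } catch (_) { /* cosmetic cleanup must never block the exit */ }
  win.location.replace(safeUrl);
}

// Returns a keydown handler that calls onExit after ESC_PRESSES Escape presses
// within ESC_WINDOW_MS. Any other key resets the count.
function makeEscapeHandler(onExit, now = () => Date.now()) {
  let presses = [];
  return function onKeydown(event) {
    if (event.key !== "Escape") { presses = []; return false; }
    const t = now();
    presses = presses.filter((p) => t - p <= ESC_WINDOW_MS);
    presses.push(t);
    if (presses.length >= ESC_PRESSES) { presses = []; onExit(); return true; }
    return false;
  };
}

// Wire up the button (hypothetical id "quick-exit") and the keyboard shortcut.
function installQuickExit(win, buttonId = "quick-exit") {
  const exit = () => quickExit(win);
  const button = win.document.getElementById(buttonId);
  if (button) button.addEventListener("click", exit);
  win.document.addEventListener("keydown", makeEscapeHandler(exit));
}

// Only runs in a browser; harmless when loaded elsewhere.
if (typeof window !== "undefined") installQuickExit(window);
```

Scripts cannot erase the browser's history list: `location.replace()` only keeps this page out of the Back-button stack, so earlier pages on the site and the history menu still show the visit.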
Safe browsing guidance—on the site itself
Your website can help visitors protect themselves, even before they contact you. A brief, plainly worded note about browsing safety—on your homepage or on a dedicated safety page—is a feature many DV organizations include and that visitors often don’t know to look for.
This might cover: how to clear browser history, how to use a private browsing window, what to do if they think their device is being monitored, and how to reach you safely if email or phone contact feels risky. It doesn’t need to be long or technical—a short paragraph with a link to more detailed resources is enough.
The National Domestic Violence Hotline has a well-regarded version of this on their site that’s worth looking at as a reference. The point is to give people the information they need to protect themselves, rather than assuming they already have it.
What your contact form is asking for
Intake and contact forms on DV organization websites require particular care. Someone filling out a contact form from an unsafe situation may be sharing information they can’t afford to have discovered—and your form is storing that information somewhere.
A few specific things to examine:
Does your form ask for a home address? Unless you need it for immediate service delivery, you probably don’t. A zip code or service area is enough to determine eligibility for most purposes.
Does your form ask for a full name? For initial contact, a first name is sufficient. Some organizations offer the option to use a pseudonym, which is worth considering explicitly.
Does your form have a privacy note that explains what happens to the submission? “Your inquiry is confidential and will only be seen by our intake coordinator” is the kind of reassurance that matters in this context.
Where does the form submission go, and who can see it? If form submissions are going to a shared email inbox with broad access, or being stored in a platform backend that hasn’t been reviewed recently, those are worth addressing.
Data minimization as a protection strategy
The less data you collect and store, the less data exists that could potentially be accessed by someone who shouldn’t have it—whether that’s an unauthorized party, someone inside the organization who shouldn’t have access, or an outside entity making a request.
This isn’t about assuming bad actors in your organization. It’s about recognizing that data you don’t have can’t be exposed. For DV organizations, that principle has particular weight.
Collect what you need for the specific purpose at hand and no more. Set clear retention periods and actually follow them—form submissions older than your defined retention window should be deleted on a schedule, not just left to accumulate. Review who has access to client data inside your organization and make sure that access is limited to people who need it for their role.
If you’re using a third-party case management system for client records, review its privacy and security practices. Not all tools built for social services have equally strong data protection, and it’s worth knowing what you’re working with.
Third-party tools and tracking
As we covered in the privacy audit post, third-party tools on your site can collect and share information about your visitors with outside parties—including advertising platforms, data brokers, and by extension anyone who purchases or requests that data.
For most organizations, this is a privacy concern. For DV organizations, it’s a safety concern.
Social media pixels—Facebook, Instagram, TikTok—should not be on a DV organization’s website. Full stop. These tools are designed to build advertising profiles based on who visits your site and what they do there. That’s an unacceptable data relationship for an organization serving people in unsafe situations.
Social sharing buttons that load third-party scripts carry the same problem. If you want visitors to be able to share your content, a plain text link will do the job without the tracking infrastructure.
Analytics tools deserve scrutiny too. If you’re using Google Analytics, make sure Google Signals is disabled and that your data retention is set conservatively. Better yet, consider switching to a privacy-focused alternative like Plausible or Fathom that doesn’t build behavioral profiles of your visitors at all.
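One way to start the review of which outside parties a page contacts on load, as an added example that is not from the original post. The sample HTML, the site URL and every `.example` host are constructed for illustration.

```javascript
// Added example: list the outside hosts a page's HTML pulls resources from.
// Tags that make the browser contact a server as soon as the page loads.
const RESOURCE_ATTR =
  /<(script|iframe|img|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function thirdPartyHosts(html, pageUrl) {
  const firstParty = new URL(pageUrl).hostname.replace(/^www\./, "");
  const found = new Map(); // host -> Set of tag names that reference it
  for (const [, tag, ref] of html.matchAll(RESOURCE_ATTR)) {
    let url;
    try { url = new URL(ref, pageUrl); } catch (_) { continue; } // malformed reference
    if (!/^https?:$/.test(url.protocol)) continue; // skip data:, mailto:, etc.
    const host = url.hostname.replace(/^www\./, "");
    // The site's own domain and its subdomains are first-party.
    if (host === firstParty || host.endsWith("." + firstParty)) continue;
    if (!found.has(host)) found.set(host, new Set());
    found.get(host).add(tag.toLowerCase());
  }
  return [...found]
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample page: a share widget, a tracking pixel (script plus
// 1x1 image), a video embed, and first-party assets that must not be flagged.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.widgets.example/share-buttons.js"></script>
<script async src="//pixel.adnetwork.example/events.js"></script>
<img src="https://pixel.adnetwork.example/tr?id=0000&ev=PageView" height="1" width="1">
<iframe src="https://video.host.example/embed/abc"></iframe>
<script src="https://www.shelter.example/js/quick-exit.js"></script>
<img src="images/logo.png">
`;

for (const { host, tags } of thirdPartyHosts(SAMPLE_HTML, "https://shelter.example/get-help")) {
  console.log(`${host}  loaded via: ${tags.join(", ")}`);
}
```

This reads only the HTML as served, so scripts injected at runtime (for example by a tag manager) will not appear; confirm the list against the Network tab of the browser's developer tools.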
SSL and basic security hygiene
Your site should be running on HTTPS—the padlock icon in the browser address bar—which encrypts the connection between your visitor’s browser and your server. If you’re on Squarespace or a similar hosted platform, this is included and automatic. If you’re on a self-managed WordPress installation, verify that your SSL certificate is current and configured correctly.
This matters for DV organizations not just as a general security practice, but because an unencrypted connection means the content someone is viewing could potentially be intercepted on a shared network—a library, a coffee shop, a shelter.
Beyond SSL, the most important security practice for DV organizations is keeping your platform and any associated tools up to date. Outdated software is the most common source of website vulnerabilities, and for organizations managing sensitive client information, a security breach carries consequences beyond embarrassment.
Putting it together
No organization gets all of this right immediately, and this post isn’t meant to be a checklist to complete in a week. It’s meant to give you a framework for thinking about your website not just as a communication tool but as infrastructure—infrastructure that either protects the people using it or creates risk for them, depending on the decisions you make.
The highest-impact places to start: site performance on mobile, a quick-exit button if you don’t have one, and a review of what third-party tools are running on your site. Those three things address the most common gaps and the most acute risks.
If you’d like help working through any of this—or want someone to look at your site with this specific lens—I work with organizations on exactly this kind of review. It doesn’t have to be a full redesign to make a meaningful difference.
Not sure where your organization stands?
Download my free Digital Integrity & Safety Audit—a practical self-assessment to help mission-driven organizations protect their communities online. No email required.
If you’d like a second set of eyes on your site, I’d love to hear about your work.