A few months ago, we got a call from an NGO in distress. Their website was down. Their vendor had gone silent. And when they tried to log in — they realized they had never been given the password in the first place.

They had paid for the website. They had approved the design. They had shared photos, content, annual reports. But the website? It belonged, in every practical sense, to the vendor.

This is not an unusual story. We hear versions of it often.

What "owning your website" actually means

When we say a website, we're really talking about three separate things — and you need access to all three.

Your domain name is your address on the internet — something like yourngoname.org. It needs to be renewed every year (or every few years), and only the person with the login can do that. If your vendor registered it in their name or their email, and they disappear or fall out with you, your address could vanish.

Your hosting is where your website actually lives — the server space that stores all your files, images, and pages. Without access to this, you can't take a backup of your own site or move it to a new provider if things go wrong.

Your CMS login (CMS stands for Content Management System — WordPress is the most common one) is how you update your website: change a phone number, add a new team member, post a blog. Many vendors set this up and never hand over the admin password, which means every small update goes through them — and through their invoice.

Why this happens

It's rarely malicious. More often, it's just how things get set up when no one on the NGO's side knows to ask. Vendors take shortcuts. Accounts get registered on personal emails. Passwords never get documented. And then months or years later, when the relationship sours or the vendor simply moves on — you're stuck.

Three questions to ask right now

Whether you're about to hire someone to build your website, or you already have one — these are worth checking:

1. Who registered the domain, and whose email is on that account?
If it's the vendor's personal email, that's a problem. Ask them to transfer the domain to a registrar account you control, with your organization's email.

2. Do you have the hosting login?
Not just the vendor's word that it's "taken care of" — the actual login details, in your hands, saved somewhere safe.

3. Can you log into your website's backend right now?
Go ahead and try. If you can't, or if you don't know where to go, that's worth fixing before you need to in an emergency.

Before you sign with any vendor

One simple ask can save a lot of pain: put it in the contract that all logins — domain, hosting, CMS admin — will be handed over to you within a week of the site going live. Not "available on request." Handed over.

Also worth doing: create a generic organizational email like website@yourngoname.org for registrations like these, rather than using anyone's personal email. People leave. Email addresses change. The website shouldn't depend on either.

Not sure where you stand?

If you're not certain whether you have full control of your website, we can find out in 15 minutes. Drop us a line at hello@digisarathi.com — we've helped a number of NGOs recover access, and we're happy to take a look.

Your website represents your work, your credibility, and your community's trust. It should be yours — completely.