At CyberStreams, our mission is to protect non-profits from evolving cyber threats, and in 2025, one of the most talked-about developments in this space is Microsoft Recall.

Originally introduced in May 2024 and officially rolled out in April 2025 on Copilot+ PCs, Microsoft Recall takes screenshots every few seconds, creating a searchable timeline of your activity. While this may sound helpful, it initially caused an uproar due to serious privacy and security issues: unencrypted storage of screenshots raised major red flags, especially for organizations that manage sensitive donor or financial data.

After public backlash, Microsoft revised Recall. It is now an opt-in feature with enhanced security measures, including encryption and Windows Hello biometric authentication. Still, concerns remain. As recently as 2025, 30% of Recall users reported that sensitive data was unintentionally captured (Ars Technica, 2025).

A Real-World Example: A Non-Profit’s Close Call

One non-profit we work with had deployed Copilot+ PCs without fully understanding Recall’s implications. Much like my kids bolting across the street on the way to church when we're running late, the staff didn't recognize the danger in their hurry to adopt new tech. We quickly stepped in to disable Recall, train their team on phishing risks, and implement stronger system protections.

This scenario is far from unique. Non-profits are the target of 85% of phishing attacks aimed at acquiring sensitive data (IBM X-Force, 2025). While Recall’s local storage approach may reduce cloud-related risks, it opens up new vulnerabilities: malware infections or shared PCs can expose sensitive screenshots. For organizations bound by HIPAA or GDPR, this is a serious compliance concern. And despite Microsoft’s filtering features, they aren't foolproof.

That’s where CyberStreams comes in, helping non-profits embrace new tools while ensuring data stays safe.

Three Takeaways for Non-Profits

1. Disable Recall by Default
   If your organization uses Copilot+ PCs, turn off Recall unless absolutely necessary. You can also configure it to avoid saving specific types of information.

2. Train Staff on Risks
   Human error is still the #1 cybersecurity threat. Run simulated phishing tests and follow up with short, effective micro-trainings to build awareness and resilience.

3. Monitor for Compliance
   Whether you're governed by HIPAA, GDPR, or local data privacy laws, regular assessments are vital. Our Cyber Fit Assessment is a great way to start.

Conclusion

Microsoft Recall offers convenience, but it comes with significant security and privacy trade-offs, especially for non-profits handling sensitive information. Despite improvements, the risks of accidental exposure, compliance violations, or malware exploitation remain real.

At CyberStreams, we help non-profits stay proactive, not reactive. As new tools like Recall become more integrated into everyday workflows, having the right strategy in place is essential. Disable what you don't need, educate your team, and always keep compliance in sight.

Your mission is too important to risk. We’ll help you protect it.