These guildlines are geared towards US companies but it might be something that will give you some ideas of things you could do.

"Follows Industry-Wide Best Practices. This is a combined category that measures companies on three criteria (which were each listed separately in some earlier reports):

The company must have a public, published policy requiring the government to obtain a warrant from a judge before the company discloses the content of user communications.
The company must have published a transparency report since April 1, 2016, and the report should include useful data about how many times governments sought user data and how often the company provided user data to governments.
The company must have public, published law enforcement guides explaining how it responds to data demands from the government.

Companies must fulfill all three criteria in order to receive credit.

Tells Users About Government Data Requests. To earn a star in this category, technology companies must promise to tell users when the U.S. government seeks their data in advance of turning over any data unless prohibited by law, in very narrow and defined emergency situations,5 or unless doing so would be futile or ineffective.6 Notice gives users a chance to defend themselves against overreaching government demands for their data, and thus we do not credit companies that delay notice to a user based on any other justification from an agency—for instance, where the agency claims notice might jeopardize an investigation, delay a trial, or otherwise deserves confidentiality. We recognize that in emergency situations involving danger of death or serious physical injury to any person, prior notice may not be possible. However, companies must have public-facing policies in place to give the user notice when the gag expires or the emergency is over.

Promises Not to Sell Out Users. To earn credit, a technology company must have a public policy that ensures data is not flowing to the government outside of its law enforcement guidelines—for example, through voluntary contracts or via a third party vendor who sells data to the government. We look for two things: first, some indication that the law enforcement guidelines fully describe data disclosures to the government; and second, that third parties (such as vendors and contractors) must adhere to the disclosure standards set forth by the company policies. Statements that indicate a company does not disclose user data to third parties will also suffice for the second part of our standard. We review corporate policies to ensure that there are no unusual exceptions for certain types of vendors, contractors, or other third parties who would then not be bound by the corporate policies. We allow exceptions for companies and third parties that, to the extent allowed by law, voluntarily share data with law enforcement or intelligence agencies directly for emergency access, to report crimes where the company or its customers are themselves victims, or to share computer security threat indicators.

Stands Up to NSL Gag Orders. Secret government requests for user data are a significant problem made all the worse by the indefinite gag orders that accompany them. Since the passage of the USA FREEDOM Act in mid-2015, companies have a new way to push back against one type of indefinite gag order: those accompanying National Security Letters (NSLs). To earn a star in this category, companies must publicly commit to invoking the available statutory procedures to have a judge review every indefinite NSL gag order the company receives.

Pro-User Public Policy: Reform 702. This year, Congress will be reviewing the surveillance powers of the National Security Agency, specifically considering whether to reauthorize Section 702, as enacted under the FISA Amendments Act of 2008. This provision of law is the legal lynchpin for the NSA’s mass Internet surveillance that impacts the communications of countless Americans. We are awarding credit to companies that support reforming Section 702 in order to reduce the collection of information on innocent people. Public positions in support of allowing this provision of law to expire completely will also receive credit, as this would also have the effect of reducing the surveillance of innocent people. Commitments must be formal, in the company’s own name,7 and either in writing or part of Congressional testimony. Only statements after June 2, 2015 will qualify.8 Note that this category does not award credit for supporting reforms that do not reduce the collection of data on people (for example, reforms that increase transparency around surveillance practices), though we acknowledge that oversight and other reforms also serve an important role.

We expect this category to continue to evolve in the coming years, so that we can track industry players across a range of important privacy issues."

https://www.eff.org/who-has-your-back-2017#best-practices

A second one on privacy.

Is Mastodon Private and Secure? Let’s Take a Look

https://www.eff.org/deeplinks/2022/11/mastodon-private-and-secure-lets-take-look

“Essentially, Mastodon is about publishing your voice to your followers and allowing others to discover you and your posts. For basic security, instances will employ transport-layer encryption, keeping your connection to the server you’ve chosen private. This will keep your communications safe from local eavesdroppers using your same WiFi connection, but it does not protect your communications, including your direct messages, from the server or instance you’ve chosen—or, if you’re messaging someone from a different instance, the server they’ve chosen. This includes the moderators and administrators of those instances, as well. Just like Twitter or Instagram, your posts and direct messages are accessible by those running the services”