
Nonprofit Donor Data Security: How to Protect the Information Donors Trust You With

A breach of donor data isn't just a security incident — it's a breach of the trust relationship that sustains your organization. Here's how to protect it.

Quick Answer

Nonprofit donor data security requires: meeting your PCI DSS obligations for card donations (the full standard if your own systems handle card data, a much reduced scope if you outsource payment processing entirely), role-based access so only development staff with a genuine need can view donor financial information, encryption of donor databases at rest and in transit, MFA on CRM systems, a written data security policy, and a tested breach response procedure. Donor data is particularly valuable to identity thieves and social engineers because donors skew toward higher-income individuals and the records document their giving capacity, which makes nonprofits a target.

What Donor Data Actually Contains

A well-maintained donor database contains a significant amount of sensitive information:

  • Full names, addresses, email addresses, phone numbers
  • Giving history and amounts (reveals financial capacity)
  • Payment method information (credit card last four digits, bank account references)
  • Personal notes from conversations (relationship details, family information, employment)
  • Wealth screening data (estimated net worth, real estate holdings)
  • Foundation and grant relationships
  • Political affiliations (in some databases)

This combination — financial capacity data, personal contact information, and relationship detail — makes donor records significantly more valuable to identity thieves and social engineers than basic contact lists. Major donors who give $10,000+ per year are particularly attractive targets.

PCI DSS: If You Process Cards Directly

Any organization that accepts credit card donations has PCI DSS (Payment Card Industry Data Security Standard) obligations; how much of the standard applies depends on how much cardholder data your own systems touch. If you process card donations directly rather than handing the entire payment off to a third-party platform such as Stripe, PayPal, or Classy, the full set of requirements applies, including:

  • Never store sensitive authentication data (full magnetic-stripe or chip data, CVV, PIN) after authorization; if you retain the card number at all it must be rendered unreadable (truncation, tokenization, or strong encryption), and the safest choice is not to retain it
  • Encrypt card data in transit over public networks with strong cryptography (in practice TLS 1.2 or higher, with weak ciphers disabled)
  • Place network security controls (firewalls) between the systems that handle card data and the internet, and segment those systems from the rest of your network
  • Restrict access to cardholder data to people whose job requires it, using individual rather than shared accounts
  • Complete the applicable PCI DSS self-assessment questionnaire (SAQ) annually and, where your SAQ type requires it, quarterly external vulnerability scans by a PCI Approved Scanning Vendor
  • Use only validated payment software and PCI PTS-approved card-reading hardware

Most small nonprofits should avoid processing cards directly. Using a PCI-compliant payment processor (Stripe, PayPal, Square, Classy, DonorPerfect Payments) moves the most onerous requirements to the processor. If the payment fields are hosted entirely by the processor (a redirect to its page, or its own hosted form embedded in an iframe) and your systems never see card data, your obligation is the short "SAQ A" (the lowest-complexity PCI assessment) rather than the full SAQ D. If your own website serves the payment form or runs code that touches the card fields before they reach the processor, you fall into the considerably longer SAQ A-EP instead, so confirm with your processor which integration pattern you are actually using.

Donor CRM Security Requirements

Whether you use Bloomerang, DonorPerfect, Little Green Light, Salesforce NPSP, Raiser's Edge, or another platform, the security configuration requirements are similar:

  • MFA for all users: Every person who can access the donor database should use MFA. This is the single most effective control against credential theft.
  • Role-based access: Not everyone on staff needs to see donor financial history or giving capacity. Restrict access to development staff who have a legitimate need. Program staff, volunteers, and board members should have appropriately limited access.
  • Audit logging: Your CRM should record who viewed, edited, and exported which donor records and when. Review these logs regularly, and pay particular attention to exports: a staff member pulling the entire donor database in the days before leaving is a real and recurring risk.
  • Secure offboarding: When a development staff member leaves, revoke their CRM access the same day and check the audit log for exports or unusual activity in their final weeks. Departing development staff taking donor lists with them is a major nonprofit data theft vector.
  • Vendor security review: Ask your CRM vendor for a current SOC 2 Type II report (SOC 2 is an attestation report, not a certification) and a written data processing agreement. Most major nonprofit CRM vendors can provide both, but verify before assuming.
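The audit-log review described above is easy to automate once you have a CSV export. The following script is an added example written for this article; it is not code from the article or from any CRM vendor named here. It assumes a generic audit export with the columns timestamp, user, action and record_count, a list of accounts that should already have been offboarded (in practice fed from HR or your identity provider), and thresholds you would tune to your own organization. The sample log rows are constructed for illustration. It flags activity by offboarded accounts, bulk exports, exports outside working hours, and any day on which a user touched far more records than their own typical day.

```python
"""Review a donor-CRM audit log export for signs of bulk data theft.

Added example for illustration only. The log format (timestamp, user,
action, record_count), the thresholds and the sample rows are assumptions;
map them onto whatever your CRM's audit export actually provides.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export: not real data, not a real vendor format.
SAMPLE_LOG = """timestamp,user,action,record_count
2024-03-01T09:02:11Z,alice,view,1
2024-03-01T09:10:40Z,alice,view,1
2024-03-01T14:00:03Z,bob,view,1
2024-03-02T10:15:00Z,alice,view,1
2024-03-02T10:16:30Z,alice,view,1
2024-03-02T16:45:00Z,bob,export,40
2024-03-03T08:00:00Z,alice,view,1
2024-03-03T23:30:00Z,alice,export,8500
2024-03-03T23:31:00Z,alice,export,8500
2024-03-04T02:12:00Z,carol,view,1
2024-03-04T02:13:00Z,carol,export,12000
"""

# Accounts whose access should already have been revoked. Constructed here;
# in practice this list comes from HR or the identity provider.
OFFBOARDED = {"carol"}

EXPORT_THRESHOLD = 1000        # rows in one export that warrants a look
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 in the log's timezone (UTC here)
SPIKE_FACTOR = 10              # day volume vs the user's own median day


def parse_log(text):
    """Parse the CSV export into a list of dicts with real datetimes/ints."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
        rows.append({"ts": ts, "user": r["user"], "action": r["action"],
                     "count": int(r["record_count"])})
    return rows


def find_anomalies(rows, offboarded=OFFBOARDED):
    """Return (user, when, reason) tuples for events a human should review."""
    findings = []
    # user -> date -> total records touched that day
    daily = defaultdict(lambda: defaultdict(int))

    for r in rows:
        user, when = r["user"], r["ts"].isoformat()
        if user in offboarded:
            findings.append((user, when, "activity by offboarded account"))
        if r["action"] == "export":
            if r["count"] >= EXPORT_THRESHOLD:
                findings.append((user, when,
                                 f"bulk export of {r['count']} records"))
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append((user, when, "export outside business hours"))
        daily[user][r["ts"].date()] += r["count"]

    # Volume spike: a day far above the user's own median daily volume.
    # Needs at least two days of history to have a baseline at all.
    for user, days in daily.items():
        if len(days) < 2:
            continue
        baseline = median(days.values())
        for day, n in sorted(days.items()):
            if baseline > 0 and n > SPIKE_FACTOR * baseline:
                findings.append((user, day.isoformat(),
                                 f"{n} records vs median {baseline:g}/day"))
    return findings


if __name__ == "__main__":
    for user, when, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when}  {user:<8}  {reason}")
```

On the constructed sample, bob's 40-row export during the working day is left alone, while alice's two late-night 8,500-row exports and carol's activity on an account that should have been disabled are all surfaced. The per-user median baseline matters more than any fixed threshold: a gift officer who routinely runs mailing-list pulls will have a high median and should not trip the spike check, whereas the same export from a program assistant should.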

Email Security for Donor Communications

Development teams communicate with donors via email — and those emails often contain giving history, pledge details, and personal financial information. Email security requirements:

  • Use organization email (not personal Gmail) for all donor communications — this keeps donor information within your organization's controlled environment
  • Avoid sending sensitive giving information in plain email attachments — use your donor portal or CRM's built-in communication features instead
  • Enable email archiving — donor gift acknowledgment letters, pledge agreements, and major gift correspondence should be retained
  • Train development staff to recognize phishing attempts specifically targeting donor relationships ("I'm a major donor and need your help with an urgent wire transfer")

State Data Breach Notification Laws

Every U.S. state, along with the District of Columbia and several territories, has a data breach notification law. If your nonprofit experiences a breach of donor personal information, you typically must:

  • Notify affected individuals (donors whose data was exposed)
  • Notify the state attorney general in many states
  • Provide specific notification within 30–90 days depending on the state (some states require 30 days; California requires "expedient" notification without specifying a maximum)

Notification costs (letters, call center setup, credit monitoring offers) average $175 per affected individual, so a breach of 500 donor records could cost $87,500 in notification alone. Cyber liability insurance for nonprofits, typically $1,000–$5,000/year, generally covers these costs, subject to the policy's limits and its requirement that you report the incident promptly.

Volunteer and Board Member Access Controls

Board members and volunteers often receive access to organizational systems without the same security controls applied to staff. This creates gaps:

  • Board members using personal email for board business create records outside organizational control
  • Volunteer access to donor data should be limited to what their role requires — a volunteer gift processor doesn't need to see wealth screening data
  • Board members with access to financial systems should be subject to the same MFA requirements as staff
  • When board members term out or volunteers complete their engagement, revoke access promptly

Frequently Asked Questions

Can nonprofits use free cloud storage (Google Drive, Dropbox free) for donor data?

Free tiers of consumer cloud storage services lack the security controls, audit logging, and data processing agreements required for protecting donor PII. Nonprofits should use Google Workspace for Nonprofits (free for eligible organizations) or Microsoft 365 for Nonprofits ($5/user/month) — both provide appropriate security controls and data processing agreements.

Are we required to tell donors if their data is breached?

Yes, under most state data breach notification laws. The specific requirements vary by state but generally require notification to affected individuals and often to the state attorney general. Some donors may also have expectations from your privacy policy — review what you've promised donors about data protection and ensure your incident response procedure fulfills those commitments.

How long should we retain donor records?

Donor records should be retained for at least 7 years for tax acknowledgment purposes (donors may need gift records for tax audits). Major gift records, bequest documentation, and planned giving records should be retained permanently. Your CRM should support retention policies, and older records should be archived to low-cost storage rather than deleted.

Is Your Donor Database Properly Protected?

Get a free IT assessment from an MSP that understands the unique security needs of nonprofit donor data.
