Build Your Club · User Guide

Document Retention & Security
Policy Generator

Generate five customized policies for your nonprofit in under an hour — Document Retention, Email Use, Acceptable Use, Data Breach Response, and Privacy Notice — plus a Data Processing Inventory template and a Vendor DPA template. State and federal compliance (HIPAA, CCPA, COPPA, FERPA) baked in. Plus a 30–60 day implementation checklist and full reference material.

5 Policy Generators · 2 Bonus Templates · DOCX Export · Implementation Checklist · $29 Lifetime Access

1. About This Tool

Document retention and data security exposure are issues that take down nonprofits — not just large ones. Lost donor data, missed records, or improperly destroyed documents can cost a small org its reputation, its 501(c)(3) status, or both. Most nonprofit-software solutions to this problem are built for organizations with budgets and IT departments. This generator is built for everyone else.

The Document Retention & Security Policy Generator walks your nonprofit through a five-step org profile, then produces five customized policies — Document Retention, Email Use, Acceptable Use, Data Breach Response, and Privacy Notice — plus two supplementary templates (a Data Processing Inventory and a Vendor DPA). All tailored to your state, your activities, and your applicability under HIPAA, PCI DSS, COPPA, FERPA, and state privacy laws like CCPA.

Generate & iterate, don't write from scratch

You won't write these policies from scratch. You'll answer a few questions, customize the generated drafts with a couple of clicks per policy, then export them as Word or HTML for board adoption. Most users finish all five in 30–60 minutes.

⚠️ Not legal advice

Generated policies are starting templates. Review with a qualified attorney before adoption, especially if your nonprofit handles sensitive data (PHI, children's information, financial information). Build Your Club Academy is not a law firm.


2. Getting Started

The app is a one-time purchase. After your first sign-in, you'll go through a brief org profile wizard, then arrive at the dashboard with five policy cards waiting to be generated.

Suggested order

  1. Complete the org profile (5 minutes) — name, state, applicability questions
  2. Document Retention Policy (10 minutes) — the foundation
  3. Email Use Policy (5 minutes) — most common breach vector
  4. Acceptable Use Policy (5 minutes) — covers all tech use
  5. Data Breach Response Plan (10 minutes) — what to do when something goes wrong
  6. Privacy Notice & Data Privacy (10 minutes) — public-facing privacy notice + Data Processing Inventory + Vendor DPA templates
  7. Work the implementation checklist (30–60 days) — actually roll the policies out
  8. Review everything with your attorney before your board adopts it

Account types

  • Create Account — your standard user account. Username + password, save your progress, return anytime.
  • Administrator Access — password-only access to the admin panel (manage user accounts, reset all data). There is no username, so treat the admin password as a shared secret: keep it in your password manager, never send it by email, and change it whenever someone who knew it leaves. See section on Administrator Access below.

3. Onboarding Wizard

The wizard captures your organization's basics and a few applicability questions. Your answers directly customize what each generated policy says — some sections include or exclude entire clauses based on your inputs.

Step 1 — Organization details

Legal name, EIN (optional), state of incorporation, principal office address, year founded. The generator weaves these into every policy as the org identifier.

Step 2 — HIPAA applicability

HIPAA does not apply to every nonprofit. It applies to "covered entities" (health plans, healthcare clearinghouses, healthcare providers billing electronically) and their "business associates." Pick honestly:

  • No — HIPAA doesn't apply — applies to the vast majority of small nonprofits.
  • Yes — covered entity — free clinics billing insurance, nonprofit hospices billing Medicare, etc.
  • Business associate — you handle PHI on behalf of a covered entity under a signed BAA.

Step 3 — Other applicability questions

Quick yes/no on four items that trigger specific policy sections:

  • Accept credit cards? Triggers PCI DSS section.
  • Collect data from children under 13? Triggers COPPA section.
  • Educational institution receiving federal funding? Triggers FERPA section.
  • Currently have cyber liability insurance? Customizes Breach Response.

Step 4 — Other states with operations

Beyond your state of incorporation, list states where you have employees, donors, or beneficiaries. State data-breach laws may apply.

Step 5 — Confirmation

You can return to edit the profile anytime via the "Edit Profile" button on the dashboard banner. Changes apply to all subsequent policy previews and exports.


4. Policy Generators

Each generator presents a form (left) with state changes appearing live in the preview pane (right). Every keystroke saves to the browser's local storage — close the browser and come back tomorrow, your work is still there. Local storage lives in that one browser profile on that one computer: clearing site data, switching machines or working in a private window loses it, so export any draft you care about.

Document Retention Policy

The longest of the five, and the foundation. Customize: policy owner, paper destruction method (in-house shredder vs. certified vendor), electronic destruction method, litigation hold authority, review frequency. The generator automatically adds or removes sections based on your HIPAA, PCI, COPPA, and FERPA profile answers.

Email Use Policy

Customize: business records retention period, transitory email retention, personal use rules, encryption method, phishing training cadence, IT/security contact. Result is a board-ready policy that addresses retention, acceptable use, security, departure procedures, and monitoring disclosure.

Acceptable Use Policy

Customize: password manager tool, minimum password length, BYOD policy (allowed / restricted / prohibited), social media policy, IT reporting contact. Result covers all technology use: passwords, MFA, prohibited activities, BYOD, social media, software updates, lost devices.

Data Breach Response Plan

Customize: primary response contact, cyber insurance carrier hotline, legal counsel, IT/forensics partner, board notification window, tabletop exercise frequency. Result is a step-by-step playbook for the first 30 days after a breach — identify, contain, contact, assess, notify, recover.

Privacy Notice & Data Privacy (3 documents)

The Privacy Notice is the public-facing legal text you publish on your website telling visitors what you collect, how you use it, and what rights they have. Customize: your website domain, privacy contact email, effective date, cookie/tracking use, analytics tool, email marketing approach, international data transfer practices, and how you notify users of policy changes. The generator automatically adds CCPA-specific rights if California is in your profile, HIPAA Notice of Privacy Practices references if you're HIPAA-covered, and COPPA provisions if you collect data from children under 13.

This generator also produces two supplementary documents from the same form:

  • Data Processing Inventory — a Word template with example rows for the main categories of data nonprofits typically handle (donors, employees, volunteers, beneficiaries, analytics, email lists). Customize and add your own rows to create a complete data map for breach response and compliance.
  • Vendor DPA (Data Processing Addendum) — a contract addendum your vendors should sign when they handle your data. Required by CCPA/CPRA, best practice for HIPAA business associates, and increasingly expected by funders and insurance carriers. 15 sections covering scope, security, sub-processors, breach notification, audit rights, and termination.
Live preview

Watch the right pane as you fill in the form on the left. Every dropdown change, every text edit appears in the policy immediately. When it looks right, export it. For the Privacy generator, the main download is your Privacy Notice; two additional download buttons appear for the Inventory and DPA templates.


5. Exporting Policies

Each policy has three export options plus a completion flag:

  • Download as Word (.docx) — recommended. Opens in Microsoft Word, LibreOffice, Google Docs, or Pages. Fully editable.
  • Download as HTML — standalone HTML file. Print to PDF from your browser.
  • Copy to Clipboard — pastes the policy as plain text. Useful for email or other documents.
  • Mark Complete — flags the policy as finished. Tracked on the dashboard.

What to do with the exported file

  1. Review with your attorney before adopting.
  2. Customize anything bracketed (e.g., "[Board adoption date]") with actual values.
  3. Present to the board for formal adoption (board resolution recommended).
  4. Distribute to staff and require signed acknowledgment.
  5. Store the adopted policy as a permanent record (in your governance file).

6. Implementation Checklist

Generating policies is the easy part. Actually implementing them — getting board adoption, configuring technical controls, training staff, signing vendor agreements, buying cyber insurance — is the work. The checklist breaks this into 7 phases:

Phase | What you'll do | Typical timing
Week 1 | Inventory & assessment — systems, access, current state, applicable state laws, formal risk assessment | ~6 hours
Week 2 | Draft policies (using the generator), adopt wire-transfer authorization policy, present to board for adoption | ~6 hours + board meeting
Week 3 | Technical controls — MFA, encryption, sharing, backups, SPF/DKIM/DMARC, Wi-Fi (WPA3 + guest network), evaluate MDM | ~5 hours
Week 4 | People — training, acknowledgments, phishing awareness, first simulation, BEC awareness for finance/HR staff | ~4 hours
Week 5–6 | Vendor management — inventory, contracts, BAAs, PCI verification, CISA Cyber Hygiene registration | ~5 hours
Week 7–8 | Insurance — Cyber Liability quotes + Directors & Officers (D&O) coverage review (often bundled with GL and EPLI) | ~5 hours
Ongoing | Annual reviews, retraining, access audits, tabletop exercises, annual risk assessment refresh | Recurring

Each phase's items are individually checkboxable. Progress saves automatically and you can export the checklist to Word at any time for sharing with your board or compliance team.


7. Federal Frameworks

HIPAA — what actually applies

HIPAA applies to covered entities and business associates only. Most small nonprofits are not covered entities even if they work with vulnerable populations.

Covered entities

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers who electronically transmit health information for billing/claims (e.g., nonprofit free clinic billing Medicare, nonprofit hospice)

NOT covered entities

  • A nonprofit advocacy group that helps people apply for health insurance
  • A nonprofit shelter that helps clients access mental health services (but doesn't provide them)
  • A nonprofit that runs health-education workshops

If HIPAA applies to you

  • Annual HIPAA risk assessment
  • Administrative, physical, and technical safeguards
  • Training for all staff/volunteers handling PHI
  • Notice of Privacy Practices
  • Signed Business Associate Agreements with vendors
  • Designated Privacy Officer and Security Officer
  • Breach notification to affected individuals (and to HHS) without unreasonable delay and no later than 60 days after discovery

PII — broader than HIPAA, less well-defined

Personally Identifiable Information has no single federal law — it's a patchwork of FTC, GLBA, FCRA, plus state laws. Common PII: name + identifying info, SSN, driver's license, passport, financial account numbers, credit/debit card numbers, DOB, biometric data, medical history.

Sensitive PII (extra protection required): SSNs, financial account info, health information, criminal background, children's data.

Federal retention requirements (quick reference)

Record Type | Retention | Source
Tax returns (990, 990-EZ, 990-PF) | Permanent | IRS best practice
Supporting tax documents | 7 years | IRS Pub 583
Articles, bylaws, board minutes | Permanent | Best practice
Employee tax records (W-2, 941) | 4 years | IRS
Form I-9 | 3 years after hire OR 1 year after termination, whichever is later | USCIS
Payroll records | 3 years | FLSA
ERISA benefits | 6 years after filing | ERISA
OSHA records | 5 years | OSHA

8. State-Specific Considerations

All 50 states + DC + Puerto Rico have data breach notification laws. They share a basic structure but vary on what constitutes a breach, notification timeline, who must be notified, content of notice, and penalties.

Standout state laws

California (CCPA / CPRA) — Written for for-profit "businesses" that meet a threshold (roughly $25M+ in annual revenue, buying/selling/sharing the personal information of 100K+ California consumers or households, or 50%+ of revenue from selling or sharing personal information). Nonprofits are generally outside its direct scope unless controlled by a covered business, but you will meet it through covered vendors, funders and donor-facing services that contract you into its service-provider terms. Rights to know, delete, correct and opt out of sale/sharing. Privacy notice plus training for staff who handle consumer requests.

New York SHIELD Act — Applies to any business holding NY residents' private info. Requires reasonable security: administrative, technical, physical safeguards.

Massachusetts (201 CMR 17.00) — Requires Written Information Security Program. Encryption required for portable devices and data in transit.

Illinois BIPA — Aggressive biometric data law. Consent required before collecting biometric data. Statutory damages per violation.

Texas Identity Theft Enforcement & Protection Act — Reasonable safeguards + breach notification.

Other states with comprehensive privacy laws as of 2026: WA, VA, CO, UT, CT, IA, IN, TN, MT, OR, DE, NJ. Washington's My Health My Data Act is limited to consumer health data. Several of these statutes (VA, CT, UT among them) exempt nonprofits outright, while others (CO, OR, DE, NJ) do not, so check each one you operate in rather than assuming an exemption. Many more pending.

The landscape is shifting fast

Check your state's privacy law landscape annually. National Conference of State Legislatures (ncsl.org) maintains an updated tracker.


9. Document Retention Schedule

Use this as a starting template. Adjust based on your state's requirements and your insurance carrier's recommendations.

Corporate & governance

Document | Retention
Articles of Incorporation + amendments | Permanent
Bylaws + amendments (each version) | Permanent
IRS Form 1023 application | Permanent
IRS determination letter | Permanent
Board meeting minutes | Permanent
Conflict of interest disclosures | Permanent
State annual reports filed | 7 years

Tax & financial

Document | Retention
Form 990 (filed) | Permanent
990 supporting workpapers | 7 years
Bank statements + cancelled checks | 7 years
Audit reports | Permanent
Contracts (after termination) | 7 years
Grant proposals, agreements, reports | Per grant + 3 years
Insurance policies | Permanent + 7 years past expiration

Employment

Document | Retention
Personnel files (former employees) | 7 years after termination
Form I-9 | 3 years after hire OR 1 year after termination, whichever is later
Payroll records | 7 years
Time records | 3 years
Workers comp records | Permanent
OSHA injury logs | 5 years

Donor & development

Document | Retention
Donor contact info (active) | Active + 7 years
Individual donations | 7 years
Major gift agreements + restricted gifts | Permanent
Donor receipts/acknowledgments | 7 years

Program & client

Document | Retention
Client/beneficiary intake | 7 years (longer if minor)
Photo/video releases | Permanent
Volunteer applications | 3 years after last activity
Background check results | Per state law, typically 3–7 years
Incident reports | 7 years (longer for serious incidents)
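The rows above read as simple counts, but two of them are not: the I-9 rule is "whichever is later", and every row is suspended by a litigation hold. The following is an added example (not code from the Build Your Club app) that encodes a handful of the schedule's rows as retention rules and answers the question a destruction review actually asks, "may this record be destroyed today?"; the record types, event names and trigger dates are constructed assumptions.

```python
"""Compute when a record leaves its retention period, including the
"whichever is later" and litigation-hold cases in the schedule above.

Added example, not from the guide or its app; it encodes a handful of rows
from the schedule and uses constructed trigger dates.
"""
from datetime import date

# Rows marked "Permanent" in the schedule (assumed record-type names).
PERMANENT = {"articles", "bylaws", "board_minutes", "form_990", "audit_report",
             "major_gift_agreement", "photo_release"}


def add_years(d, years):
    """Calendar-year arithmetic that survives a Feb 29 trigger date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record_type, events, legal_hold=False):
    """Date after which the record may be destroyed.

    Returns None when destruction is not currently permitted: the record is
    permanent, under litigation hold, or its trigger event has not happened.
    """
    if legal_hold or record_type in PERMANENT:
        return None
    if record_type == "form_i9":
        # USCIS: later of 3 years after hire or 1 year after termination;
        # while the person is still employed there is no end date yet.
        term = events.get("terminated")
        if term is None:
            return None
        return max(add_years(events["hired"], 3), add_years(term, 1))
    if record_type == "personnel_file":
        return add_years(events["terminated"], 7)
    if record_type == "grant_file":
        return add_years(events["grant_closed"], 3)
    if record_type == "volunteer_application":
        return add_years(events["last_activity"], 3)
    if record_type == "donation":
        return add_years(events["received"], 7)
    raise KeyError(f"no retention rule for {record_type!r}")


def destroyable(record_type, events, today, legal_hold=False):
    """True only when a computed end date exists and has passed."""
    end = retention_end(record_type, events, legal_hold)
    return end is not None and today > end


# Constructed records for a destruction review run on a given date.
REVIEW_DATE = date(2026, 1, 15)
RECORDS = [
    ("form_i9", {"hired": date(2020, 3, 1), "terminated": date(2021, 6, 30)}, False),
    ("form_i9", {"hired": date(2015, 1, 15), "terminated": date(2024, 2, 29)}, False),
    ("form_i9", {"hired": date(2019, 9, 1)}, False),            # still employed
    ("donation", {"received": date(2016, 5, 1)}, False),
    ("donation", {"received": date(2016, 5, 1)}, True),         # litigation hold
    ("board_minutes", {"meeting": date(2001, 4, 10)}, False),   # permanent
]

if __name__ == "__main__":
    for record_type, events, hold in RECORDS:
        print(record_type, retention_end(record_type, events, hold),
              "destroy" if destroyable(record_type, events, REVIEW_DATE, hold) else "keep")
```

Two design points carry over to any real records system: the hold flag is checked before any rule, so a hold cannot be forgotten by a rule author, and "not yet destroyable" and "never destroyable" share one answer (None) because the action is the same in both cases: keep it.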

10. Security Best Practices

Password management

  • Use a password manager (1Password, Bitwarden, LastPass) — nonprofit pricing usually available.
  • Strong unique passwords for every account; never reuse.
  • MFA on every account that supports it.
  • Disable accounts immediately when staff/volunteers leave.

Encryption

  • At rest: all laptops (BitLocker/FileVault), mobile devices, USB drives.
  • In transit: email with PII encrypted or via secure portal; HTTPS on website.
  • Encrypt backups, including cloud backups.

Backups

  • Follow the 3-2-1 rule: 3 copies, 2 different media types, 1 off-site, and keep at least one copy offline or immutable (not reachable with the same credentials as your file server) so ransomware cannot encrypt the backups along with the originals.
  • Test restores quarterly — a backup you have never restored from is an assumption, not a backup.
  • Encrypt backup data.
  • Keep backups for the same retention period as the original, and include them when you destroy records: a file purged from the live system but still sitting in a backup has not been destroyed.

Access controls

  • Principle of least privilege: access only to what's needed.
  • Quarterly access reviews.
  • Audit logs of who accessed what.
  • Never share credentials.

Network security

  • Wi-Fi: use WPA3 (or WPA2 minimum) with a strong unique password. Change default router admin credentials immediately upon installation.
  • Separate guest network for visitors and volunteers' personal devices — keep them off the same network as your nonprofit data.
  • VPN for remote workers accessing internal systems. Tailscale (free for small teams) or a paid service such as NordLayer gives remote staff a path to internal systems; Cloudflare WARP only encrypts traffic between the device and Cloudflare and does not by itself reach internal resources.
  • Avoid public Wi-Fi for nonprofit work without a VPN. On an open coffee-shop network anyone else on it can see unencrypted traffic and stand up a fake captive portal.
  • Keep router firmware updated (most allow auto-updates — enable it).

Endpoint protection

  • Built-in antivirus on all computers — Microsoft Defender on Windows is free and excellent. macOS has built-in XProtect.
  • Keep operating systems and applications patched — enable automatic updates everywhere possible.
  • For more sensitive operations, consider a managed endpoint detection and response (EDR) product (Bitdefender, SentinelOne, CrowdStrike) — check TechSoup and the vendor for nonprofit pricing, which is sometimes available.
  • Disable unused browser extensions — they're a common attack vector.

Mobile device management (MDM)

If your nonprofit has 3+ staff devices, an MDM platform centralizes security: enforce passcodes, encryption, remote wipe, app installation policies, and lost-device tracking from one console.

  • Microsoft Intune — included in many Microsoft 365 Business plans
  • Google Workspace endpoint management — included in most Workspace tiers
  • Jamf — Apple-focused, free tier for small orgs
  • Hexnode, Kandji, JumpCloud — small-org-friendly alternatives

Cloud security specifics

Cloud storage (Google Drive, Microsoft 365, Dropbox) is where most nonprofit data lives. Common mistakes:

  • Overly permissive sharing — folders shared with "anyone with the link" open to whoever obtains the link, with no login and no record of who opened them, and links get forwarded. Audit sharing settings monthly.
  • No MFA on cloud admin accounts — the admin account is the highest-value target.
  • Shared accounts — multiple people logging in with one set of credentials. Use individual accounts always.
  • External sharing enabled by default — disable unless you specifically need it; enable per-document instead.
  • No audit log review — both Google Workspace and Microsoft 365 log access; review monthly.
  • No data loss prevention (DLP) rules — most cloud platforms can be configured to flag or block sharing of files containing SSNs, credit cards, etc.
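The last item is the one most nonprofits never turn on, so here is what a DLP rule actually does, as an added example (not code from the Build Your Club app or from any cloud platform's DLP engine): scan content for plausible SSNs and for card numbers that pass the Luhn check, and block external sharing when anything is found. The sample documents are constructed, and the SSN and card numbers are well-known test values, not real identities or accounts.

```python
"""Flag files that contain likely SSNs or payment card numbers before they
are shared, the kind of rule a cloud DLP policy applies.

Added example, not from the guide or its app. The sample documents are
constructed; the SSN and card numbers are well-known test values, not real
identities or accounts.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area, group, serial):
    """Drop numbers the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits):
    """Luhn checksum; digit runs that fail it are almost never card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, matched_text) for each sensitive value found."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def sharing_allowed(text, external):
    """Policy: external sharing is blocked for any file with findings;
    internal sharing proceeds (the findings would be logged for review)."""
    return not (external and scan(text))


# Constructed documents as they might sit in a shared drive.
SAMPLE_DOCS = {
    "intake_form.txt": "Client: J. Doe\nSSN: 078-05-1120\nPhone: 555-123-4567",
    "donation_export.csv": "donor,card\nA. Smith,4111 1111 1111 1111",
    "board_minutes.txt": "Motion to approve FY budget passed 7-0. Grant ID 2024-00017.",
    "bad_data.txt": "SSN 000-12-3456 card 4111 1111 1111 1112",   # implausible values
}


def report(docs):
    """Map each document name to its findings."""
    return {name: scan(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_DOCS).items():
        print(name, "->", findings or "clean")
```

The validity filters are what keep a rule like this usable: without the SSA issuance check and the Luhn check, every phone number, grant ID and invoice number trips the rule and staff learn to ignore it. Real DLP engines also catch unformatted nine-digit SSNs and card numbers split across lines; this example stays with the formatted cases.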

Physical security

  • Locked storage for paper records containing personal information.
  • Secure workspaces — position screens away from windows and public-facing areas; clean-desk policy for sensitive paperwork at end of day.
  • Visitor logs for non-public office spaces; staff badges or sign-in.
  • Secure disposal — shred paper containing personal info; destroy hard drives physically when retiring computers.
  • After-hours alarm system for offices holding sensitive data.
  • Key/badge tracking — collect and document upon staff departure.

Volunteer data access

Volunteers create unique data-access risk because they typically have less screening than employees, less training, and shorter tenure. Best practices:

  • Background checks for volunteers with access to sensitive data, finances, or vulnerable populations.
  • Minimum necessary access — most volunteers don't need access to donor data or financial systems. If they do, give them read-only access to the specific subset they need.
  • Time-limited credentials — auto-expire access at the end of the volunteer commitment; manually renew if continuing.
  • Same training as employees on phishing, privacy, and acceptable use.
  • Signed volunteer agreement with confidentiality clause.
  • Immediate offboarding when the volunteer ends their service — revoke all accounts within 24 hours.

Risk assessment as a practice

An annual risk assessment is the foundation of a mature security program. The basic walkthrough:

  1. Inventory your data assets — what personal data you have, where it lives (use the Data Processing Inventory generated by this app).
  2. Identify threats — what could go wrong? (phishing, ransomware, lost laptop, insider misuse, vendor breach, physical break-in)
  3. Identify vulnerabilities — where are you exposed? (no MFA, weak passwords, unpatched software, untrained staff, shared accounts)
  4. Assess impact — if this threat exploits this vulnerability, what happens? Financial loss? Legal exposure? Reputational damage?
  5. Prioritize — rank risks by likelihood × impact; address the top 3-5 first.
  6. Document and review — record the assessment, the decisions made, and re-do annually.

This doesn't require a consultant for small nonprofits — a board member, ED, or operations lead can lead it. CISA's free Cyber Hygiene Services can run automated vulnerability scans on your public-facing infrastructure (websites, etc.) at no cost.

Free government cybersecurity resources

These are aimed specifically at small organizations including nonprofits:

  • CISA (Cybersecurity and Infrastructure Security Agency) — free Cyber Hygiene vulnerability scanning, free security assessments, free training, and best-practice guides at cisa.gov
  • FBI IC3 (Internet Crime Complaint Center) — report cybercrime; also publishes regular threat reports useful for nonprofit awareness at ic3.gov
  • FTC.gov/SmallBusiness — cybersecurity guidance, free training videos, breach response guidance
  • StaySafeOnline (National Cybersecurity Alliance) — free posters, training materials, awareness campaigns
  • StopRansomware.gov — federal interagency guide specifically for ransomware (CISA + FBI + NSA + others)
  • NIST Cybersecurity Framework — the standard framework, free reference at nist.gov/cyberframework

11. Email Policies

Most nonprofit breaches happen via email — phishing, accidental sends, mailbox compromise. Email deserves its own policy section.

What your email policy should cover

  1. Acceptable use — business use; limited personal use allowed/disallowed
  2. Retention — transitory (30–90 days), business records (7 years), permanent records
  3. Encryption — when required, how to send encrypted
  4. Phishing awareness — training, reporting
  5. Forwarding restrictions — no auto-forward to personal accounts
  6. Departure procedures — what happens to email when staff leave
  7. Monitoring disclosure — email may be monitored

Email security specifics

  • MFA on every email account. Non-negotiable.
  • SPF, DKIM and DMARC configured on your domain. Start DMARC at p=none to collect reports, then move to p=quarantine or p=reject once every legitimate sender (mail platform, donor CRM, newsletter tool) passes; until then a spoofed "from your domain" message is still delivered.
  • Phishing filters in your email platform.
  • Quarterly phishing simulations.
  • Block automatic external forwarding.
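"Configured" is not the same as "configured correctly": a second SPF record, a +all, or a DMARC record with p=none and no reporting address all leave the domain spoofable while looking done. The following is an added example (not code from the Build Your Club app) that sanity-checks SPF and DMARC TXT records for those mistakes; the records are constructed test data, and you would paste in the output of `dig +short TXT yourdomain.org` and `dig +short TXT _dmarc.yourdomain.org` instead. DKIM is not checked here because it needs the selector name your mail platform assigned.

```python
"""Sanity-check SPF and DMARC TXT records before relying on them.

Added example, not from the Build Your Club guide or its app. The records
below are constructed test data; in practice paste in the output of
`dig +short TXT yourdomain.org` and `dig +short TXT _dmarc.yourdomain.org`
(join multi-string TXT answers into one string first).
"""
import re

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.I)


def check_spf(txt_records):
    """Return a list of problems with the SPF record(s); empty list means OK."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host can send mail claiming your domain"]
    problems = []
    if len(spf) > 1:
        problems.append("multiple SPF records: receivers return permerror, "
                        "which is the same as having no SPF")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            problems.append("'+all' authorizes every host on the internet")
        elif qualifier == "?":
            problems.append("'?all' is neutral, equivalent to no policy")
    lookups = sum(1 for t in terms
                  if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms):
        problems.append("'ptr' mechanism is deprecated and unreliable")
    return problems


def check_dmarc(txt_records):
    """Return a list of problems with the DMARC record; empty list means OK."""
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures are neither enforced nor reported"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid 'p=' tag: receivers ignore the record")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("no 'rua=' address: you will never see aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return problems


# Constructed records for a domain sending through Google Workspace.
GOOD_SPF = ["v=spf1 include:_spf.google.com -all"]
BAD_SPF = ["v=spf1 include:_spf.google.com include:sendgrid.net +all",
           "v=spf1 -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"]
WEAK_DMARC = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    for label, records, check in (("good SPF", GOOD_SPF, check_spf),
                                  ("bad SPF", BAD_SPF, check_spf),
                                  ("good DMARC", GOOD_DMARC, check_dmarc),
                                  ("weak DMARC", WEAK_DMARC, check_dmarc)):
        print(label, "->", check(records) or ["OK"])
```

The lookup count is a static approximation (a real evaluator follows each include and counts its lookups too), so treat a result near 10 as a warning to consolidate senders rather than a pass.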

Wire Fraud and Business Email Compromise (BEC)

⚠️ The single biggest financial loss vector for nonprofits

FBI IC3 data consistently ranks BEC among the costliest forms of reported cybercrime by dollar loss. Nonprofits are particularly targeted because attackers know your finance staff trust requests from leadership and grant funders.

BEC is when an attacker impersonates someone trusted (usually the Executive Director, board chair, or a vendor) and tricks staff into wiring money, changing bank details, or sharing sensitive data. Common patterns:

CEO Fraud (impersonating leadership)

An email appears to come from your ED (often using a spoofed display name and a similar-looking email address) asking the bookkeeper to urgently wire money to a "new vendor" or "confidential contract." The email usually creates urgency and discourages verification ("I'm in a meeting, just take care of this quickly, I'll explain later").

Fake Invoice Scams

A real vendor's email account is compromised, and the attacker sends an invoice with new bank account details. Your AP staff pays the legitimate-looking invoice to the attacker's account. The real vendor never sees the money.

Payroll Diversion

An attacker impersonates an employee and emails HR asking to change their direct deposit account. The next paycheck goes to the attacker.

Grant Funder Spoofing

An attacker impersonates a foundation program officer and sends instructions about grant disbursement — often including a request to "confirm" banking info or wire details.

Controls that prevent BEC

  • Verbal verification of all wire requests over a threshold (e.g., $1,000) using a known phone number — NEVER one in the suspicious email. The single most effective BEC control.
  • Dual approval for wires over $X — two people, two different accounts, both sign off. Most banks support this natively.
  • Written wire-transfer authorization policy adopted by the board specifying who can authorize wires, dollar thresholds requiring multiple approvers, and verification procedures.
  • Bank account changes for vendors require independent verification — call the vendor at a known number to confirm before updating ACH info.
  • Payroll change verification — direct deposit changes confirmed verbally with the employee using a known phone number.
  • Pause on any "urgent" payment request — urgency itself is a red flag. Pause 15 minutes; the legitimate request will still be there.
  • Email banner warning users when emails come from outside the organization ("[EXTERNAL]" tag in subject) — built into most modern email platforms.
  • Targeted BEC awareness training for finance, HR, and ED office staff specifically — they're the targets.
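Every pattern above rests on an identity trick (a lookalike domain, a display name that does not match the real address, a Reply-To that differs from From) paired with payment or urgency language. Those signals are mechanical enough to check, and the following added example (not code from the Build Your Club app or any mail platform) scores inbound messages on exactly them and adds the [EXTERNAL] banner. The organization domain, executive roster, keyword list and the four messages are constructed assumptions; substitute your own domain and roster.

```python
"""Flag inbound mail that shows the BEC impersonation patterns above.

Added example, not from the guide or its app. The organization domain,
executive roster, keyword list and the messages are all constructed
assumptions; substitute your own domain and roster.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "buildyourclub.example"                      # assumed
EXECUTIVES = {                                            # assumed roster
    "Dana Rivera": "dana@buildyourclub.example",
    "Sam Okafor": "sam@buildyourclub.example",
}
# Payment/urgency language; on its own it is normal, paired with an identity
# mismatch it is the BEC signature.
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|confidential|wire|gift cards?|new bank|"
    r"direct deposit|banking info)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; small values mean a typo-squatted lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def lookalike_domain(domain):
    """True for external domains within two edits of ours or that embed our name."""
    if is_internal(domain):
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    return edit_distance(domain, ORG_DOMAIN) <= 2 or org_label in domain


def assess(msg):
    """Return the list of red flags for one message (dict of lowercase header names)."""
    name, addr = parseaddr(msg.get("from", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    external = not is_internal(domain)
    if external:
        flags.append("external sender")
    expected = EXECUTIVES.get(name)
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' does not match roster address {expected}")
    if lookalike_domain(domain):
        flags.append(f"lookalike domain {domain}")
    _, reply_addr = parseaddr(msg.get("reply-to", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"reply-to {reply_addr} differs from sender")
    if URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        flags.append("urgency/payment language")
    return flags


def is_bec_candidate(msg):
    """Identity mismatch plus payment/urgency language: route to out-of-band verification."""
    flags = assess(msg)
    identity_issue = any(f.startswith(("display name", "lookalike", "reply-to")) for f in flags)
    return identity_issue and "urgency/payment language" in flags


def subject_with_banner(msg):
    """The [EXTERNAL] tag most mail platforms can add automatically."""
    prefix = "[EXTERNAL] " if "external sender" in assess(msg) else ""
    return prefix + msg.get("subject", "")


# Constructed messages covering the patterns above.
MESSAGES = [
    {"from": "Dana Rivera <dana@buildyourclub.example>",
     "subject": "Board packet", "body": "Attached for Thursday."},
    {"from": "Dana Rivera <dana.rivera@webmail.example>",            # CEO fraud
     "subject": "Urgent", "body": "In a meeting, need a wire to a new vendor today."},
    {"from": "Accounts <ap@trusted-vendor.example>",                  # fake invoice
     "reply-to": "ap@trusted-vend0r.example",
     "subject": "Invoice 4471 - new bank details", "body": "Please update our remittance account."},
    {"from": "Grants <grants@bui1dyourclub.example>",                 # funder spoofing
     "subject": "Confirm disbursement", "body": "Please confirm your banking info ASAP."},
]

if __name__ == "__main__":
    for m in MESSAGES:
        verdict = "BEC CANDIDATE" if is_bec_candidate(m) else "ok"
        print(subject_with_banner(m), "->", verdict, assess(m))
```

Two limits matter. A compromised real vendor mailbox (the fake-invoice case when the attacker does not bother with a Reply-To) passes every identity check here, which is why the bank-change callback above is a process control, not a filter. And an attacker can put your exact domain in From if your DMARC policy is p=none; this filter assumes that hole is closed.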

If you get hit

  • Immediately, the same day: contact your bank's fraud department and ask them to recall the wire. Recovery odds fall by the hour.
  • File a report with FBI IC3 at ic3.gov. The FBI's Financial Fraud Kill Chain can sometimes recover funds wired internationally, but it is limited to larger transfers ($50,000 or more) reported within 72 hours — another reason not to wait.
  • Notify your cyber insurance carrier — BEC is often covered under "social engineering fraud" riders.
  • Reset all email passwords and revoke session tokens — assume the attacker may still have access. Also check the affected mailbox for inbox rules, auto-forwarding and third-party app grants the attacker may have added; those survive a password reset.
  • Treat as a breach if any personal data was disclosed during the incident.

12. Breach Response Plan

When a breach happens (not if), you'll be glad you had this in writing.

What is a breach?

Generally: unauthorized acquisition, access, use, or disclosure of personal information that compromises the security or privacy of the information.

Examples that ARE breaches

  • Lost laptop with unencrypted data
  • Email with SSNs sent to wrong person
  • Ransomware that exfiltrated data
  • Employee accessing records they shouldn't
  • Cloud storage misconfigured for public access

Examples that are NOT breaches (in most jurisdictions)

  • Encrypted data accessed by an unauthorized person, provided the key was not also exposed (a stolen laptop with disk encryption and its password on a sticky note in the bag is a breach)
  • Internal access by authorized person for legitimate purposes
  • Properly destroyed records

Response steps

Hour 0–24: Contain. Identify affected systems, disconnect if needed, preserve evidence, contact your IT partner or insurance breach hotline, document everything.

Day 1–3: Assess. What data was affected? How many individuals? Which states' residents? Engage legal counsel and forensic investigators.

Day 3–30: Notify. Comply with notification requirements — state laws, federal HIPAA if applicable, credit bureau notification, AG notification. All notifications must be reviewed by legal counsel.

Day 30+: Recover & learn. Remediate the vulnerability, document lessons, update policies, re-train staff.

Crisis communications during a breach

Beyond the legal notifications required by state law, you have to think about WHO you tell, WHEN, with what message, and through what channel. Nonprofits are particularly exposed here because donor relationships are built on trust — mishandling the communications can cause more lasting damage than the breach itself.

Audiences to plan for

  • The board — typically notified within 24 hours of a confirmed breach. The board chair becomes a key decision-maker on broader response.
  • Affected individuals — required by state law (usually 30–60 days). Tone matters: own the incident, explain what happened in plain language, explain what you're doing, offer any protective services (credit monitoring if SSNs were exposed).
  • All donors — even unaffected ones often appreciate proactive transparency. Silence can look like a cover-up.
  • Beneficiaries — if your beneficiary data was affected, dedicated outreach is essential (and may need to be in their language, may need to be sensitive to trauma).
  • Staff and volunteers — internal alignment on the message BEFORE external communications. Whoever the press calls should be saying the same thing.
  • Funders and grantors — many grant agreements require breach notification. Check terms; notify proactively if required.
  • Partner organizations — if their data may also be affected.
  • Press and public — HIPAA requires notice to prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction (HHS must be notified as well). For smaller breaches a public statement may be voluntary, but prepare one anyway in case local reporters pick up the story.

Principles for breach communications

  • One designated spokesperson — usually the ED or board chair. All inquiries go to them; staff are instructed not to comment.
  • Communicate early, even with incomplete info — "We're investigating and will share more as we learn it" is better than silence.
  • Plain language — no jargon. Explain what happened, what data was involved, what you're doing, what they should do.
  • Lead with what affected people need to do, not with apology. Apology comes near the top but action items first.
  • Offer concrete protective steps — credit monitoring, password reset reminders, fraud alerts. Pay for credit monitoring (typically 12–24 months) if SSNs or financial data were exposed.
  • Provide a way for people to ask questions — a dedicated email address or phone line, monitored daily.
  • Coordinate with legal counsel on every public statement — words can become evidence.
  • Document every communication — what was said, when, to whom, by whom.

Templates to prepare in advance

  • Board notification email (initial + 24-hour update + weekly during active response)
  • Affected individuals notification letter (compliant with state law)
  • Holding statement for press (≤3 sentences for unexpected inquiries)
  • Donor newsletter update (transparent but not alarmist)
  • Internal staff briefing (talking points + what NOT to say)
  • Q&A document for the dedicated breach inquiry line

Cyber insurance often includes PR firm support for breach response — use it. Specialized firms have templates and experience that you won't have in-house. Worth its weight in gold during the first 72 hours.


13. Insurance: Cyber Liability + Directors and Officers

Two insurance policies are essentially mandatory for any nonprofit that holds data or has a board of directors. They're often offered by the same carriers and can sometimes be bundled. Skipping either creates exposure that one bad day could turn fatal to the organization OR personally devastating to its leadership.

⚠️ Both, not one or the other

Cyber Liability and Directors & Officers cover different risks. Cyber pays after a data breach; D&O protects board members from personal exposure for decisions they make. Many nonprofits carry one and forget the other. Both are needed.

Cyber Liability Insurance

Every nonprofit should have cyber liability coverage. It's increasingly affordable ($500–2,000/year for typical small nonprofits) and pays for breach notification costs, legal counsel, forensic investigation, credit monitoring for affected individuals, public relations support, business interruption losses, and cyber extortion / ransomware payments.

What cyber insurers want to see

  • Written security policies (which this generator helps you build)
  • MFA enabled on email and admin accounts
  • Backup and recovery procedures
  • Staff security training
  • Incident response plan
  • Vendor management

Tips when shopping for cyber coverage

  • Compare quotes from at least 3 carriers.
  • Ask about nonprofit-specific carriers (NIA, Philadelphia, Hartford).
  • Read exclusions carefully — some policies won't pay if you had no MFA, no backups, or no incident response plan.
  • Increase your limit as your data holdings grow.

Directors and Officers (D&O) Insurance

D&O insurance protects individual board members and officers from personal financial liability for decisions made in their nonprofit roles. Without it, a board member sued in their personal capacity must pay their own legal defense costs — easily $50,000+ before the case even reaches trial. Many qualified people will refuse to serve on a nonprofit board that lacks D&O coverage, and rightly so.

What D&O typically covers

  • Breach of fiduciary duty — allegations that a director failed to act in the org's best interest
  • Mismanagement — decisions about programs, finances, or strategy that go badly
  • Misrepresentation — claims based on financial statements or public disclosures
  • Failure to comply with laws or regulations — including tax compliance, lobbying limits, and yes, data protection
  • Conflicts of interest disputes
  • Wrongful termination and employment practices — usually via an Employment Practices Liability Insurance (EPLI) rider
  • Defense costs — often the largest expense even in cases that get dismissed

The Side A / B / C structure

D&O policies are usually structured in three "sides":

  • Side A — protects individual directors and officers directly when the organization cannot indemnify them (e.g., the org is insolvent, or indemnification is legally prohibited)
  • Side B — reimburses the organization when it indemnifies its directors and officers
  • Side C — protects the organization itself as an entity (sometimes called "entity coverage")

Make sure your policy includes all three sides. A Side A–only policy leaves the organization exposed; a Side B–only policy leaves directors exposed if the org goes under.

What to look for in a D&O policy

  • Coverage limits — $1M minimum for small nonprofits; $2M+ recommended as you grow
  • EPLI rider — covers employment-related claims (wrongful termination, discrimination, harassment, retaliation)
  • Defense costs treatment — "outside the limit" is better than "inside the limit" because legal defense doesn't eat into coverage available for settlement/judgment
  • Consent-to-settle and hammer clauses — read both carefully. A consent clause means the insurer cannot settle without your (usually the board's) approval, which can slow fast-moving cases; a hammer clause says that if you refuse a settlement the insurer recommends, the insurer's liability is capped at that settlement amount (plus defense costs to that point), so refusing is at your own risk
  • Prior acts coverage (sometimes called "past acts" or "full prior acts") — covers claims arising from decisions made before the policy started; check the retroactive date (essential if you're getting your first D&O policy years into operation)
  • Coverage for past, current, and future board members — directors who leave the board can still be sued for decisions made during their tenure
  • Subpoena response coverage — many policies now cover the cost of responding to regulatory investigations even without a formal claim
  • Pollution exclusion language — many D&O policies exclude environmental claims; understand what's excluded

What D&O costs

For typical small nonprofits, D&O coverage runs $500–5,000 per year, rising with revenue:

  • Under $500K annual revenue: $500–1,200/year typical
  • $500K–$2M annual revenue: $1,200–2,500/year typical
  • $2M–$10M annual revenue: $2,500–5,000/year typical
  • Bundled with General Liability and EPLI: often saves 15–25% versus separate policies

Why this connects to the rest of this module

When your board adopts the policies generated by this app, the board members are personally taking on responsibility for the organization's compliance posture. If your nonprofit has a data breach despite the policies, or if the board is sued for failing to oversee data protection adequately, D&O is what stands between the directors and personal financial ruin. Cyber covers the breach response costs; D&O covers the personal liability of the people who made the decisions.

Common D&O carriers for nonprofits

  • Nonprofits Insurance Alliance (NIA) — nonprofit-specific cooperative; often the best price for small nonprofits
  • Philadelphia Insurance Companies — strong nonprofit specialty division
  • The Hartford — wide nonprofit experience, often bundles well
  • Chubb — premium pricing but strong claims handling
  • CNA — nonprofit programs available

A common nonprofit insurance bundle

Many small-to-mid-size nonprofits carry these together, often through one carrier:

  • General Liability ($1M minimum)
  • Directors and Officers ($1M minimum)
  • Employment Practices Liability Insurance (EPLI)
  • Cyber Liability ($1M minimum)
  • Crime / Fidelity (employee theft, embezzlement) — $250K minimum
  • Professional Liability (if you provide professional services)
  • Property / Contents (if you own or lease an office)
  • Workers Compensation (if you have employees — required by state)
  • Auto (if you own vehicles or have volunteers/staff driving for the org)

Total annual cost for the typical small nonprofit (under $1M revenue) running this bundle: $2,500–6,000/year. Worth budgeting for from year one.

↑ Back to top

14. Data Privacy

"Data privacy" is the discipline of being thoughtful and lawful about the personal information your nonprofit handles. It overlaps with security but is distinct: security is about protecting data from unauthorized access; privacy is about being honest with people about what you collect, how you use it, and what choices they have. The Privacy Notice generator in this app produces the public-facing legal document; this section is the reference for the laws and concepts behind it.

What every Privacy Notice should contain

Most state laws and best-practice guidance require that a Privacy Notice answer these questions clearly:

  • What you collect — direct (forms, donations) and automatic (cookies, analytics)
  • How you use it — fulfilling donations, sending communications, running programs, legal compliance
  • Who you share with — service providers, legal requirements, and whether you "sell" or "share" data in the legal sense. Do not claim you never sell data unless that is true: under CCPA, exchanging personal information for anything of value (including some analytics and advertising integrations) can count as a "sale" or "sharing"
  • Cookies and tracking — what types, what they do, opt-out instructions
  • Email marketing — opt-in or transactional, how to unsubscribe
  • Your retention practices — how long you keep data and why
  • User rights and how to exercise them — access, correction, deletion, opt-out
  • Contact info — a real way for users to reach you about privacy
  • Effective date and update process — version control and how you notify of changes

⚠️ Generic boilerplate is risky

Many small nonprofits copy a privacy notice from another site. This is risky — privacy notices are legal claims about YOUR practices, and inaccurate claims can trigger state AG action and litigation. The Privacy Notice generator avoids this by basing your notice on actual answers about your organization.

California Consumer Privacy Act (CCPA / CPRA)

California's privacy law is the most influential in the U.S. Note that the statute's definition of "business" is limited to for-profit entities, so most nonprofits fall outside its direct scope; it can reach a nonprofit that is controlled by, or shares common branding with, a covered business. A for-profit entity is covered if it meets at least one threshold:

  • Annual gross revenue over $25 million (rare for small nonprofits), OR
  • Buying, receiving, selling, or sharing personal information of 100,000+ California residents or households per year, OR
  • Deriving 50%+ of annual revenue from selling or sharing California residents' personal information

If CCPA/CPRA applies, California residents have these rights:

  • Right to know what personal information you collect, use, sell, or share — and request a copy
  • Right to delete personal information (subject to legal exceptions like tax records)
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising
  • Right to limit use of sensitive personal information (SSN, financial account numbers, precise geolocation, etc.)
  • Right to non-discrimination for exercising any of these rights

Even if CCPA doesn't strictly apply to you, adopting its framework is increasingly considered best practice — and many funders and partners now expect CCPA-style notices from any organization handling their constituents' data.

Children's Online Privacy Protection Act (COPPA)

COPPA applies if your website or online service is directed to children under 13, or if you have actual knowledge that you are collecting personal information online from a child under 13 — through signups, program registrations, or any digital form. Strictly, the COPPA Rule reaches operators subject to the FTC Act, which leaves many nonprofits outside its direct scope, but the FTC encourages nonprofits to follow it, and the standard below is what schools, parents, and funders expect. Requirements:

  • Verifiable parental consent before any collection (a signed paper form, a credit card transaction, or a video conference are all acceptable methods)
  • Clear notice to parents of what you collect, how you use it, and their rights
  • Parental review of collected information on request
  • Parental deletion rights at any time
  • No conditioning participation on collecting more data than reasonably necessary for the activity

FTC enforces COPPA and penalties for violations can be substantial. If you serve youth, take this seriously — even casual data collection (newsletter signups, photo releases) needs proper consent if a child under 13 might fill out the form.

Family Educational Rights and Privacy Act (FERPA)

FERPA applies directly to educational agencies and institutions that receive funds from the U.S. Department of Education AND maintain education records (grades, transcripts, attendance, disciplinary records). A nonprofit usually meets it one of two ways: a charter school or educational organization receiving federal education funds is covered outright, while an after-school or tutoring program that receives student records from a partner school is bound by the terms under which the school shared them (typically the "school official" exception and a written agreement). Key requirements:

  • Annual notification of FERPA rights to students/parents
  • Parental consent (or the student's own consent once they are 18 or attending a postsecondary institution) before disclosing education records
  • Specific limited exceptions for "directory information" and certain officials
  • Documented process for record access requests

Data subject rights — the practical workflow

Beyond the legal framework, you need an actual process for handling requests. Here's what works for a small nonprofit:

  • Designated email for privacy requests (e.g., [email protected]). One inbox, one person checking it daily.
  • Identity verification before fulfilling requests — usually 2 pieces of information matching what you already have on file (e.g., email + last donation date). Verify against data you hold; never ask for new sensitive data such as an SSN just to prove identity, and never release data to an unverified requester (a bogus access request is itself a data breach).
  • 30-day response window from receipt of the verified request. Acknowledge within 10 days, complete within 30. (CCPA allows 45 days, so 30 is a comfortable internal target.)
  • Log every request — date received, who requested, what was requested, when fulfilled, how. Maintain this log for at least 3 years; CCPA regulations require request records be kept for 24 months, so this exceeds the minimum.
  • Standard response templates for "access fulfilled," "deletion fulfilled," "request denied due to legal retention requirement," etc.
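As an added example (this is not code from the generator or from this guide), here is a small Python model of the workflow above: one request record per inquiry, identity verification against fields already on file, the 10-day acknowledgement and 30-day completion deadlines, a denial path for records under a legal retention requirement, and a request log with a 3-year retention check. The requester name, the sample CRM rows, and the `LEGAL_HOLD` category are constructed for illustration.

```python
"""Privacy-request intake log for a small nonprofit (added example, not the app's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ACK_DAYS = 10                             # acknowledge within 10 days of receipt
COMPLETE_DAYS = 30                        # complete within 30 days of receipt
LOG_RETENTION = timedelta(days=3 * 365)   # keep the request log at least 3 years

# Constructed sample of what the org already holds (think: a donor CRM export).
# "categories" lists the kinds of records held about that person.
RECORDS_ON_FILE = {
    "pat@example.org": {
        "last_donation": "2024-11-03",
        "postal_code": "94110",
        "categories": {"contact", "newsletter", "donation_receipts"},
    },
}
# Assumed: record categories that must survive a deletion request (gift substantiation).
LEGAL_HOLD = {"donation_receipts"}


@dataclass
class PrivacyRequest:
    request_id: str
    email: str
    kind: str                             # "access", "delete", "correct" or "opt_out"
    received: date
    verified: bool = False
    acknowledged: Optional[date] = None
    completed: Optional[date] = None
    outcome: Optional[str] = None
    notes: list = field(default_factory=list)

    @property
    def ack_due(self) -> date:
        return self.received + timedelta(days=ACK_DAYS)

    @property
    def complete_due(self) -> date:
        return self.received + timedelta(days=COMPLETE_DAYS)


def verify_identity(req: PrivacyRequest, claims: dict, records=RECORDS_ON_FILE,
                    required: int = 2) -> bool:
    """Match what the requester supplied against fields already on file.
    Only fields you already hold are compared, so you never solicit new
    sensitive data (an SSN, say) just to verify someone."""
    on_file = records.get(req.email.lower())
    if on_file is None:
        req.notes.append("no record on file for that email")
        return False
    matched = sum(1 for k, v in claims.items() if on_file.get(k) == v)
    req.verified = matched >= required
    req.notes.append(f"identity check: {matched}/{required} fields matched")
    return req.verified


def acknowledge(req: PrivacyRequest, today: date) -> None:
    req.acknowledged = today
    if today > req.ack_due:
        req.notes.append("acknowledged late")


def fulfill(req: PrivacyRequest, today: date, records=RECORDS_ON_FILE) -> str:
    """Complete a request. Unverified requests are denied; a deletion skips
    categories under a legal retention requirement and says so in the outcome."""
    if not req.verified:
        req.outcome = "denied: identity not verified"
    elif req.kind == "delete":
        person = records[req.email.lower()]
        kept = person["categories"] & LEGAL_HOLD
        person["categories"] = kept            # everything else is deleted
        req.outcome = ("deletion fulfilled" if not kept else
                       f"partial deletion: retained {sorted(kept)} under legal retention requirement")
    else:
        req.outcome = f"{req.kind} fulfilled"
    req.completed = today
    if today > req.complete_due:
        req.notes.append("completed late")
    return req.outcome


def overdue(requests, today: date) -> list:
    """(request_id, deadline) pairs for anything past its 10- or 30-day mark."""
    late = []
    for r in requests:
        if r.acknowledged is None and today > r.ack_due:
            late.append((r.request_id, "acknowledgement"))
        if r.completed is None and today > r.complete_due:
            late.append((r.request_id, "completion"))
    return late


def log_row(req: PrivacyRequest) -> dict:
    """One line of the request log: who, what, when received, when done, how."""
    return {"id": req.request_id, "email": req.email, "kind": req.kind,
            "received": req.received.isoformat(), "verified": req.verified,
            "completed": req.completed.isoformat() if req.completed else None,
            "outcome": req.outcome, "notes": "; ".join(req.notes)}


def log_expired(requests, today: date) -> list:
    """Request ids whose log entry is past the 3-year retention period and may be purged."""
    return [r.request_id for r in requests
            if r.completed is not None and today - r.completed > LOG_RETENTION]
```

Run `overdue()` against the open requests whenever the privacy inbox is checked, and keep `log_row()` output in the same place as your Data Processing Inventory so an auditor can see both the requests and how they were handled. The legal-hold set is the deliberate link to your Document Retention Policy: a deletion request never overrides a retention requirement, it just narrows what gets deleted.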

Vendor management and Data Processing Addendums (DPAs)

Every vendor that processes your data on your behalf — donor CRM, email platform, payment processor, cloud storage, analytics tool — should sign a Data Processing Addendum (DPA) to your master services agreement. The DPA template generated by this app covers the standard sections: scope, security measures, sub-processors, breach notification, data subject rights, audit rights, return/deletion, and governing law.

For each vendor, get answers to:

  • What data of ours do they access?
  • What security certifications do they hold? (SOC 2 Type II, ISO 27001 are common)
  • Where are their servers? (Important for international transfers)
  • Who do they sub-process to? (Your data may pass through multiple vendors)
  • What's their breach notification window?
  • How do they handle deletion at termination?

Track all of this in your Data Processing Inventory (also generated by this app).

Privacy by Design — the principles

These seven principles (originally articulated by Ann Cavoukian; GDPR Article 25 turns the idea into a legal requirement, "data protection by design and by default") are good guides for any nonprofit:

  1. Proactive not reactive — anticipate privacy issues, don't wait for them
  2. Privacy as the default — collect the minimum, retain the minimum, share the minimum
  3. Privacy embedded in design — bake it into how systems are built, not bolted on
  4. Full functionality — privacy doesn't have to come at the cost of utility
  5. End-to-end security — protect data from collection through deletion
  6. Visibility and transparency — be open about practices
  7. Respect for user privacy — make it easy for users to exercise their rights

What about GDPR?

The European Union's General Data Protection Regulation applies to your nonprofit if you have an establishment in the EU, offer goods or services (paid or free) to people in the EU, or monitor their behavior there. For most U.S. small nonprofits with no EU operations, GDPR doesn't directly apply, but if you have international donors or use vendors with EU operations, it may affect you indirectly through your vendor agreements.

Even if GDPR doesn't apply, its principles (lawful basis for processing, purpose limitation, data minimization, accuracy, storage limitation, security, accountability) align well with what U.S. state laws are converging toward. Building your privacy practices around them future-proofs you against the laws coming next.

↑ Back to top

Administrator Access

The sign-in screen has an Administrator Access link below the Sign In button. Use it to sign in as Administrator with just a password; no email is needed. This is a per-browser admin role: the password is stored only in the current browser on the current computer, so it gates the admin panel on that machine and nothing else. Choose something well beyond the 6-character minimum, because anyone who can sit at that browser and guess it can view every local account and wipe all data.

  • First time: Click Administrator Access. You'll see a "First-time setup" prompt with two password fields — enter a password (6+ characters) and confirm it. Click Create & Enter.
  • Subsequent times: Click Administrator Access, enter that same password, and click Enter Admin Panel.
  • Once signed in as Administrator, you can see all user accounts on this browser and reset all data if needed.
  • Click ← Back to regular sign-in at the bottom of the admin panel to return to the normal email/password form.

Note: the admin password is unique to each browser. If you set it up at home and then visit the app on a work computer, you'll see the first-time-setup prompt again. The "Reset All Data" action wipes everything — org profile, all generated policies, checklist progress, user accounts — and cannot be undone, so export any generated policies you want to keep before using it.

↑ Back to top

Contact & Support

For questions, feedback, or feature requests, contact the Build Your Club Academy team at [email protected]. We update these tools regularly — check back for new features.

↑ Back to top