
Yes—your donor data can be secure if your CRM and payment stack follow accepted standards (ISO 27001, SOC 2, PCI DSS 4.0), use strong encryption, enforce MFA and SSO, log everything, and give you real-time transparency through a public trust portal. Salesforce, for example, publishes live service and security status and maintains broad compliance coverage.
Why donor data security is non-negotiable
Trust fuels giving. Your donors share names, emails, addresses, card details, and sometimes sensitive data tied to their relationship with your cause. One widely reported nonprofit tech breach in 2020 showed exactly what is at stake: backup files with supporter information were removed, leading to multi-state settlements and long-tail remediation across the sector. Incidents like that hurt reputation and fundraising momentum, and they remind all of us to vet vendors with rigor.
What “good” security looks like in a nonprofit CRM
When you evaluate or re-evaluate your CRM and donation stack, look for:
- Public trust and status portal. A page that shows real-time availability, performance, and security advisories so you are never in the dark. Salesforce’s status site is a model here.
- Independent certifications. ISO 27001 and SOC 2 Type II are baseline signals that the provider’s controls are tested by third parties. Salesforce documents these across services and updates its Data Processing Addendum to reflect current controls.
- Encryption everywhere. TLS in transit, strong encryption at rest, key management, and field-level encryption options for especially sensitive fields. (See Salesforce security whitepapers for architecture detail.)
- Modern access controls. SSO, MFA, granular permission sets, and audit trails so you can see who touched what and when.
- Payment security. If you process cards directly or via embedded forms, PCI DSS 4.0 now applies—with new expectations that took effect in 2025. Make sure your gateway and any self-assessment reflect v4.0, not older versions.
- Clear data processing and privacy terms. GDPR and UK GDPR require lawful bases, transparency, data minimisation, and breach notifications with defined timelines—requirements that apply to charities and nonprofits, too.
Note on “security ratings.” Some third-party services publish external security ratings for vendors (e.g., UpGuard). These are helpful for monitoring, but the number changes over time and should be paired with your own risk review and contracts.
Your nonprofit security checklist (copy this)
- Map your data. List what you collect from donors, where it lives, who can access it, and how long you keep it.
- Tighten access. Enforce SSO and MFA for all staff and volunteers with logins. Remove access the same day people leave.
- Encrypt and log. Ensure encryption for data in transit and at rest; enable field-level encryption for the most sensitive elements. Turn on audit logs.
- Harden payments. Confirm your processor and any hosted forms meet PCI DSS 4.0. Complete the correct SAQ and schedule quarterly scans if required.
- Train your team. Run short, practical training on phishing, data handling, and reporting incidents.
- Test backups and recovery. Practice restores. Ransomware is still a common threat; resilience matters.
- Review vendor DPAs. Keep current Data Processing Agreements on file; check sub-processor lists and breach notice clauses.
- Write it down. Keep a simple incident response plan and decide in advance who talks to donors if something goes wrong. Align to NIST CSF where practical.
Why many nonprofits choose Salesforce for donor CRM
Salesforce has long positioned trust as its number one value and provides live transparency through its Trust and Status sites. It also maintains a broad library of compliance attestations and documentation, which helps procurement and audits move faster. If your board or donors ask “How do we know it is secure?”, these public resources are easy to share.
If you prefer extra assurance, pair platform controls with your own practices: least-privilege roles, restricted exports, and routine user access reviews. That combination—secure platform + disciplined process—is what keeps donor data safe day to day.
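As an added example (not Salesforce's code and not any vendor's API), here is a small Python access-review script that turns the checklist items above and the practices in this paragraph into checks: it runs over a constructed user export and flags active accounts without MFA, accounts with stale logins, leavers whose logins are still enabled, and non-admin users who can export reports. The record fields, the 90-day threshold and the sample users are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class UserRecord:
    """One row of a hypothetical CRM user export joined with the HR roster."""
    username: str
    active: bool                 # login enabled in the CRM
    mfa_enrolled: bool           # second factor registered
    last_login: Optional[date]   # None if the account has never logged in
    can_export_reports: bool     # permission to export donor reports
    is_admin: bool               # administrator role
    left_org_on: Optional[date]  # leaving date from HR; None if still on staff


# Constructed sample data (not real users or a real export).
TODAY = date(2025, 6, 30)
USERS = [
    UserRecord("ada@example.org", True, True, date(2025, 6, 28), False, True, None),
    UserRecord("bob@example.org", True, False, date(2025, 6, 25), True, False, None),
    UserRecord("cleo@example.org", True, True, date(2025, 1, 3), False, False, None),
    UserRecord("dev@example.org", True, True, date(2025, 6, 29), False, False, date(2025, 6, 27)),
    UserRecord("old@example.org", False, False, None, True, False, date(2024, 12, 1)),
]


def review_access(users: List[UserRecord], today: date = TODAY,
                  stale_days: int = 90) -> Dict[str, List[str]]:
    """Return finding name -> usernames, considering only accounts that can still log in."""
    findings: Dict[str, List[str]] = {
        "no_mfa": [],                 # MFA not enforced for an active login
        "stale_login": [],            # no login within stale_days (or never)
        "leaver_still_active": [],    # HR says they left, CRM login still enabled
        "export_without_admin": [],   # export permission outside the admin role
    }
    for u in users:
        if not u.active:
            continue  # disabled accounts need no action here
        if not u.mfa_enrolled:
            findings["no_mfa"].append(u.username)
        if u.last_login is None or today - u.last_login > timedelta(days=stale_days):
            findings["stale_login"].append(u.username)
        if u.left_org_on is not None and u.left_org_on <= today:
            findings["leaver_still_active"].append(u.username)
        if u.can_export_reports and not u.is_admin:
            findings["export_without_admin"].append(u.username)
    return findings


if __name__ == "__main__":
    for finding, names in review_access(USERS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run it against a real user export by mapping the export columns onto UserRecord; any non-empty finding is an item for that review cycle.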
What to ask any CRM or payment vendor before you sign
- Which certifications cover the services we will use (ISO 27001, SOC 2 Type II)? May we see the latest reports under NDA?
- Where is donor data stored and which sub-processors can access it? Do you publish a live list?
- Do you enforce MFA and support SSO with granular permissions and audit logs?
- How do you meet PCI DSS 4.0 if we accept card donations? Which SAQ applies to our setup?
- Where can we see real-time status and security advisories?
If you experience a breach or near miss
Act fast and follow your plan. Isolate affected systems, rotate credentials, review logs, notify your processor if payments are involved, and follow legal guidance on donor notifications. Regulators and recent settlements have made it clear that poor security and slow, incomplete disclosures add risk and cost.
FAQs
Is donor data secure in Salesforce?
Salesforce publishes live status updates, maintains broad compliance coverage, and documents security architecture. Your security still depends on your configuration and internal processes.
Does PCI DSS apply to donations?
If you process or store card data, yes. PCI DSS 4.0 requirements are in force; ensure your gateway and forms align and complete the correct SAQ.
We are a small charity. Does GDPR still apply?
Yes. GDPR and UK GDPR apply regardless of size. You must process donor data lawfully and transparently and respect privacy rights.
Wrap-up
Security is not a one-time setup. It is people, process, and platform working together. Choose a CRM with transparent trust tooling and proven certifications, pair it with strong internal controls, and keep training and testing. That is how you keep donor trust—and keep giving growing.