Skip to Content

A Brief Intro to Nonprofit Data Security and Compliance

By Garrett Farwell July 17, 2019

To get started on improving your nonprofit data security, start with understanding who needs to access what data. Map your organizational processes: collaborative discussions like in this image can help!
While data privacy, security and compliance can seem scary, they don’t have to be. You may be wondering: Where do we start? Who is responsible for what pieces of nonprofit data security? Who will help us understand if we are compliant? These are just a few of the questions and concerns nonprofits face when implementing new technology or evaluating existing systems. The good news is the Salesforce platform serves organizations of all sizes. We take that responsibility seriously: Trust is our number one value. We have features built into the Salesforce platform and features you can implement to meet your specific security and visibility requirements.

Data Security is Like Building Security

Think about Salesforce security as a building. Let’s pretend you are in charge of the physical security of a high-rise office building. Your job is to make sure people entering the building are authorized to do so and those who aren’t, cannot enter. Many of the doors in the building already have locks and access controls in place that help you ensure proper authorization. Our platform has many built-in features that make your Salesforce deployment secure, similar to the locks on the building doors. You may need to implement custom or specific access controls, depending on your need to secure different areas of the building. Ultimately you are looking to ensure people who shouldn’t have access to the building or portions of the building (floors, rooms, boxes in certain rooms) don’t, and those who need access to portions of the building to do their job, do.

Let me explain what this diagram signifies.

The “building” analogy around data security. CRED is the ability to Create, Read, Edit or Delete data.
An image of the “building” analogy around data security. CRED is the ability to Create, Read, Edit or Delete data.

When you want to enter an office building, you first must be authorized to enter the front door. The front door is like our login page: You will either be permitted to enter the building or will be prevented from doing so. If you are permitted to enter the building, the next level of access is to certain floors. Are you able to access all of them or only a subset of them? Maybe your offices are only on one floor, so that is the only floor you have access to. Floors equate to types of data in the “building” analogy. Do you have access to the financial information floor? Do you have access to the donor or volunteer information floor? If you are permitted on a particular floor, what rooms do you have access to? All of them or a portion of them? The rooms represent individual information found on certain floors. Can you access Sam Smith the donor’s volunteer or financial data? Once in the room, let’s pretend there are boxes in each room. The boxes represent granular data relating to that constituent. For example, should you be permitted to access the phone number box but not the email address box for Sam Smith? The security settings in Salesforce help you make those privilege choices.

If you are interested in understanding the details of data security in Salesforce, I highly recommend reviewing the Who Sees What video series. To avoid getting overwhelmed with all the details, permissions, and logistics of data security, take a step back and think about how you would ensure a building was secure and usable for its users. If people get into the building, where should they go from there? If they access certain floors what rooms should they have access to? Simply think through what it’s like to access an office building. Each Salesforce security feature maps to that building access experience. For more, keep learning on Trailhead.


Continuing the building analogy…what if the state or county requires I enforce certain building codes? When it does, you can comply by making adjustments. The Salesforce platform grows and evolves to help support organizations on their data protection compliance journey. A great place for compliance resources is the trust site.

Two often top-of-mind regulations are The General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA).

What is GDPR?

The GDPR is a new comprehensive data protection law (in effect May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data.


As the best CRM for nonprofits, Salesforce provides organizations with transparency and control of their customer data to enable compliance with regulations like the General Data Protection Regulation (GDPR) while harnessing the power of that data to connect with customers in new ways. Here are a few of my favorite resources:

What is HIPAA?

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. HIPAA is another regulation your nonprofit may encounter, especially if your nonprofit works in human services.

HIPAA compliance

Some useful resources for HIPAA and Salesforce are:

Compliance can be tricky, as it is usually specific to your business needs, customer base, Salesforce implementation and location, among other things. Importantly, we want to empower you as a user of our technology to be the best compliant organization you can be.

As you can see, thinking through how to secure your data and how to maintain compliance with laws take a bit of planning. We recommend you talk to a lawyer for details and guidance, as this post is not meant to be a substitute for legal advice.

To help you think about your data needs (which is a great first step for nonprofit data security), check out this Trail that introduces Salesforce for nonprofits. You may find the module about the NPSP Data Model to be particularly helpful.

Ready to get started? Watch an NPSP demo video.