A Charitable Dollar Is Not the Same as Any Other Dollar

Why the data we hold for the nonprofit sector requires a different standard of care — and why that argument starts with us, the vendors.

Most of us in nonprofit technology arrived here because the work meant something. We wanted to build the platforms that make giving work — the donation forms that don’t break on Giving Tuesday, the donor records that survive a database migration, the payment rails that move a $25 monthly gift across the country without losing it. We measure ourselves on uptime, conversion, and renewal, and those are reasonable measures. But there is a measure underneath those measures that we have not yet fully named, and this week we want to argue that we should.

A charitable dollar is not the same as any other dollar. It carries the trust, hopes, and intentions of the person who gave it, and the mission, gratitude, and obligation of the organization that received it. When someone makes a gift to a nonprofit, they are not merely transferring funds; they are entrusting an organization with the work of translating their values into outcomes for people they will likely never meet. The dollar is a placeholder for something more difficult to measure — belief in a mission, hope for a beneficiary, faith that the gift will reach the place the donor intended.

The data trail that accompanies the dollar carries the same weight. A donor’s name, contact information, giving history, payment credentials, and in many cases their wealth indicators or health information are not commercial data points to be aggregated and monetized. They are the material record of donated trust.

If charitable dollars and the data that accompanies them are treated as ordinary commercial assets governed by ordinary commercial standards, the sector will continue to experience the failures it has been experiencing.

Why this is a vendor question, not just a nonprofit question

When a donor contributes to a nonprofit, they extend trust along a chain of custody longer than they likely imagine. Their information passes from a donation form into a fundraising platform, into a donor management system, across a payment processor, and into one or more downstream environments — analytics, wealth screening, direct marketing, grant reporting — before they ever see an acknowledgment letter. The nonprofit itself typically touches only a small portion of this chain. The majority of the technical custody, storage, processing, and transmission of that donor’s information is performed by software platforms operated by third-party technology vendors. That’s us.

The market we operate in is not small. Nonprofit-serving software is an estimated $4.56 billion industry in 2025, projected to exceed $7.24 billion by 2031, with more than 78 percent delivered through cloud-based platforms. The data of the overwhelming majority of U.S. nonprofits — and their donors, grantees, and beneficiaries — lives in vendor-operated environments. The sector has, in a very real sense, been infrastructuralized, and we are the ones who built the infrastructure. That is an extraordinary achievement. It is also the reason the standard of care we apply to ourselves matters more than the standard the sector has historically asked of us.

The thesis, in plain words

The argument we want to make this week is simple, even if its implications are not. The governance instruments currently regulating vendor behavior in the nonprofit sector were largely designed for commercial enterprise contexts. SOC 2, ISO 27001, the standard set of contractual data protection addenda — these are good frameworks. They are necessary. They are not sufficient. The charitable giving ecosystem is not a commercial enterprise context, and the data we hold is not commercial data. Donors are not customers. Beneficiaries are not users. When a vendor in our space is breached, the harm is not bounded by a customer relationship that can be repriced or terminated. The harm reaches strangers who never agreed to be in our system in the first place.

We’ve watched this play out at scale. A single vendor incident in this sector reached more than 13,000 nonprofit customers and an estimated 13 million individuals, and ultimately produced coordinated enforcement settlements from federal securities regulators, the federal consumer protection authority, and 49 state attorneys general totaling more than $59 million. The detail that matters most for our argument is not the dollar figure. It is that the regulators, not the market, were the ones who articulated what the vendor had failed to do. The contracts had been satisfied. The security attestations were in place. The governance frameworks were in good standing. None of them prevented the failure. The gap was visible only after the fact, and only because public enforcers were willing to draw the line that vendor governance had not yet drawn for itself.

What we’re going to do this week

Over the next six days, we’re going to walk through the thesis one piece at a time. Tuesday, we’ll trace the chain of custody a donor’s data actually travels — and how much of it lives in our environments. Wednesday, we’ll look at how the sector got infrastructuralized, and what that means for the people who built it. Thursday is a case study: what regulators had to say about a vendor incident that, on paper, looked compliant. Friday is the harder question — why the commercial frameworks we’ve inherited don’t quite fit the work. Saturday gets practical: what an elevated standard actually looks like in product, in incident response, in contracting, in onboarding. Sunday is an open invitation to the rest of the field.

We’re not writing this as a critique of any specific vendor. We’re writing it as one. The thesis is that with the capability we’ve built comes a specific and elevated obligation, and that the frameworks governing our behavior should be rebuilt — by us, in conversation with the sector — to reflect it. We’d like you to read along, push back, and tell us where we’re wrong. That’s the whole point.

If you only take one thing from this post

Take this: the dollar that lands in a donor’s checkout flow on your platform tonight is not a commercial transaction. It is a small, voluntary act of trust between a stranger and a mission. The data record of that trust is in your database before it is in anyone else’s. Whatever standard you apply to it is, in practice, the standard the sector has. That responsibility is bigger than the contract you signed with the nonprofit, and it is bigger than the certification on your trust page. Most of us already feel this. We’d like to spend the week putting words to it.

Let's get to work!

Trust + Purpose Newsletter

Copyright © Betterleg Studios