Business contract and governance documentation

Anyone who has been around nonprofit tech for the last few years can think of examples. Vendors in the sector have suffered incidents at scale — platforms supporting meaningful shares of charitable organizations breached, with a blast radius that wasn’t bounded by their customer lists. The harm has reached the donors and beneficiaries those customers served. Coordinated enforcement actions have followed in some of those cases, across multiple regulators, in numbers and amounts that made the sector pay attention.

The systemic conditions that produced these incidents pre-existed them and will outlast them. What we want to do is read the pattern as a vendor would. Because the most important thing about incidents like these, for our argument, is not the breaches themselves. It’s the responses.

What the contracts said

By most reasonable measures, the contractual posture going into these incidents was unremarkable for our category. Data protection addenda in place. Certifications current. Breach notification language standard for the industry. Master service agreements that allocate security responsibility in a way that’s familiar to anyone who’s signed a SaaS contract in the last decade.

The contracts were satisfied. The certifications were in good standing. The governance frameworks held. None of them prevented the failures. None of them, by themselves, drove the responses that occurred.

What was added from outside the market

What regulatory responses have added is a statement about the standard of care a vendor at that scale should meet, given the kind of data it holds and the kind of customers it serves. Those responses have rested on disclosure obligations, consumer protection law, and the cumulative harm to residents of individual states. Viewed together, they have articulated that holding data in large numbers — of donors and beneficiaries on behalf of large numbers of charitable organizations — is a public-interest position, and a vendor in that position carries obligations that go beyond what its customers think to negotiate for.

What this means for SaaS

If you are a vendor in this sector, ask three questions about your own posture:

  • If an incident occurred tomorrow at a scale that affected the majority of our customers, what is our response?
  • Are there things we can work on today?
  • Is our incident response plan written and ready for prime time?

These are uncomfortable questions. They are not the questions a sales conversation usually invites. They are not the questions a SOC 2 audit asks. But they help frame the risk & mitigation conversation.

Continuous improvement

We are not arguing that vendors at the center of major incidents are uniquely negligent. The opposite is closer to true. The vendors involved in sector-defining incidents have, in most cases, been meeting or exceeding the standards their commercial peers meet. The problem is that the standards themselves were designed for commercial enterprise contexts, and the charitable giving ecosystem is not a commercial enterprise context.

We are also not arguing that the answer is more regulation. Regulators are an important backstop, and we’d rather have them than not. But the most useful version of this conversation is the one where the industry applies the standards meaningfully before someone else has to. Continuous improvement here is an operational responsibility in addition to the compliance work required.

Let's get to work!


Copyright © Betterleg Studios
