
IT and cybersecurity for Australian not-for-profits.

Donors trust you with their data. Beneficiaries trust you with theirs. Boards are watching spend. Grant funders are increasingly writing security into the deed. It's a narrower budget envelope than the private sector, but the exposure is the same. We scope to the risk, not to a template price.

What's actually different in not-for-profit

Not-for-profit IT is trust capital, operationalised.

The trust a charity builds with its donors and beneficiaries is the balance-sheet asset most funders actually care about. A data breach in the NFP sector isn't just an incident; it's a mass-donor notification letter on letterhead, a board meeting, a funder who quietly stops taking your calls. That consequence is why security investment in the sector should look different from private-sector equivalents: less about insurance premium, more about donor confidence.

The practical side: most NFPs we assess have an aging environment, under-licensed software, dozens of dormant volunteer accounts, a backup arrangement that was set up years ago and never tested, and a CRM that's grown organically to hold far more sensitive information than anyone realises. The fixes aren't exotic. The work is in sequencing them against a budget that's already spoken for.

We also take on NFP clients with a pricing conversation that's honest. If your budget doesn't meet our minimums, we'll tell you, point you at alternatives, and share the baseline documentation anyway. We'd rather an NFP succeed with another provider than be underserved with us.

Live right now · not-for-profit

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

ACNC 2025–26 regulatory focus: cyber security

Cyber security and terrorism-financing misuse are named priorities in the ACNC's current compliance focus. The Governance Toolkit: Cyber Security, previously positioned as a resource, is now effectively the baseline expectation for registered charities. Boards that can't point to a written IT policy are behind the curve.

Grant-funder security conditions, 2025/26

Paul Ramsay, Minderoo, state health departments, several philanthropic trusts and federal grant programs now include MFA deployment, tested backups and a documented incident response plan as grant conditions. Expect the ask, prepare the evidence, and avoid having a funded program delayed at contracting because your IT setup can't answer three questions.

Privacy Act Tranche 2, expected mid-2026

Tranche 1 reforms are live; Tranche 2 is expected to remove the small-business exemption and bring approximately 100,000 businesses (including many charities under $3M turnover) into full APP coverage from 1 July 2026. Charities holding sensitive client or beneficiary data should treat themselves as APP entities now rather than wait.

External Conduct Standards + SaaS overseas

For charities operating internationally, the ACNC's External Conduct Standards require documented controls over funds, personnel and data sent offshore. Cloud and SaaS platforms with offshore hosting or support are in scope. The register doesn't build itself.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for the not-for-profit sector in Australia.

ACNC Governance Standards
Registered charities have governance obligations covering financial record-keeping, internal controls, and responsible persons. IT controls are not named directly, but evidence of reasonable governance is expected.
Privacy Act 1988 + APPs
Any NFP handling personal information (donors, clients, beneficiaries, volunteers) carries APP obligations. The $3M-turnover threshold that exempts small businesses does not exempt NFPs handling health, credit, or tax-file-number information.
Grant and funding conditions
State and federal grant agreements increasingly include information-security clauses: data-handling requirements, breach-notification timelines, and sometimes audit rights. These vary by funder and you'll inherit whatever's written.
Fundraising regulation (state-based)
States have their own fundraising acts and registers. Most require record-keeping for donation transactions and donor information, which becomes an IT-retention concern in practice.
ACSC Essential Eight
Large philanthropic funders, corporate partners and insurers are starting to reference the Essential Eight in funding and partnership agreements. See /essential-eight for the maturity model.

Common questions

The things not-for-profit clients ask us first.

We're small and donor-funded. Is this level of security really necessary?
The honest answer depends on what data you hold. If you hold sensitive client information (homelessness services, DV services, disability, health), the answer is yes, and the obligations don't scale down with headcount. If you hold only donor and financial data, the risk is different but real: charity sector business-email-compromise losses are not small, and donor trust is the asset the whole organisation runs on. We scope to the actual risk, not a template.
Our board wants to keep IT spend low. How do we argue for proper investment?
Boards respond to specifics. "We spend $X on IT" is unhelpful; "Without MFA on finance accounts, a single phishing incident historically costs charities between Y and Z" is the conversation to have. We attend board meetings when asked and translate the risk into terms trustees recognise. We also tell you the things you don't need to buy, which is usually more material than what you do.
We run a mix of volunteers and paid staff. Can both access our systems?
Yes, with identity that recognises the difference. Volunteer accounts should be time-bounded, role-scoped, and MFA-enforced. When someone stops volunteering, the access ends at the same time, not six months later. Most of the NFP account-audit issues we see trace back to volunteer accounts that outlived the volunteer's involvement.
What about donor data in our CRM (Salesforce NPSP, Raiser's Edge, DonorTec, etc.)?
We integrate those platforms into centralised identity (SSO through Microsoft 365 where the platform supports it) and into the vendor-management register so we can track access, audit, and offboarding properly. We don't rebuild your CRM; we secure the environment around it so donor trust stays intact.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.
