Software, App, and Integration Security Guide for Nonprofits

Nonprofits handle sensitive data, such as donor information, financial records, and personal details of beneficiaries and volunteers. And while you’ve most likely taken steps to secure this data, introducing any new software, app, integration, or other technologies all present their own data risks.

It’s important to note that every organization has a different risk tolerance and a different use case for each application. So, it’s not possible to say for sure whether any new platform, app, or integration is “secure” — what’s secure enough for one purpose might not be secure enough for another purpose. 

Use this guide to help determine whether an application meets your organization’s specific risk tolerance and to establish your own internal application review process. 

Note that this guide focuses on security. You may have additional considerations as you put together a process for approving new software — for example, compliance requirements (CCPA, HIPAA), change management concerns, or budgetary requirements. A security assessment is just one (important!) aspect to consider when you determine whether or not your organization should start using a new platform. 

Why minimize your data footprint?

Before diving into the specific strategies for assessing risk, it’s important to note that at Personified, we always err on the side of caution and recommend minimizing the number of platforms you use. 

Your organization can establish your own risk appetite for expanding your data footprint in balance with adding new systems that help you accomplish your mission. We know it’s often necessary to integrate new apps, platforms, or software, but these additions should be kept as minimal as possible. That’s simply because the more places your data resides, the higher risk of your data being exposed.

1. Security Research for New Platforms

Before adding any new software, app, or integration, we always recommend doing your research into the company behind it. Make sure to evaluate all available security documentation, privacy policies, and what features you’ll get for what price. 

Specifically, we recommend assessing the following areas:

• • Company attributes. How long has the company been around? Where are they based? Have you heard of them before? Do you know if any peers use their products?
  • AI practices. We don’t recommend using any platform that uses your data to train its AI models. Furthermore, be wary of any company that advertises AI features without published AI security or privacy documentation.  
  • Security documentation. When assessing a company’s security documentation, look for their practices around encryption, security audits, and vulnerability audits. Note how detailed the documentation is and whether or not the language sounds generic. Do they have common certifications like SOC II? How often do they release security updates?

• Privacy documentation. Review the privacy policy and pay special attention to what they’re collecting from you, who they share data with, and any specific mentions of AI. 

• Feature documentation. Specific features can provide added security value. Always make sure to check which features you’re getting at a given pricing tier. Look for feature information around data deletion & retention, audit logs of actions taken by admins or users, and account security.

2. Integrations for platforms you already use

Your organization may already use a number of platforms that you’ve decided to trust with your sensitive data. These platforms may offer integrations to connect one platform with another. If your organization has already decided to trust these core platforms with your data, then we believe the risk of connecting these platforms is minimal.  

For example, if you already use Google Workspace andSlack, you could install the Google Workspace Slack apps without adding a significant amount of risk to your data footprint. This integration is made by those platforms and therefore have more rigorous security and privacy controls.

However, be sure to verify what company made the integration. This ensures you aren’t introducing a new, potentially unsecure, third party platform. It’s especially important to look into who made the integrations because while many may appear to connect existing apps, they’re actually developed by third parties who are not affiliated with either platform you’re trying to connect. 

For example, you should not install an app like the Monday.com “Google Sheets Embedder” app. While the app uses the name “Google Sheets”, it is in fact developed by a third party, NOT Google. Adding a new integration like Google Sheets Embedder essentially means you are trusting that third party developer with your Google and your Monday.com data. And the fact is that this data is too sensitive for a small, relatively unknown developer without a robust security program. 

3. Assessing third party integrations/plug-ins

Many platforms now offer third-party integrations or plug-ins using their APIs (Application Programming Interface), a standard protocol for how different platforms can communicate with each other and access data on a different platform. These APIs facilitate data exchange between systems, and can add convenient and exciting functionality, like being able to automatically send an email from Google when an Airtable form is submitted. 

However, it’s worth repeating that adding integrations also increases your data footprint. This is especially true for third party integrations. When you install a third party integration, you are essentially trusting a new entity with all of the data that it will be processing for you. This significantly increases your data footprint, and is why we recommend limiting integrations to “first party” ones (i.e., integrations developed by the apps you already trust). 

Pay particular attention to how an integration or plug-in stores “secrets”, like your API keys, account credentials, and unique identifiers. Integrations and plug-ins are often developed quickly with little scrutiny, creating an environment where security vulnerabilities thrive. If you do want to use third party integrations, we recommend using a platform with extensive security documentation and certifications. 

When it comes to these integrations and plug-ins, we always recommend proceeding with caution. Here are a few things to always keep in mind:

• Limit permissions to install or approve integrations to admins only across all platforms.
• Once you approve core platforms (for example, Google Workspace and Zoom), it’s okay to install connections between those platforms that are built by the company itself (for example, the Zoom extension for Google Calendar). 
• Limit integrations/plug-ins built by third-party vendors. 
• Do not use integrations/plug-ins that require access to your account credentials. 

4. Limit browser extensions

Browser extensions carry a higher risk of being malicious than the other types of platforms we’ve addressed. To that end, we recommend limiting your browser extensions as much as possible. We recommend restricting browser extensions unless they are made by a trusted vendor (ex: Zoom’s scheduling extension, 1Password’s browser extension). 

For instance, if you use Google Workspace, Personified recommends managing browser extensions via Google Workspace administration. This means that staff’s ability to install browser extensions will be limited when they are logged into a Chrome profile with their work email. You can automatically push out approved extensions (like your password manager’s extension) and block all other extensions unless approved. 

Many browser extensions offer features that can be found with more secure alternative products. For example, there are a number of browser extensions advertising access to ChatGPT. However, many of these extensions sell your data, steal your browser session cookies, or install malware. 

If you must consider a browser extension, we recommend following the same guidance as above: assess their security policy, privacy policy, and what company develops it and where they are based. 

Don’t gamble with your organization’s cybersecurity

Taking the time to thoroughly assess your current platforms and integrations along with the diligence needed to review new ones is mission critical for any organization. And with so many specific considerations and threats, knowing where to start isn’t always clear.  

Personified understands the specific challenges and risks associated with nonprofit cybersecurity. Learn more about how we can help you to start securing your organization.