Nonprofit software supply chain risk in 2026

Donor CRMs, grant management platforms, and what the 2020 Blackbaud ransomware incident still teaches the nonprofit sector about resource-constrained software supply chain reality.

Hritik Sharma
Security Engineer

A mid-size nonprofit in 2026 runs a software stack that would be familiar to a comparably sized commercial organization, with a fraction of the resources to manage it. The organization runs Salesforce Nonprofit Success Pack or Blackbaud Raiser's Edge for donor management, Bloomerang or DonorPerfect at the smaller end, a financial system like Sage Intacct or Blackbaud Financial Edge, a grant management platform like Fluxx or Foundant for inbound and outbound grant flows, an email marketing platform like Mailchimp or Constant Contact, and a long tail of program-specific tools that varies by mission. The aggregate is dozens of vendors, hundreds of integrations, and a security budget that is frequently zero.

The data those vendors hold is consequential. Donor records include personally identifiable information, giving history that constitutes financial information, and in some cases sensitive program data about beneficiaries who may be vulnerable populations. The board has a fiduciary duty over how that data is held, and increasingly the state attorneys general who regulate nonprofit fundraising have started asking what the organization does about software vendor risk. The 2020 Blackbaud ransomware incident made that question concrete in a way the sector has not entirely processed.

What did the Blackbaud 2020 incident actually teach the nonprofit sector?

In May 2020 Blackbaud disclosed a ransomware incident that affected its self-hosted backup environment, with customer data exfiltrated from self-hosted instances of its products serving thousands of nonprofit, healthcare, and education customers. The data included donor records, constituent profiles, and in some cases highly sensitive program information. Blackbaud paid the ransom and obtained the attacker's assurance that the exfiltrated data had been destroyed, an assurance that none of its customers had any meaningful way to verify. Class action litigation followed and continued for years.

The lesson that landed hardest was that nonprofits had been treating Blackbaud's security posture as something they had outsourced rather than something they had inherited. The board members of affected organizations had to learn very quickly that vendor risk is part of the organization's fiduciary surface, and that the controls written into the contract were no substitute for actual visibility into what the vendor was doing operationally. The Office of the New York State Attorney General and several state nonprofit regulators issued subsequent guidance that explicitly raised vendor management expectations for charitable organizations. The lesson that has been slower to land is that the incident was not specific to Blackbaud, and that the next equivalent incident at any donor CRM vendor would produce similar consequences for similar reasons.

What is the donor CRM supply chain in 2026?

Salesforce Nonprofit Success Pack remains the largest deployment platform among mid-size and large nonprofits, with a managed package architecture that has been evolving toward Salesforce's broader nonprofit data architecture. The supply chain implications are that NPSP is itself an AppExchange-distributed package that depends on the broader Salesforce platform, and that most nonprofits using NPSP have a stack of additional AppExchange managed packages on top, including Volunteers for Salesforce, Click and Pledge, and a long list of integration packages connecting to email marketing, event management, and financial systems. Every package in that stack is a vendor with its own dependency tree.

Blackbaud's product portfolio is now anchored by Raiser's Edge NXT, with Financial Edge NXT, eTapestry for smaller organizations, and a set of cause-specific products. The architecture is more consolidated than Salesforce's marketplace model, which concentrates the supply chain risk into Blackbaud's own pipelines rather than distributing it across third-party developers. Smaller nonprofits running Bloomerang, DonorPerfect, Neon CRM, or Little Green Light have similar consolidated risk concentrated in their chosen vendor, with less visibility because those vendors typically do not produce the same level of transparency artifacts as Salesforce or Blackbaud. The sector-wide pattern is that risk is concentrated either in a small number of major vendors or in many small vendors whose collective transparency is poor.

How does grant management software fit into the supply chain picture?

Grant management is a supply chain question that operates in two directions. On the inbound side, nonprofits use grant management platforms to receive funding from foundations and government agencies, and those platforms hold the application materials and reporting data that the funder requires. On the outbound side, foundations themselves use grant management platforms to manage portfolios of grants, and the larger foundations are increasingly demanding security evidence from their grantees as a condition of funding.

Fluxx, Foundant, SmartSimple, and Submittable are the leading vendors in the space, with significant market share among private foundations and government grantors. The data they hold includes application materials, budget detail, theory-of-change documentation, and frequently sensitive information about beneficiary populations. A breach of a grant management platform is therefore both a grantor data breach and a grantee data breach simultaneously, and the contractual notification language often does not clarify which party has primary responsibility for downstream notifications. Sophisticated foundations have started addressing this in their grant agreements, but the typical small nonprofit has no leverage to push back on the standard contract terms its grant platform offers.

What does a resource-constrained TPRM program actually look like?

The honest reality is that the typical mid-size nonprofit cannot run a vendor management program that resembles the practice at a comparably sized commercial organization. The IT director is wearing multiple hats, the security function is often outsourced to a managed service provider, and the budget for security tooling is what is left after mission-critical software has been purchased. A vendor questionnaire program that requires staff to send and review SIG Lite questionnaires for fifty vendors is not going to be executed, and a board that demands it produces theater rather than improvement.

The realistic shape of a defensible program is risk-based concentration and continuous monitoring instead of annual review. The organization identifies the three to seven vendors that hold the most consequential data, including the donor CRM, the financial system, the grant management platform, and the email marketing platform, and it does real diligence on those vendors annually. For the long tail of other vendors, it relies on automated monitoring that surfaces emerging risk and triggers a conversation only when something has changed. That model is achievable for organizations that cannot resource the full program, and it produces evidence the board and the attorneys general can review when they ask.
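The risk-based model described above, as an added Python sketch that is not from the article or from any product it names: vendors are ranked by the consequence of the data they hold and clamped into a three-to-seven core tier for annual diligence, a policy gate checks attestation age and patch cadence for anything holding donor PII or beneficiary data, and two monitoring snapshots are diffed so that a conversation is triggered only by a change. The data-category weights, the day thresholds, the vendor inventory and the disclosure identifier are all assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Breach-consequence weights for the data categories the article names (weights are assumed).
DATA_WEIGHTS = {"beneficiary_data": 5, "donor_pii": 3, "giving_history": 3, "grant_materials": 2, "marketing_list": 1}
GATED = {"donor_pii", "beneficiary_data"}     # categories the policy gate applies to
MAX_ATTESTATION_AGE, MAX_PATCH_GAP = 365, 90  # assumed thresholds, in days
@dataclass(frozen=True)
class Vendor:
    name: str
    data_held: frozenset
    attestation_age: Optional[int] = None  # days since latest SOC 2/ISO report; None = none given
    patch_gap: Optional[int] = None        # days since the vendor's last security patch
    end_of_life: bool = False
    disclosures: frozenset = frozenset()   # vendor security disclosures seen so far

consequence = lambda v: sum(DATA_WEIGHTS.get(d, 0) for d in v.data_held)
def tier_vendors(vendors, low=3, high=7):
    """Split into (annual-diligence core, monitored long tail) per the 3-7 concentration rule."""
    ranked = sorted(vendors, key=consequence, reverse=True)
    consequential = sum(1 for v in ranked if consequence(v) >= 3)  # threshold assumed
    n = max(low, min(high, consequential))  # clamp the core tier to the article's band
    return ranked[:n], ranked[n:]
def gate_failures(v):
    """Policy gate: a system holding donor PII or beneficiary data needs fresh attestation and patching."""
    if not v.data_held & GATED:
        return []
    checks = [(v.attestation_age is None or v.attestation_age > MAX_ATTESTATION_AGE, "attestation missing or stale"),
              (v.patch_gap is None or v.patch_gap > MAX_PATCH_GAP, "patch cadence below minimum"),
              (v.end_of_life, "end-of-life software")]
    return [msg for failed, msg in checks if failed]
def review_triggers(previous, current):
    """Diff two monitoring snapshots; open a conversation only where something changed."""
    prev, out = {v.name: v for v in previous}, []
    for v in current:
        old = prev.get(v.name)
        if old is None:
            out.append((v.name, "new vendor, needs initial review"))
            continue
        out += [(v.name, f"new disclosure {d}") for d in sorted(v.disclosures - old.disclosures)]
        out += [(v.name, f"policy gate now failing: {f}") for f in gate_failures(v) if f not in gate_failures(old)]
    return out
# Constructed sample: a baseline inventory and a later snapshot (not real vendors, disclosures or data).
BASELINE = [Vendor("donor CRM", frozenset({"donor_pii", "giving_history"}), 120, 30),
            Vendor("grant platform", frozenset({"grant_materials", "beneficiary_data"}), 300, 60),
            Vendor("email marketing", frozenset({"marketing_list", "donor_pii"}), 90, 20),
            Vendor("volunteer scheduler", frozenset({"marketing_list"}))]
# 100 days later: every attestation has aged, and the donor CRM has published a disclosure.
LATER = [replace(v, attestation_age=None if v.attestation_age is None else v.attestation_age + 100) for v in BASELINE]
LATER[0] = replace(LATER[0], disclosures=frozenset({"DISCLOSURE-PLACEHOLDER-1"}))
```

Running `review_triggers(BASELINE, LATER)` surfaces only the two changes (the new disclosure and the grant platform's now-stale attestation), which is the conversation the long-tail monitoring is meant to open; the unchanged vendors generate nothing.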

How Safeguard Helps

Safeguard provides nonprofits with TPRM scoring and continuous monitoring tuned to the specific vendors that dominate the sector, including Salesforce Nonprofit Success Pack and its AppExchange ecosystem, Blackbaud, Bloomerang, Fluxx, Foundant, and the financial and email marketing platforms that nonprofits depend on. Griffin AI watches SBOM transparency and disclosure feeds for those vendors and surfaces what warrants a board-level conversation rather than burying the IT director under questionnaires. Policy gates can require minimum attestation and patch cadence for any system that holds donor PII or beneficiary data, blocking the kind of slow drift toward end-of-life software that defines so much resource-constrained reality. The audit trail and continuous evidence Safeguard produces is the kind of artifact a state attorney general inquiry or a sophisticated funder's due diligence will ask for, and it gives a small nonprofit the scale of oversight that its mission and donors deserve.