Three pillars of data protection for nonprofits

Increasingly, nonprofit organizations are employing cloud-based Software-as-a-Service (SaaS) applications such as G Suite, Office 365, and Salesforce to improve productivity, allow technical staff to focus on organizational improvements, and save on cost. According to NTEN’s State of the Nonprofit Cloud report, “Cloud services are a core part of nonprofit operations with 100% of survey respondents indicating they use at least two cloud services, up from 80% of survey participants in our last survey.”

SaaS has had a major impact on the nonprofit sector. For organizations of all sizes, SaaS provides a simple and effective way to scale growth, allowing for simple onboarding and minimal maintenance. The latter can be especially welcome at nonprofits, where teams are lean and freeing up the time used to maintain productivity applications and databases has a lasting impact. But with all the benefits of SaaS, some important concerns around data protection often go overlooked.

Data loss is almost always caused by user error, accidental or malicious. A survey from Spanning found that accidental deletion of information is the leading cause of data loss from SaaS applications, responsible for 43 percent in the US and 41 percent in the UK, ahead of data loss caused by malicious insiders and hackers.

Common scenarios for cloud-based data loss

Compounding risk is the integration of key cloud applications such as Gmail or Office 365’s Exchange Online with applications like Salesforce (used for donor management or student lifecycle management), which can leave an organization further exposed.

For example, admin errors in importing or exporting data can overwrite critical data at compute speed—and when overwritten data syncs with other apps, errors spread exponentially. Nonprofit staff can also cause data loss by actions such as emptying a recycle bin full of “master” data, which cascade-deletes “detail” data. Staff and volunteers with access to SaaS systems are also a vector for ransomware attacks, which can result in financial hardship for nonprofits forced to choose between paying a significant price to unlock their data or losing access to it. Finally, malicious actors (cybercriminals or disgruntled employees who have access to an organization’s email, collaboration apps, or CRM apps) can deliberately overwrite or delete vital data, leading to cascades of data loss as noted above.

Humans aren’t always to blame, however. Something as simple as a sync error that corrupts important data, such as donor outreach records, can have a palpable impact on a nonprofit. For example, a bad sync between Gmail and Salesforce can corrupt contact activity records, leading to donors getting too many emails, feeling “spammed,” and stopping their donations.

Nonprofit sysadmins and business analysts have an important role in managing their organizations’ data, and the time spent recovering from SaaS data loss is a drain on limited resources. As such, organizations that use SaaS applications should adhere to the three pillars of data protection to keep operations running smoothly and uphold mission-driven organizations.

Three pillars of data protection for nonprofits


Automating SaaS data backup and restoration greatly reduces the number of manual steps needed to protect data, which in turn eliminates the risks that human error and inconsistent execution can add. This approach also reduces audit and governance risk.


Implementing multiple layers of security is vital to protecting a nonprofit’s mission and operations. This not only helps to secure critical data, but also contributes to overall compliance adherence. For example, a SOC 2 report describes the controls that a SaaS provider has in place to deliver on security, availability (uptime), data integrity, confidentiality, and the privacy of personal data. By ensuring that the SaaS vendors they use are SOC 2 Type II compliant, nonprofits get a window into the security measures protecting their data.


As indicated in customer reference calls and reviews, reliability goes beyond simple service uptime and accuracy—it helps ensure you’re selecting vendors you can trust. At the end of the day, this is one of the most important features that SaaS vendors can offer.

Integrating these three pillars into their policies and procedures has allowed organizations like the East Coast Migrant Head Start Project (ECMHSP) to scale up investments in cloud-based productivity applications, while meeting internal and regulatory requirements. Through its work with Spanning, ECMHSP has successfully met or exceeded recovery time objectives (RTO) in drills.

By taking an integrated approach to SaaS data threats and upholding all three pillars of SaaS data protection, nonprofits using a collaboration platform like G Suite or Office 365 along with a donor management or student lifecycle management application can maximize time and resources saved, safely and securely.

Lori Witzel
Lori Witzel, Senior Product Marketing Manager for Spanning Cloud Apps and Salesforce MVP ’15-’18, brings hands-on experience as a SaaS app administrator to her role working with the Product and Marketing Teams at Spanning. She shares a unique, research-informed perspective on the importance of SaaS data protection for Office 365 sysadmins, G Suite sysadmins, and Salesforce admins and developers.