Pick the assessment shaped for your cluster.
The regulatory layer and the vendor stack diverge enough between the four priority shapes that we built four type-specific pages. The framing, threat surface, and lens questions on each one are tuned to the actual regulators, funders, and vendors of that cluster shape. Pick the one that fits the entity at the center of your cluster; the assessment surfaces the cross-entity questions from there.
501c3 public charities and private foundations.
Operating charities, supporting charities, donor-advised funds, family foundations, and community foundations. State AG enforcement on charitable-trust duty, Form 990 disclosure, Schedule B donor confidentiality, intermediate sanctions on excess benefit transactions, grant-funder data flow obligations, sectoral overlays where applicable. The broadest audience of the four shapes.
Assessment for 501c3 public charities and private foundations →
501c19 veterans organizations (American Legion, VFW, AMVETS, DAV).
Posts operating as multi-entity clusters: the 501c19 itself, an Auxiliary or affiliate 501c4, a 501c2 holding the post home, and sometimes a 501c3 charitable arm. State liquor licensing, state gambling and raffle regulation, local property-tax exemption review, VA cooperation obligations, and the membership and donor systems most posts run on. Sterling has built and maintained technology in this segment for years.
Assessment for 501c19 veterans organizations →
Fraternal 501s: 501c8 fraternal beneficiary societies and 501c10 domestic fraternal societies.
Knights of Columbus councils, Masonic lodges, Elks, Moose, Eagles, and adjacent fraternal organizations. The council or lodge typically operates alongside a 501c3 charitable arm, a 501c2 holding the council home, and sometimes a 501c4. State AG nonprofit oversight, state-specific fraternal-benefit-society regulation for 501c8s, state liquor licensing for clubrooms, state gambling and raffle regulation, and the membership management systems specific to each Order or fraternal organization.
Assessment for fraternal 501s →
501c2 title-holding companies and 501c4 social welfare and advocacy organizations.
The support-and-advocacy structures around the operating cluster's center. The 501c2 holding the building (with debt-financed property scrutiny under IRC section 514 if the building was acquired on borrowed money). The 501c4 carrying the advocacy capacity the operating 501c3 cannot (with lobbying-allocation disclosure rules, FEC scrutiny on any electoral spending, state campaign-finance overlay, and donor-disclosure posture downstream of Americans for Prosperity Foundation v. Bonta). The cluster questions extend across both.
Assessment for 501c2 and 501c4 support structures →
If your cluster sits primarily in another 501c category (501c5 labor organizations, 501c6 trade and professional associations, 501c7 social and recreational clubs), or in a non-cluster single-entity operating nonprofit shape, the general success.build/risk assessment fits, and we will flag during the discovery call if a future type-specific surface would serve you better. The same applies if your organization's heaviest framing is sector-specific (clinical at a behavioral health nonprofit, HHA-shaped at a home care nonprofit, or faith-tradition-specific at a religious institution): see the adjacent-structures collapsible below.
The broad cross-cluster threat surface, named.
Four exposures that show up across the cluster shape no matter which 501c category sits at the center. Each type page sharpens these to its specific regulator and vendor stack. None of these are hypothetical. All of them are showing up in current state AG enforcement actions, IRS Form 990 scrutiny patterns, HHS OCR resolution agreements where HIPAA touches, and the nonprofit trade press.
Threat 1: Multi-501 cluster data flow runs across operational arrangements that may not match the legal separation the IRS expects.
Donor lists, membership rolls, beneficiary records, and governance records cross the cluster's entities under operational reality even when the entities are legally separate. The IRS reviews related-party transactions, private benefit, and excess benefit transactions on the assumption that asset and data flows between cluster members are documented and arms-length. State AGs review the cluster as a whole when a complaint or a Form 990 anomaly draws scrutiny. Most clusters cannot reconstruct who has access to what across the cluster on demand. The vendor stack determines whether the documentation exists. The Form 990 Schedule R asks about related organizations and the transactions between them; the answers have to be supportable from the records the cluster actually keeps.
Sources: IRS Form 990 Schedule R instructions on related organizations and unrelated partnerships; IRC section 4958 on excess benefit transactions and intermediate sanctions; IRC section 512 on unrelated business income tax and section 514 on debt-financed property; state nonprofit corporation law on related-party transactions (varies by state); state AG enforcement actions on cluster-wide governance (verify at assessment time).
Threat 2: State AG enforcement on nonprofit tax-exempt status is increasing across the country, and the AG looks at the whole cluster.
NY AG Charities Bureau, CA AG Registry of Charitable Trusts, DC AG Office of the Attorney General, IL AG Charitable Trust Bureau, MA AG Non-Profit Organizations and Public Charities Division, and FL Department of Agriculture and Consumer Services have all published enforcement priorities over 2023-2025 that increase nonprofit scrutiny. The AG reads the cluster as a whole. Cluster members do not get evaluated independently when the AG asks how the cluster's governance interlocks across the operating 501c3, the 501c2 building-holder, the 501c4 advocacy arm, the fraternal 501c8 or 501c10, and the 501c19 veterans entity. The Form 990 disclosures, the Schedule R related-organization filings, and the state charity registration filings have to tell a consistent story.
Sources: state AG charity oversight statutes (varies state-by-state); NY AG Charities Bureau annual reports; National Association of State Charity Officials (NASCO) annual conference materials and Single Portal Initiative documentation; recent state AG settlements with nonprofit clusters (verify current state at assessment time).
Threat 3: AI vendor activation across the cluster's vendor stack has happened without the cluster reviewing whether the data-use authorization framework matches.
The donor management platforms (Bloomerang, DonorPerfect, Salesforce NPSP, Blackbaud Raiser's Edge NXT, Neon CRM, Virtuous, Little Green Light, the Bonterra portfolio including EveryAction and ETapestry). The membership management systems (Wild Apricot, Personify, MemberSuite, YourMembership, Naylor, the Order-level systems for K of C and the major fraternals, the membership systems for the American Legion and the VFW). The grant-management platforms (Foundant, GrantHub, Submittable, Fluxx, SmartSimple, WizeHive). The building-side vendors (POS for the lounge, reservation system for the function hall, access-control vendor). Each cluster member often selected its vendor independently. The vendors activated AI features by default for existing customers across 2024 and 2025. The cluster's consent posture varies cluster-member-by-cluster-member. Where HIPAA touches (the parish school's clinic, the post's veterans-service work that interacts with VA records, a 501c3 behavioral health program inside the cluster), the Business Associate Agreement gap compounds. Where HIPAA does not touch, the donor-confidentiality duty under state common law of charitable trust and the state-AG fiduciary-duty layer carry the exposure independently.
Sources: vendor product release notes 2024-2025 for the named CRM, AMS, and grant-management vendors (verify current state at assessment time); OpenAI Enterprise Terms 2026; Anthropic Acceptable Use Policy 2026; Google enterprise terms 2026; state nonprofit-fiduciary-duty case law on board duty of care; HHS OCR Resolution Agreements 2022-2025 where HIPAA touches.
Threat 4: The 501c2 building-ownership structure and the 501c4 advocacy capacity each carry audit surfaces the operating 501c3 wouldn't carry alone.
The 501c2 holds the building to limit the operating 501c3's exposure to unrelated business income tax on rental income. But the 501c2 itself carries debt-financed property scrutiny under IRC section 514 if the building was acquired on borrowed money, and the qualifying-use rules are strict. The 501c4 carries political-activity limits (the c4 cannot support or oppose candidates as its primary activity), lobbying-allocation disclosure rules, FEC scrutiny if any electoral spending crosses the threshold, and state campaign-finance overlay where applicable. Americans for Prosperity Foundation v. Bonta (2021) struck down California's blanket donor-disclosure regime as applied to Form 990 Schedule B but left the door open for narrower compelled disclosure; downstream state regulatory responses vary materially. The cluster's c2 + c4 + c3 + fraternal + c19 entities each have a Schedule B donor-list posture, and the public-disclosure surfaces differ across them.
Sources: IRC section 501(c)(2) on title-holding companies and section 514 on debt-financed property; IRC section 501(c)(4) on social welfare and political activity limits; Treasury Regulations on lobbying allocation; FEC regulations on 501(c)(4) electioneering; Americans for Prosperity Foundation v. Bonta, 594 U.S. ___ (2021), No. 19-251; state campaign-finance and lobbying-registration statutes (varies by state); IRS Form 990 Schedule B donor-list disclosure rules.
The two lenses, sized to the cluster.
Every type-specific page narrows these to the cluster shape's actual regulatory layer and vendor stack. At the hub level, the lenses are the broad shapes of inquiry the assessment uses across all cluster members.
Lens 1: State AG and IRS exam-readiness posture across the cluster.
Governance documentation across every cluster member. Donor confidentiality practices across every cluster member. Form 990 conformance across all the entities (the operating c3's 990, the c4's 990, the c2's 990 where applicable, the c8 or c10 or c19's 990). Schedule R related-organization disclosures consistent across entity filings. Data-breach notification procedures across cluster vendors. Intermediate-sanctions and excess-benefit-transaction risk review. Sectoral overlays (HIPAA where clinical, FERPA where school, HUD where housing, state child welfare where child-serving) routed to specialist counsel where appropriate. This lens reads the cluster the way a state AG with subpoena power or an IRS reviewer with Form 990 in hand would: starting from the obligation, working outward to every cluster member and every vendor relationship, naming gaps with specificity and remediation paths with proportion.
Lens 2: Vendor sovereignty across the cluster's vendor stack.
Donor management across the cluster (CRM, donation processor, email, prospect research). Membership management for the fraternal 501 or the 501c19. Grant management (Foundant and peers). Building management for the 501c2 (POS for the lounge, reservation system for the function hall, access-control vendor). Accounting and payroll across cluster entities (QuickBooks Nonprofit, Sage Intacct Nonprofit, Aplos, MIP Fund Accounting). AI overlays wherever they have activated. Where does the cluster's data live, who has subpoena authority over it, and can the cluster produce a clean export across all entities without the vendors' active cooperation? Which AI features have been activated since the cluster member signed its current vendor agreement, and were those changes accepted by silence?
Who this is for.
The fit is clearest for nonprofit clusters in the $500K to $30M operating-budget band, with a professional staff in the 3-to-150 range, where one person (the executive director, the COO, the development director, the operations director, the council secretary, the post adjutant, the lodge secretary, the foundation administrator, the compliance officer) is the one trying to keep the cluster's governance and vendor posture coherent across all the entities. Smaller organizations should start with the general success.build/risk assessment. Larger national operating charities or major foundations ($100M+ in budget or assets) typically have an internal compliance function large enough that this surface is the wrong shape; the success.build/conformance assessment serves that buyer better.
- Operating 501c3 public charities at the center of a cluster of related 501c entities, where the operating charity carries the program work and the donations and the public-charity status. Assessment for 501c3 public charities and private foundations.
- Private foundations (donor-advised funds, family foundations, community foundations) with their own regulatory layer on private foundation excise tax, self-dealing rules, distribution requirements, and expenditure responsibility on grantee data stewardship. Assessment for 501c3 public charities and private foundations.
- 501c19 veterans organizations (American Legion posts, VFW posts, AMVETS, DAV chapters) operating multi-entity clusters. Assessment for 501c19 veterans organizations.
- Fraternal 501s (501c8 fraternal beneficiary societies and 501c10 domestic fraternal societies): Knights of Columbus councils, Masonic lodges, Elks, Moose, Eagles, and adjacent fraternal organizations where the fraternal entity holds membership-and-fellowship-and-business operations alongside other 501c entities in the cluster. Assessment for fraternal 501s.
- 501c4 social welfare and advocacy organizations carrying the political-speech capacity around an operating 501c3 mission. Assessment for 501c2 and 501c4 support structures.
- 501c2 title-holding companies operating the building that a cluster of operating 501c entities uses. Assessment for 501c2 and 501c4 support structures.
- Multi-entity clusters where the executive director, council secretary, post adjutant, lodge secretary, foundation administrator, or compliance officer is the person trying to hold the cluster's governance and vendor posture together across all the entities.
Adjacent nonprofit and cluster-adjacent structures we also work with
- Faith-based clusters where the moral framing of the cluster's work differs by tradition (a parish + parish c2 + parish c4 + parish K of C c8 + parish school c3 is the canonical example; the analogous patterns exist across Jewish federations and chevras, Muslim awqaf and zakat foundations, Eastern Orthodox jurisdictions, Protestant missionary networks, Dharmic temple and seva institutions, Chinese benevolent associations, and Latino faith and mutual-aid networks). The cluster regulatory and vendor questions are the same shape we treat here; the tradition-specific framing routes to religious institutions and diaspora community organizations.
- Behavioral health nonprofits (community mental health centers, FQHCs with behavioral health programs, SUD treatment 501c3s) where the clinical confidentiality framing carries the heaviest weight. The cluster questions overlap; the sector framing routes to the behavioral health assessment.
- Home care nonprofits (501c3 home health agencies, LHCSAs that are nonprofit-structured) where the caregiver-family-patient trust framing carries the heaviest weight. The cluster questions overlap; the sector framing routes to the home care assessment.
- 501c5 labor organizations, 501c6 trade and professional associations, 501c7 social and recreational clubs, and other 501c categories with their own regulatory shape. Real audiences exist for each; we treat them through the general success.build/risk assessment today, with type-specific surfaces possible when engagement volume warrants.
- Megafoundations and major operating nonprofits ($100M+ budgets) with internal compliance teams large enough that the in-house infrastructure carries the work. The success.build/conformance assessment serves that buyer better.
- B Corp benefit corporations operating with a social mission but under for-profit corporate law. Different legal frame; the general success.build/risk assessment is the right entry point.
Why us.
Sterling Solutions is a Westchester-based small firm operating in the same Hudson Valley communities most of the prospect nonprofit clusters we serve are rooted in. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.
We are not a CRM vendor and we are not pitching one. We are not a membership-management vendor. We are not a grant-management vendor. We are not selling the cluster a migration off any of the vendors named on this page. The assessment is not a stalking horse for a vendor-switch engagement. If the conclusion is "your cluster's vendor posture is defensible with four documentation gaps closed and a renewal-timing strategy for the next two contract cycles," that is the conclusion. We have no commission structure with any of the vendors we evaluate.
The donor gave to the mission. The beneficiary received the mission. The member carries the fellowship. The public exempted the cluster from taxation. The 501c3 holds the public-charity work and the donations. The 501c2 holds the building. The 501c4 holds the advocacy. The fraternal 501c8 or 501c10, or the 501c19 for veterans organizations, holds the membership-and-fellowship-and-business operations. Together they are accountable to one community, even when the IRS sees them as separate entities. The vendor stack the cluster operates should reflect that stewardship across all the entities, not extract from it. Sterling takes this seriously because we have operational depth in this segment. We have built and maintained technology for American Legion posts, Knights of Columbus councils, and adjacent fraternal and veterans organizations for years. The cluster's reality is not abstract to us.
We are also researching member-ownership and cooperative structures for our own firm. The goal is that as Sterling grows, the people we serve benefit alongside us, rather than the opposite (which is what every venture-backed SaaS model produces by structural necessity). A formal recommendation publishes later this year. The audience that reads this page tends to recognize this shape, because the audience that reads this page operates inside it. (See also the vertical-specific assessments shaped for mutual carriers and cooperatives, for credit unions, for solo and small-firm attorneys, for behavioral health practices and clinics, for family-owned firms in the trades, for home care agencies, and for religious institutions and diaspora community organizations.)
If your cluster's heaviest exposure is sector-specific (clinical at a community mental health 501c3, HHA-shaped at a nonprofit home health agency, faith-tradition-specific at a parish or federation or congregation), the sector vertical may be the better entry point. Sterling will help size which page to engage from on the discovery call. The cluster questions this hub treats often compose with the sector questions; we route accordingly.
What this page is not.
This is not a pitch for a six-figure modernization engagement disguised as a free assessment. The assessment is the deliverable. If you read it, file it, do the work in-house, and never speak to us again, that is a good outcome and we are not chasing you for a sales call.
This is not legal advice. Sterling Solutions is a technology firm, not a law firm. Nonprofit cluster operators typically need a nonprofit-specialist attorney for state AG, Form 990, governance, intermediate-sanctions, lobbying-allocation, and campaign-finance questions, and a nonprofit-specialist CPA for 990 preparation, excess benefit transactions, private foundation excise tax, and Schedule R related-organization disclosure. The written deliverable identifies sovereignty and vendor-posture gaps and names the regulatory categories they sit under. Decisions about specific actions (vendor contract renegotiation, audit response, lobbying-allocation method, FEC reporting posture, sale or succession structuring of cluster assets) should run through your own counsel of the appropriate type. We are happy to coordinate.
This is not a state charity registration service. Multi-state solicitation requires multi-state registration, and roughly 40 states have active registration regimes. Services exist for this (Harbor Compliance, Affinity Network, and adjacent); we route to them when registration is the operational gap.
This is not a Form 990 preparation engagement. Nonprofit specialist CPAs do that work; we route to them when 990 preparation is the operational gap.
This is not a sector-specific compliance audit. If your cluster's heaviest exposure is sector-specific, the sector vertical or a specialist firm is the right shape.
This is not a position-taking surface. Sterling is non-partisan. The regulatory facts on Form 990 Schedule B donor disclosure, on Americans for Prosperity Foundation v. Bonta and its downstream state responses, on FEC and state campaign-finance regulation of 501c4 electoral activity, and on lobbying-allocation rules apply identically to 501c4 operators across the political spectrum. The page names the regulatory reality clearly. It does not editorialize on the underlying political positions, and it does not adopt language that signals partisan alignment in any direction.
Tire-kickers, briefly.
The evaluation is honest work. We do the homework on our end. We pull the current public terms of service and BAA templates for the vendors your cluster names. We check the most recent product release notes and amendments for the named CRM, AMS, and grant-management vendors. We pull the cluster member's most recent Form 990 filings from the IRS public file. We come to the evaluation session prepared. We ask the same of you: bring the executive director, the council secretary, the post adjutant, the lodge secretary, the foundation administrator, or the compliance officer who actually makes the cluster's vendor decisions, and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.
One discovery call.
Thirty minutes for the hub discovery. Pick the cluster-specific page first if you can (501c3 public charities and private foundations, 501c19 veterans organizations, fraternal 501s, 501c2 and 501c4 support structures) and book from there; the cycle is sized to the cluster on the call. The next state AG inquiry, the next Form 990 filing review, the next state charity registration audit, the next grant funder reporting cycle, the next sectoral overlay audit (where applicable) is going to ask these questions whether or not the cluster has a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in the cluster's favor by default. Sterling is happy to help close it.
Heads-up on the booking page: the booking widget currently shows 30-minute slots. That is the right length for the hub-level cluster discovery. The cluster-type pages explain the per-type cycle. If the standard slot does not work for you, email [email protected] and we will find a slot that fits.
success.build/risk/nonprofits · [email protected] · cluster-type pages route from here