Sovereignty Maturity Assessment for Religious Institutions

Your records span generations. The people in them never consented to commercial intermediation.

Every tradition names the obligation differently. The duty is the same.

A baptism in 1962. A chevra burial society's roll going back four generations. A Chinese benevolent association's family ledger of remittances since 1948. An awqaf donor register reaching across borders. A parish sacramental record older than the diocese it sits inside. A federation's member roll that includes people who gave their first dollar in 1979 and whose grandchildren now receive scholarships from the same fund. These are records every religious institution and diaspora community organization holds in some shape, and every tradition names the obligation to steward them carefully in its own vocabulary. Dignity. Shmirat ha-lashon. Amanah. Stewardship. Duty of care. Selfless service. Duty of trust. The vocabulary differs. The duty is the same.

And somewhere between roughly 2018 and now, a Church Management System vendor, a donor-management platform, a federation operational platform, or a generic AI-overlay vendor inserted itself between the institution and the record. The contract was signed years ago by a board member, a development director, an executive director, or a finance officer who was optimizing for a different problem at the time. The terms went unread at install. The vendor's data-handling posture lived in a Data Processing Addendum nobody opened. Then 2024 and 2025 arrived, AI features were activated by default across the institutional-software stack, and the BAA-equivalent or donor-data-handling addendum signed three years ago started covering processing the original signers never contemplated.

Layer the regulatory stack on. State Attorney General authority over tax-exempt organizations runs the primary enforcement layer, with NY AG Charities Bureau as the long-running model. Donor confidentiality, prudent management of charitable assets, and governance failures all sit inside the AG's enforcement posture. IRS rules on 501(c)(3) status, 990 disclosure boundaries, and Form 990 Schedule B donor-confidentiality (with the Americans for Prosperity Foundation v. Bonta 2021 precedent shaping state-level Schedule B disclosure litigation). State charity registration in most states for organizations soliciting donations. State data-breach notification laws in every state — religious institutions are not exempt. State privacy laws (NY SHIELD, MODPA, CCPA, and the rest) for data of members, donors, and beneficiaries who are state residents. HIPAA for institutions operating clinical services. FERPA for institutions operating parochial schools, day schools, yeshivot, madaris, or dharmic schools. Each layer has its own audit, its own penalty surface, and its own expectations about how the vendor stack handles the data underneath.

This page exists to give you a written, sourced evaluation of where your institution's sovereignty posture stands today. Free. Built around the four structural types this surface serves: single-congregation institutions, national federations and umbrella organizations, diaspora mutual-aid societies, and faith-based foundations and apostolates. The regulatory overlay, the vendor stack, the governance shape, and the moral weight differ enough between them that the deeper read happens on a type-specific page. Pick yours from the routing below, or read through the broad threat surface here.

Pick the assessment shaped for your institution.

The regulatory layer, the vendor stack, the budget shape, and the governance reality diverge enough between the four structural types that we built four type-specific pages. The framing, threat surface, and lens questions on each one are tuned to that type's actual regulators, payers, vendors, and audience. Pick the one that fits. The tradition cross-cut lives in a collapsible inside this page and inside each type page, so the type axis and the tradition axis can both be navigated cleanly.

Single-congregation institutions.

Local parishes, individual synagogues, single masjid, single temple, single church or assembly. Smaller operating budgets in the $100K to $2M annual range, owner-operator-equivalent shape with one pastor, rabbi, imam, priest, swami, or elder making most decisions. Church Management System vendor lock-in is the practical exposure; donor confidentiality at the small-congregation scale is the moral exposure. Short cycle natural fit.

Assessment for single-congregation institutions →

National federations and umbrella organizations.

Catholic dioceses, Jewish federations, Islamic relief national bodies, Eastern Orthodox jurisdictions, Protestant denominational bodies, national Hindu, Buddhist, Sikh, or Jain temple bodies, Chinese benevolent association nationals, Latino faith network nationals. Multi-site governance, distinct legal entities, more complex vendor stack, board fiduciary duty under state nonprofit corporation law, and multi-state charity registration. Long cycle natural fit.

Assessment for national federations and umbrella organizations →

Diaspora mutual-aid societies.

Chinese benevolent associations, Latino mutual-aid networks, family associations, immigrant-serving organizations. Often older than the privacy statutes, governed through community practice as much as written policy, with data intimacy at multi-generational scale. Remittance and immigration-adjacent data sensitivity is higher than other types; vendor exposure is often lower because many organizations run on Excel and bespoke databases. The data carries community memory. Scope-selectable cycle.

Assessment for diaspora mutual-aid societies →

Faith-based foundations and apostolates.

Catholic foundations, Jewish family foundations, Islamic relief organizations, Protestant denomination-aligned foundations. Donor-facing institutions tied to a religious tradition, operating with professional staff and substantial grants in the $1M to $50M annual band. Sits at the intersection of religious tradition, nonprofit governance, and donor-fiduciary obligations. Three intersecting data flows: donor data, grant-funder data, grantee data. Scope-selectable cycle.

Assessment for faith-based foundations and apostolates →

If you operate a megachurch with corporate staffing, a for-profit religious media or publishing company, a solo religious counseling practice, or a religious publisher operating a distinct vendor stack, the work shape is different enough that this surface is not yet shaped for you. The general success.build/risk assessment fits as a starting point, and the success.build/conformance surface serves larger institutional buyers better.

The broad threat surface, named.

Four exposures that show up across all four institutional types in different shapes. Each type page sharpens these to the type's specific regulator and vendor stack. None of these are hypothetical. All of them are showing up in current state Attorney General Charities Bureau enforcement actions, IRS examination patterns, state data-breach notification filings, vendor product release notes, and nonprofit-technology trade press coverage.

Threat 1: AI vendor training-on-your-data clauses collide with every tradition's privacy obligation, regardless of how that obligation is named.

OpenAI, Anthropic, and Google's enterprise terms each contain provisions for using customer prompts and outputs to improve their systems unless the institution opts out, and the opt-out is often only available on annual contracts above a price floor most small religious institutions cannot reach. The Church Management System vendor, the donor-management platform, the federation operational platform, and the generic AI overlays in the institutional stack have all integrated similar AI features over 2024 and 2025. The institution's covenant with members, donors, and beneficiaries did not contemplate this. Every tradition names the obligation to steward those records carefully in its own vocabulary, and every tradition's vocabulary lands on the same point: the people in the records came to the institution because they trusted the institution, not the institution's vendor.

Sources: OpenAI, Anthropic, and Google enterprise terms 2026; ABA Formal Opinion 512 on generative AI as cross-professional precedent on confidentiality-collision; vendor product release notes 2024-2025 across major ChMS and donor-management platforms (verify current state at assessment time); tradition-specific authoritative texts on data-stewardship obligations (canon law on sacramental confidentiality; halakhic sources on shmirat ha-lashon; awqaf governance references; and the rest, each within its own tradition's internal scholarship).

Threat 2: State Attorney General enforcement on tax-exempt organizations is active, and donor data is in scope.

State Attorneys General hold the primary enforcement authority over tax-exempt organizations, including religious institutions and faith-based foundations. NY AG Charities Bureau runs the longest-standing sustained enforcement program and is the model many other states reference. Donor confidentiality, governance, prudent management of charitable assets, and breach-of-fiduciary-duty enforcement all sit inside the AG's surface. State AGs increasingly attend to cyber posture and data-handling practices as part of broader governance review, particularly when an incident triggers a state breach-notification filing. Form 990 Schedule B donor-confidentiality litigation (Americans for Prosperity Foundation v. Bonta, 594 U.S. 595 (2021)) settled the federal constitutional question on state-mandated Schedule B disclosure, but the broader state-level interest in donor data protection and tax-exempt governance has not lifted.

Sources: NY AG Charities Bureau annual reports and published enforcement actions; state AG Charities Bureau equivalents in CA, IL, MA, FL, TX, and other states; Americans for Prosperity Foundation v. Bonta, 594 U.S. 595 (2021); state privacy laws (NY SHIELD Act, Maryland Online Data Privacy Act, CCPA, and the rest); IRS guidance on Form 990 Schedule B donor-confidentiality; state charity-registration tracker via CharitableSolicitations.com (verify current state at assessment time).

Threat 3: Church Management Systems and federation operational platforms have activated AI features without denominational review.

Planning Center, Realm, Tithe.ly, Subsplash, Faithlife, MinistryPlatform, Shelby Systems, Aplos, the Ministry Brands portfolio, and tradition-specific platforms (ParishSOFT, ShulCloud, and the rest) have shipped AI-assisted features across 2024 and 2025: pastoral-care follow-up suggestions, donor-engagement intelligence, attendance and giving prediction, communications personalization, transcription of recorded services. The pattern is the same as in healthcare, finance, legal, and home care: the vendor activates AI features by default, with the BAA-equivalent or data-processing addendum signed at install treated as sufficient because the data was already in the platform. The institution's covenant with members and donors did not contemplate AI processing of pastoral, sacramental, attendance, giving, or relational records. The vendor's Terms of Service amendment was sent to whoever signed the original install and read like every other vendor update from every other vendor that month.

Sources: ChMS vendor product release notes and terms-of-service updates 2024-2025 (Planning Center, Realm, Tithe.ly, Subsplash, Faithlife, MinistryPlatform, Shelby Systems, Aplos, Ministry Brands, Pushpay, and tradition-specific platforms — verify current state at assessment time); nonprofit-technology trade press coverage (TechSoup, Nonprofit Quarterly, NTEN reporting, Church Tech Today, Religion News Service technology coverage); Sterling's anti-lock-in doctrine (REFERENCE_anti-lock-in-doctrine.md).

Threat 4: Multi-generational records create disproportionate breach exposure. The records span generations, and the people in them never consented to commercial intermediation.

Sacramental records can be a century old. Diaspora mutual-aid records carry community memory across generations and across borders. A federation member roll can include people who gave their first dollar decades ago and whose grandchildren now receive scholarships from the same fund. A breach of those records is not the same as a breach of last year's customer list. The institution holds something more fragile than a customer relationship. The people in the records did not choose to be commercially intermediated, and many of them are no longer alive to consent or object. State breach notification laws apply regardless of the data's age, and reputational consequences in tight-knit religious or diaspora communities are difficult to measure but real. When a breach happens, the conversation is not only with regulators; it is with the families whose records were exposed, including families whose elders trusted the institution generations ago.

Sources: state breach notification laws (all 50 states and DC; see NCSL Security Breach Notification Laws tracker); state Attorney General breach-notification filings against nonprofit and religious organizations 2022-2025; news coverage of named breaches at religious institutions and faith-based organizations (diocesan ransomware events, denominational data breaches, genealogical-record incidents — verify specific cases at assessment time); IAPP US State Privacy Tracker 2026.

The two lenses, sized to the institution.

Every type-specific page narrows these to the institution's actual regulatory layer and vendor stack. At the hub level, the lenses are the broad shapes of inquiry the assessment uses.

Lens 1: State AG, IRS, and state privacy law exam-readiness posture.

What can your institution produce on demand to show that your governance documentation, donor confidentiality practices, 990 disclosure conformance, data-breach notification procedures, state charity registration, and any sectoral overlay (FERPA for institutions operating schools, HIPAA for institutions operating clinical services) are consistent with the enforcement expectations of the state AG Charities Bureau, the IRS, and the state privacy regulator? Where are the gaps a state AG inquiry, an IRS examination, or a state breach-notification audit would find? This lens reads your institution's environment the way a thoughtful charities bureau investigator with subpoena power would: starting from the obligation, working outward to the vendor relationships, naming the gaps with specificity and the remediation paths with proportion.

Lens 2: Vendor sovereignty across the institutional stack.

What does your Church Management System, your donor-management platform, your accounting and payroll system, your fundraising and email platform, your member portal, your livestream and media tooling, and any AI overlay actually claim in their current Terms of Service, Data Processing Addenda, and AI feature activation defaults? Where does your data live, who has subpoena authority over it, and can you produce a clean export of every member record, every donor record, every sacramental or pastoral record, and every grant or beneficiary record without the vendor's active cooperation? Which AI features have been activated since your original install, and were those changes accepted by silence? When the vendor next sends an amendment, does your institution have a documented review process before someone clicks accept?

The hybrid cycle, sized to the institution.

Religious institutions and diaspora community organizations default to scope-selectable. Short cycle works for focused questions (a specific vendor amendment review, a breach-notification readiness check, an upcoming state AG Charities Bureau filing). Long cycle works for institutions preparing for a board-level governance review, a sustained data-stewardship documentation effort, a federation-wide vendor consolidation evaluation, or a state-AG inquiry already in motion.

  • Short cycle (about two hours of your time, roughly one week elapsed). Thirty-minute discovery call. Homework on your side: a list of your current institutional-software vendors, the specific question you want answered, and any pending state filing or vendor amendment that is shaping the timing. One sixty-minute evaluation session. A three-to-six page written posture document delivered within five business days.
  • Long cycle (about ten business days, multi-vendor and multi-regulator reconciliation deliverable). Forty-five-minute discovery call. One week of homework on our side: we pull current public terms for the vendors you name, current state AG Charities Bureau filing and enforcement context, current state privacy and breach-notification guidance, and current IRS examination posture for tax-exempt organizations in your structural category. One ninety-minute evaluation session with the executive director, the board chair or governance committee chair, the development director, and the operations or finance lead. A six-to-twelve page written posture document within five business days.

The choice is made on the discovery call. Either option is free. (See also the parent success.build/risk assessment when the question is broader than this vertical.)

Who this is for.

The fit is clearest for religious institutions and diaspora community organizations where the executive director, board chair, finance officer, or operations lead is the person reading vendor contracts and making the institutional-software decisions, and where the institution holds membership rolls, donor records, beneficiary lists, sacramental or pastoral records, mutual-aid history, or intergenerational family data the institution wants to steward carefully. Smaller institutions should start with the general success.build/risk assessment. Larger institutional buyers with full procurement, legal, and InfoSec teams already in-house are better served by the success.build/conformance entry surface.

  • Single-congregation institutions at the parish, individual synagogue, single masjid, single temple, or single church or assembly scale, with $100K to $2M annual operating budget and one pastor, rabbi, imam, priest, swami, or elder making most decisions. Assessment shaped for single-congregation institutions.
  • National federations and umbrella organizations including Catholic dioceses, Jewish federations, Islamic relief national bodies, Eastern Orthodox jurisdictions, Protestant denominational bodies, national Hindu, Buddhist, Sikh, or Jain temple bodies, Chinese benevolent association nationals, and Latino faith network nationals. Assessment shaped for national federations and umbrella organizations.
  • Diaspora mutual-aid societies including Chinese benevolent associations, Latino mutual-aid networks, family associations, and immigrant-serving organizations, with data intimacy at multi-generational scale. Assessment shaped for diaspora mutual-aid societies.
  • Faith-based foundations and apostolates with donor-facing operations, professional staff, and substantial grants in the $1M to $50M annual band. Assessment shaped for faith-based foundations and apostolates.
  • Institutions operating parochial schools, day schools, yeshivot, madaris, or dharmic schools with the additional FERPA layer on student records.
  • Institutions operating clinical services (hospital systems, health clinics, behavioral health programs that bill insurance) with the additional HIPAA layer; the behavioral health assessment may also fit if BH is the primary line.
  • Institutions with significant grant-funding operations (incoming foundation grants, outgoing programmatic grants, government grants) where the grant data trail intersects with the donor and beneficiary data trails.

Traditions and community structures we work with (the cross-cut).

  • Catholic apostolates, foundations, and missions with donor and beneficiary data that deserves better than vendor capture.
  • Jewish federations, chevras, day schools, and burial societies stewarding member, donor, and family records under duties older than any privacy statute.
  • Muslim awqaf, zakat foundations, and Islamic relief organizations holding donor and beneficiary data in trust (amanah), often across borders and jurisdictions.
  • Eastern Orthodox jurisdictions and parish networks with sacramental, pastoral, and stewardship records that should never have been someone else's training data.
  • Protestant missionary societies, evangelical networks, and faith-based NGOs with field-worker, congregant, and partner data crossing legal jurisdictions.
  • Dharmic temple and seva institutions (Hindu, Buddhist, Jain, Sikh) stewarding devotee, donor, and service-recipient records.
  • Chinese benevolent associations, family associations, and diaspora mutual-aid societies with membership, remittance, and intergenerational records that carry community memory.
  • Latino faith communities, mutual-aid networks, and immigrant-serving organizations with congregant, beneficiary, and immigration-adjacent data under elevated risk.

Adjacent religious-and-community structures we also work with.

  • Megachurches with megachurch budgets and corporate staffing where the institutional buyer profile matches a mid-sized enterprise more than a small congregation; the success.build/conformance surface fits better.
  • For-profit religious media and publishing companies where the business shape is media-and-IP rather than congregation-and-donor; a different assessment shape.
  • Solo religious counselors and pastoral counselors where the work shape is solo professional practice; the behavioral health assessment fits if the counselor is clinically licensed and bills insurance, otherwise the general success.build/risk surface.
  • Religious publishers and curriculum providers operating a distinct vendor stack around content management, e-commerce, and subscription delivery; a different assessment shape.
  • Religious schools that are primarily K-12 educational institutions with the FERPA-and-state-education-law overlay as the central regulatory layer; an adjacent shape with significant overlap to this surface.
  • Faith-based institutions operating as multi-501 clusters where the heaviest framing is the regulatory cluster reality (a parish with a parish 501c3, a parish 501c2 holding the hall, a parish 501c4 advocacy arm, a parish K of C 501c8 council, and a parish school 501c3 subsidiary; or analogous patterns in Jewish federations, Muslim awqaf, Eastern Orthodox jurisdictions, Protestant networks, Dharmic institutions, and diaspora associations) rather than the tradition-specific moral framing this surface leads with. The cross-cluster regulatory and vendor questions are treated at the nonprofits and tax-exempt organizations assessment, with type pages for 501c3 public charities and private foundations, 501c19 veterans organizations, fraternal 501s (501c8 and 501c10), and 501c2 title-holding and 501c4 social welfare support structures.

Why us.

Sterling Solutions is a Westchester-based small firm. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.

Sterling is the technical-layer firm. The tradition holds its own ethical layer. We do not speak for any tradition and we do not pretend to. We do not recommend on matters with religious-law implications. When the question is whether a particular data practice meets your tradition's internal stewardship obligation, the answer comes from your tradition's relevant authority, not from us. What we do is hold the technical layer: what the vendor actually does with the data, what the contract actually says, what the regulator actually expects, and where the institution's posture would or would not hold up under examination. The cross-tradition resonance is real because every tradition's data-stewardship obligation is older than the privacy statutes and deserves to be honored on its own terms, but the work we do is technical work, not theological work.

The same anti-lock-in doctrine protects member sovereignty for the mutual carriers and cooperatives we work with, client confidentiality for the solo and small-firm attorneys we work with, therapeutic alliance for the behavioral health practices we work with, the customer-list equity of family-owned firms in the trades we work with, the caregiver-family-patient trust of home care agencies we work with, and the cluster-stewardship duty of nonprofits and tax-exempt organizations operating as multi-entity 501c clusters we work with. That same doctrine applies here, in a context where the moral weight is older than every privacy statute on the books. The moral frame is cross-tradition fiduciary, distinct from the cooperative-member-ownership frame at mutual carriers, the therapeutic-alliance frame at behavioral health practices, the privilege-holding frame at attorneys, the customer-list-as-business-equity frame at trades firms, the caregiver-family-patient-trust frame at home care agencies, and the cluster-stewardship frame at nonprofits. Same doctrine, different vertical, different shape of the underlying obligation. When the institution operates as a faith-based multi-501 cluster (a parish operating a 501c3 with a 501c2 hall and a parish K of C 501c8 council, a Jewish federation with a foundation and a school 501c3 and a chevra mutual-aid c8, a Muslim awqaf with affiliated zakat foundations and a 501c3 relief operation), the cluster-form regulatory and vendor questions compose with the tradition-specific framing this page leads with; the cluster-form treatment is at the nonprofits and tax-exempt organizations assessment, with type pages for 501c3 public charities and private foundations, fraternal 501s (501c8 and 501c10), and 501c2 title-holding and 501c4 social welfare support structures.

What this page is not.

This is not a pitch for a six-figure modernization engagement disguised as a free assessment. The assessment is the deliverable. If you read it, file it, do the work in-house, and never speak to us again, that is a good outcome and we are not chasing you for a sales call.

This is not legal advice. Sterling Solutions is a technology firm, not a law firm. Religious institutions and faith-based foundations typically need both their own legal counsel (for state AG, IRS, state privacy law, employment, governance, and tax-exempt matters) and, for decisions with religious-law implications, the tradition's relevant canonical, halakhic, awqaf, denominational-polity, or community-governance authority. The written deliverable identifies sovereignty and vendor-posture gaps and names the regulatory categories they sit under. Decisions with legal or religious-law consequence should run through the appropriate counsel and authority. We are happy to coordinate.

This is not theological advice. Sterling is not a religious authority. We do not speak for any tradition. The technical layer is ours; the ethical layer belongs to the tradition. The assessment names what the vendor actually does and what the regulator expects; the tradition names what the obligation requires.

This is not a tradition-specific endorsement of any particular vendor or approach. The assessment evaluates what the vendor stack actually does against what the institution is trying to steward. The conclusion may favor one vendor over another in a specific institutional context, but the page itself does not endorse vendors by tradition or community.

Tire-kickers, briefly.

The evaluation is honest work. We do the homework on our end. We pull the current public terms of service and data-processing addenda for the vendors you name. We check the most recent product release notes and amendments. We come to the evaluation session prepared. We ask the same of you: bring the executive director, board chair, or finance officer who actually makes the vendor decisions, and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.

One discovery call.

Thirty minutes for the hub discovery. Pick the institution-specific page first if you can (single-congregation institutions, national federations and umbrella organizations, diaspora mutual-aid societies, faith-based foundations and apostolates) and book from there; the cycle is sized to the institution on the call. The Church Management System, the donor-management platform, the federation operational platform, and the AI overlays your institution relies on today are going to be the subject of the next state AG Charities Bureau inquiry, the next breach-notification trigger, the next vendor amendment, or the next board-level governance review whether or not you have a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in your favor by default. Sterling is happy to help close it.

Book the discovery call →

Heads-up on the booking page: the booking widget currently shows 30-minute slots. That is the right length for the hub-level discovery call. The institution-type pages explain the per-type cycle. If the standard slot does not work for you, email [email protected] and we will find a slot that fits.

success.build/risk/religious-institutions · [email protected] · institution-type pages route from here