What the assessment actually delivers.
A written sovereignty-posture document organized the way a thoughtful state AG Charities Bureau investigator, an IRS examiner of tax-exempt foundations, or a board-level governance committee chair would organize a review of a faith-based foundation or apostolate at the $1M to $50M+ grant-making scale. Three to six pages on the short cycle. Six to twelve pages on the long cycle. Named observations sourced to your foundation's actual donor-management, grant-administration, and reporting infrastructure, with a remediation order written for the foundation's actual environment: the executive director, the chief development officer, the chief program officer or director of grants administration, the chief financial officer or controller, the board chair or governance committee chair, and (where applicable) general counsel.
Lens 1: State AG charitable-trust, IRS, and state privacy law exam-readiness posture at the foundation scale.
What can your foundation produce on demand to show that your prudent-management documentation, your donor-confidentiality practices (including Form 990 Schedule B posture), your grant-administration governance, your multi-state charity registration status, your data-breach notification readiness across donor and grantee jurisdictions, and any federal grant compliance posture (Uniform Guidance, where applicable) are consistent with what the state AG Charities Bureau, the IRS, and the state privacy regulators expect? Where would a Charities Bureau inquiry, an IRS examination of a tax-exempt foundation, or a state breach-notification audit find a gap? This lens reads your foundation's environment the way a thoughtful general counsel with charitable-trust experience would.
Lens 2: Vendor sovereignty across the foundation stack, with the donor-management platform at the center.
What does your donor-management platform (Bloomerang, DonorPerfect, Salesforce NPSP, Blackbaud Raiser's Edge NXT, or comparable) actually claim in the current Terms of Service and Data Processing Addendum? When was the addendum last amended? What AI features have been activated on the foundation's account since the original install? Can you export every donor record, every grant record, every grantee record, and every beneficiary record cleanly without the vendor's active cooperation? What does your grant-administration software, your accounting and investment-management software, your fundraising and communications platform, and any AI overlay look like around the donor-management center? Where does each data flow live, who has subpoena authority over it, and where are the data-handling addendum gaps that would surface in a state AG inquiry or an IRS examination?
The deliverable is yours. Keep it, share it with the board's governance or audit committee, use it in a vendor renewal negotiation, share it with the foundation's general counsel or external counsel ahead of a state filing or anticipated inquiry, or work the remediation in-house.
The threat surface, named for faith-based foundations and apostolates.
Four exposures sized specifically for foundations and apostolates in the $1M to $50M+ annual grant-making range with professional staff, board-level governance, and multi-state donor and grantee relationships. None of these are hypothetical. All of them are showing up in current state AG Charities Bureau enforcement actions, IRS examination patterns on tax-exempt foundations, state breach-notification filings, and nonprofit-technology trade press coverage of donor-management and grant-administration platform behavior.
Threat 1: Donor data, grant-funder data, and grantee data create three intersecting flows the vendor processes in ways the original consent did not contemplate.
The donor who gave $50,000 anonymously in 2018 was consenting to the foundation's use of the gift to advance its mission. The donor was not consenting to AI wealth-screening of the donor's external public records to predict future giving capacity. The grantee whose program records the foundation holds for accountability purposes was consenting to the grant-administration relationship. The grantee was not consenting to AI engagement modeling that produces relationship intelligence the grantee will never see and the foundation may not have governance for. The donor-management platform's AI feature activation since 2024 has expanded what the platform does with all three data flows at once, often by default, often with an amendment that read like every other vendor update from every other vendor that month. The foundation that has documented its data-handling posture across the three flows is in a fundamentally different position than the foundation that has not.
Sources: donor-management platform terms-of-service amendments 2024-2025 (Bloomerang, DonorPerfect, Salesforce NPSP, Blackbaud Raiser's Edge NXT, and comparable — verify current state at assessment time); state common law of charitable trust on donor-restriction enforcement; IRS guidance on donor-advised fund and private foundation reporting; nonprofit-technology trade press coverage of donor-management AI feature activation patterns.
Threat 2: Form 990 Schedule B donor-confidentiality posture under the Bonta backdrop and state-level disclosure pressure.
Foundations at this scale file Form 990 (long form), with Schedule B reporting to the IRS the donors who gave $5,000 or more. Schedule B is not publicly disclosed at the federal level; the state-level disclosure question was reshaped by Americans for Prosperity Foundation v. Bonta, 594 U.S. 595 (2021), which held that California's requirement that charities submit unredacted Schedule B to the state AG violated the First Amendment. The decision did not end state interest in donor-confidentiality and prudent-management oversight; it reshaped the constitutional backdrop. State AGs continue to take donor-confidentiality seriously in their charitable-trust enforcement, and the foundation that has documented its Schedule B handling posture, its donor-record access controls, and its breach-notification readiness for donor PII is in a fundamentally different position than the foundation that has not.
Sources: IRS Form 990 Schedule B instructions and donor-confidentiality guidance; Americans for Prosperity Foundation v. Bonta, 594 U.S. 595 (2021); state AG enforcement actions on donor-confidentiality 2022-2025; state nonprofit corporation law on prudent management of charitable assets (varies by state); state privacy laws applicable to donor PII.
Threat 3: State AG enforcement on charitable trust prudent-management obligations applies at the foundation scale and donor-data handling is part of that surface.
State Attorneys General hold enforcement authority over charitable trusts and tax-exempt foundations. NY AG Charities Bureau runs the longest-standing program; CA, IL, MA, FL, and other states have meaningful equivalents. The prudent-management duty extends to how the foundation handles donor and grantee data, including the vendor relationships through which that data is processed. A breach of donor or grantee data at a foundation is not just a breach-notification incident; it is a potential breach-of-fiduciary-duty inquiry by the state AG. The foundation that has documented its governance around donor and grantee data handling — including the vendor-amendment review process, the AI feature activation governance, the multi-state breach-notification posture, and the board-level oversight — is in a fundamentally different position than the foundation that has not.
Sources: NY AG Charities Bureau enforcement actions and annual reports; state AG Charities Bureau equivalents in CA, IL, MA, FL, TX, and other states; state nonprofit corporation law on charitable-trust prudent-management (varies by state); IRS guidance on private-foundation governance and excess-benefit-transaction enforcement; state common law of charitable trust on donor-restriction enforcement.
Threat 4: Multi-state breach notification compounds across donor, grantee, and beneficiary jurisdictions, and a single vendor incident triggers obligations across every state where affected people reside.
A faith-based foundation's data set routinely covers donors across many states, grantees across many states, and beneficiaries across many states. A single ransomware event, a single phishing-driven credential compromise, or a single vendor breach involving the donor-management platform, grant-administration system, or financial-management software can trigger state breach-notification obligations across the union of those state surfaces. The notification timelines, content requirements, and regulator-notification processes vary by state; the foundation that has not documented its multi-state incident-response posture in advance is going to be reconstructing it under time pressure while also managing the substantive incident. The reputational layer is also real, and at the foundation scale it intersects directly with future-fundraising capacity.
Sources: state data-breach notification laws (all 50 states and DC; NCSL Security Breach Notification Laws tracker); state AG breach-notification filings against foundation and nonprofit organizations 2022-2025; foundation-scale breach coverage in mainstream and nonprofit-sector press 2022-2025 (verify specific named incidents at assessment time); IAPP US State Privacy Tracker 2026.
The cycle, sized to the faith-based foundation or apostolate.
Faith-based foundations and apostolates default to scope-selectable. Short cycle works for focused governance questions (a specific donor-confidentiality posture review, a specific vendor amendment review, a specific upcoming state filing, a specific board-committee documentation request). Long cycle works for foundations preparing for board-level governance review, sustained grant-program documentation work, multi-state charity registration audit, or state AG inquiry already in motion.
- Short cycle (about two hours of your time, roughly one week elapsed). Thirty-minute discovery call. Homework on your side: a list of your current donor-management, grant-administration, and financial-management vendors, the specific question you want answered, and any pending state filing, vendor amendment, or board meeting shaping the timing. One sixty-minute evaluation session. A three-to-six page written posture document delivered within five business days.
- Long cycle (about ten business days; the deliverable reconciles posture across multiple vendors, multiple states, and multiple data flows). Forty-five-minute discovery call. One week of homework on our side: we pull current public terms for the vendors you name, current state AG Charities Bureau filing and enforcement context for your registered states, current state privacy and breach-notification guidance across donor and grantee jurisdictions, and current IRS examination posture for tax-exempt foundations at your scale. One ninety-minute evaluation session with the executive director, chief development officer, chief program officer or director of grants administration, chief financial officer or controller, board chair or governance committee chair, and (where applicable) general counsel. A six-to-twelve page written posture document within five business days.
The choice is made on the discovery call. Either option is free.
Who this is for.
The fit is clearest for faith-based foundations and apostolates in the $1M to $50M+ annual grant-making range with professional staff, board-level governance, and donor and grantee relationships across multiple states. The pattern generalizes across traditions: the foundation-scale regulatory and vendor exposure shape is similar across Catholic, Jewish, Islamic, Eastern Orthodox, Protestant, and Dharmic foundations.
- Catholic foundations and apostolates (diocesan foundations, religious-order foundations, lay-led Catholic foundations, Catholic apostolate organizations with grant programs) with donor and grantee relationships across states and (sometimes) borders.
- Jewish family foundations, federation-affiliated foundations, and Jewish denominational foundations with donor, grant-funder, and grantee data flowing through donor-management infrastructure at federation scale.
- Islamic relief organizations, awqaf-governed foundations, and zakat-administering foundations with multi-state and international grant-administration responsibilities and donor-confidentiality obligations under amanah.
- Eastern Orthodox foundations and apostolates tied to jurisdictional or parish-network governance with stewardship obligations to donors and beneficiaries.
- Protestant denomination-aligned foundations and mission-society foundations with denominational governance, donor-confidentiality obligations, and multi-state or international grantee relationships.
- Dharmic foundations (Hindu, Buddhist, Jain, Sikh) with seva-program administration, donor and devotee stewardship, and multi-state or international grantee relationships.
- Foundations preparing for board-level governance review, audit-committee documentation, or anticipated state AG inquiry where donor, grantee, and beneficiary data handling will be examined in scope.
- Foundations in or considering significant grant-program restructuring or program-related-investment expansion where the data-stewardship posture across the expanded surface needs documentation.
Traditions and community structures we work with (the cross-cut).
- Catholic apostolates, foundations, and missions with donor and beneficiary data that deserves better than vendor capture.
- Jewish federations, chevras, day schools, and burial societies stewarding member, donor, and family records under duties older than any privacy statute.
- Muslim awqaf, zakat foundations, and Islamic relief organizations holding donor and beneficiary data in trust (amanah), often across borders and jurisdictions.
- Eastern Orthodox jurisdictions and parish networks with sacramental, pastoral, and stewardship records that should never have been someone else's training data.
- Protestant missionary societies, evangelical networks, and faith-based NGOs with field-worker, congregant, and partner data crossing legal jurisdictions.
- Dharmic temple and seva institutions (Hindu, Buddhist, Jain, Sikh) stewarding devotee, donor, and service-recipient records.
- Chinese benevolent associations, family associations, and diaspora mutual-aid societies with membership, remittance, and intergenerational records that carry community memory.
- Latino faith communities, mutual-aid networks, and immigrant-serving organizations with congregant, beneficiary, and immigration-adjacent data under elevated risk.
Adjacent foundation-and-apostolate structures we also work with.
- Faith-based community foundations and donor-advised fund sponsors with intermediary-fundholder responsibilities and a donor-confidentiality posture distinct from operating foundations; some of their questions sit cleanly within this assessment.
- Faith-based foundations operating program-related investments or social-impact investing programs where the investment side adds a layer to the data-stewardship posture.
- Faith-based foundations with significant federal grant pass-through where Uniform Guidance (2 CFR Part 200) applies to the grant-administration posture.
- Faith-based foundations operating clinical or behavioral health programs where HIPAA overlays the foundation's posture; the behavioral health assessment may also fit for those program areas.
- Faith-based foundations operating K-12 education-grant programs where FERPA and state education law overlay the grantee-data posture.
- Faith-based foundations in or considering merger, consolidation, or asset transfer with another foundation where data-trail completeness shapes the transaction.
Why us.
Sterling Solutions is a Westchester-based small firm. We do not run on venture capital. We do not have a sales team pretending to be your friend. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it.
We are not a donor-management platform vendor, a grant-administration platform vendor, or a foundation operational platform vendor. We are not pitching a migration off any of those. The assessment is not a stalking horse for a vendor switch. If the conclusion is "your donor-management stack is defensible with three governance documentation gaps closed and an AI-feature-activation consent process to document," that is the conclusion. We have no commission structure with any vendor.
Sterling is the technical-layer firm. The tradition holds its own ethical layer. We do not speak for any tradition or denomination. When the question is whether a particular data-stewardship practice meets your tradition's or denomination's internal obligation around donor, grantee, or beneficiary data, the answer comes from your tradition's or denomination's relevant authority — canonical authority, halakhic authority, awqaf governance, synodical body, denominational polity structure, or community-governance authority — not from us. The cross-tradition resonance is real because every tradition's donor-stewardship and beneficiary-confidentiality obligation is older than the charitable-trust statutes and deserves to be honored on its own terms. We hold the technical layer cleanly so the foundation's leadership and the relevant tradition authorities can focus on the ethical layer with clean technical ground underneath.
What this page is not.
This is not a pitch for a six-figure modernization engagement. The assessment is the deliverable.
This is not legal advice. Sterling Solutions is a technology firm, not a law firm. Faith-based foundations and apostolates at this scale typically have or retain general counsel for state AG, multi-state charity registration, IRS, state privacy law, employment, governance, tax-exempt, charitable-trust, and donor-restriction matters; for decisions with religious-law or denominational-polity implications, the tradition's or denomination's relevant authority is the right consultation. The written deliverable identifies sovereignty and vendor-posture gaps and names the regulatory categories they sit under. We are happy to coordinate with your counsel and the appropriate authority.
This is not theological or denominational-polity advice. Sterling is not a religious authority. We do not speak for any tradition or denomination. The technical layer is ours; the ethical and polity layer belongs to the tradition and its governing bodies.
This is not a donor-management vendor endorsement. We evaluate what the foundation actually uses against what the foundation is trying to steward across donor, grantee, and beneficiary data flows; we do not have a preferred vendor in this category. Secular foundations without the tradition-specific stewardship layer have a related but distinct assessment shape; see the broader nonprofits assessment (specifically the 501c3 public-charities and private foundations type page) for that frame, or email [email protected] to discuss fit.
Tire-kickers, briefly.
The evaluation is honest work. We do the homework on our end. We come to the evaluation session prepared. We ask the same of you: bring the executive director, chief development officer, or chief financial officer who actually makes vendor and governance decisions, and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.
One discovery call.
Forty-five minutes for the long cycle, thirty for the short. The donor-management platform's terms, the Schedule B donor-confidentiality posture, the grantee-data handling documentation, the state AG charitable-trust enforcement surface, the multi-state breach-notification readiness posture, and the board-level governance documentation that frames vendor and program decisions are all going to be the subject of the next state filing, the next vendor amendment, the next breach or near-breach, the next board meeting, or the next state AG Charities Bureau inquiry whether or not you have a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in your favor by default.
Heads-up on the booking page: the booking widget currently shows 30-minute slots. For the short cycle, thirty minutes is the right length. For the long cycle, once you pick a time we will extend it to forty-five minutes on our end, provided the fifteen minutes before or after your selected slot are open on our calendar. If the adjustment does not work for you, email [email protected] and we will find a slot that fits.
success.build/risk/religious-institutions/foundations-apostolates · [email protected] · scope-selectable on the discovery call