Protecting applicant data: A practical security checklist for grant programs

by | Mar 17, 2026 | Article

Grant programs handle a remarkable volume of sensitive information—financial disclosures, organisational tax records, personal contact details, project budgets and community data. For nonprofits, government agencies and foundations running these programs, that data is a trust asset. And like all trust assets, it needs to be protected.

Whether you are overseeing a state and local cybersecurity grant program, managing a nonprofit security grant program or running a private foundation’s giving cycle, your grant readiness checklist should include a dedicated security component.

Effective data governance is foundational to trustworthy, sustainable grantmaking. The good news? Protecting applicant data does not require a massive IT budget. It requires intention, consistency and the right framework.

Here is a practical digital security checklist to help your team get started.

Why grant program security matters

Cybersecurity threats to nonprofit and government entities have grown significantly in recent years. Phishing attacks, ransomware and data breaches are no longer reserved for large corporations. Smaller organisations and programs are also increasingly targeted, precisely because they often hold sensitive applicant data without enterprise-grade protections.

The scale of the problem is striking. According to NetHope’s 2025 State of Humanitarian and Development Cybersecurity Report, cyber-attacks on nonprofits and civil society organisations rose by 241% between 2024 and 2025, with nonprofits ranked among the most heavily targeted sectors globally. Yet most organisations have not adjusted their defences to match the pace of these threats.

For grant programs specifically, the stakes are high. A breach of your grant management system could expose:

  • Applicant names, addresses and contact information
  • Federal Employer Identification Numbers (EINs) and tax filings
  • Bank account details for disbursement
  • Project narratives and community data
  • Board and staff personally identifiable information (PII)

Beyond regulatory penalties, a breach can irreparably damage the trust applicants place in your program. And trust, once lost, is extraordinarily difficult to rebuild.

The core digital security checklist for grant programs

Use this as your baseline grant readiness checklist when evaluating or auditing your program’s security posture. For a deeper grounding in the terminology, our cybersecurity glossary for nonprofit technology is a useful place to start!

1. Data collection and minimisation

  • Only collect data you actually need for grant review and compliance
  • Audit your application fields annually; remove anything that is not operationally necessary
  • Clearly communicate to applicants what data is collected and why
  • Use applicant-facing privacy notices written in plain language

2. Access controls and user permissions

  • Apply role-based access so staff only see data relevant to their function
  • Immediately revoke access when staff or reviewers leave the program
  • Require multi-factor authentication (MFA) for all system logins
  • Maintain an access log — know who viewed what and when
  • Never share login credentials across staff members

3. Secure data storage and transmission

  • Store applicant data in encrypted databases or cloud systems with SOC 2 compliance
  • Ensure all data transmitted through your portal uses HTTPS (SSL/TLS)
  • Avoid storing sensitive data in email inboxes or local desktop folders
  • Use secure file-sharing platforms — not personal Dropbox or Google Drive accounts
  • Encrypt physical storage devices if any offline backups are maintained

4. Vendor and platform security

  • Review the security documentation of any grant management software you use
  • Ask vendors directly about their data breach notification policies
  • Confirm that your platform has data residency options if required by funder mandates — see our guide to picking the right data region for your grant data for practical guidance
  • Ensure vendors undergo regular independent security audits
  • Review data ownership and deletion clauses in vendor contracts

5. Staff training and culture

  • Conduct phishing awareness training at least once per year
  • Create a clear policy for reporting suspected security incidents
  • Train staff on proper data handling before each grant cycle opens
  • Designate a data security point of contact for your program
  • Integrate security awareness into onboarding for new grant staff

It is worth noting that research from BDO found that 68% of data breaches in 2024 involved a human element, such as phishing or human error. Training should not be optional; it can be one of your strongest defences.

6. Incident response planning

  • Document a written incident response plan before a breach happens
  • Know your legal notification obligations — federal, state and funder-specific
  • Identify in advance who will communicate with applicants if a breach occurs
  • Test your response plan annually — tabletop exercises work well for smaller teams
  • Back up data regularly and verify that restores actually work

Beyond compliance: building a culture of data stewardship

Security checklists matter, but the real goal is building a culture where protecting applicant data is understood as part of your mission, not just a regulatory obligation.

That means talking openly with your board or leadership team about data governance. It means asking hard questions of your technology vendors. And it means treating applicants’ willingness to share sensitive information as the gift of trust that it is.

If you are in the process of evaluating or procuring grant management software, read more on why security should be your number one feature priority in software procurement.

Grant programs that take security seriously attract better applicants, retain funder confidence and build lasting community credibility. The checklist is where you start—but the culture is where it lives.

Ready to strengthen your grant program’s security posture? Good Grants is designed with data protection built in—from role-based access controls to encrypted applicant submissions. Explore Good Grants or read more about how we approach security in our Trust Centre.
