Core Content
Part 1 — Consumer vs. Enterprise/Managed Tiers (the one distinction that matters most)
Every major AI tool comes in two broad flavors. They can look almost identical on screen. The difference is in the contract and the controls behind them.
Consumer tier (free or cheap personal plans — e.g., free ChatGPT, the Gemini app on a personal account, Claude Free/Pro on a personal login):
- By default the vendor may use your conversations to train its models. On free ChatGPT, for example, chats may be used for training unless you manually opt out (directional, per OpenAI's stated policy).
- No central admin. If a staff member leaves, no one can see or revoke their account.
- No organization-wide data-processing agreement, no audit trail, no single sign-on.
Enterprise / managed tier (business and nonprofit plans tied to your org's accounts):
- A contractual commitment not to train on your content. This is the headline. Microsoft 365 Copilot Chat's "Enterprise Data Protection" states prompts and responses aren't used to train the foundation models, and aren't shared with or used to train OpenAI's models. OpenAI's Business/Enterprise and Anthropic's Claude Team/Enterprise tiers carry the same no-training-by-default commitment.
- Admin controls + SSO (single sign-on): IT can provision and de-provision accounts, enforce login through your existing identity, and offboard a departing staff member in one place — which matters enormously in a high-turnover sector.
- Audit + retention controls: visibility into use and the ability to set how long data is kept.
CONSUMER TIER                       ENTERPRISE / MANAGED TIER
┌────────────────────────┐          ┌──────────────────────────┐
│ personal login         │          │ org account + SSO        │
│ may train on your data │ ──vs──▶  │ contractual: NO training │
│ no admin / no offboard │          │ admin controls, audit    │
│ fine for PUBLIC data   │          │ ok for INTERNAL data;    │
│ only                   │          │ sensitive only if vetted │
└────────────────────────┘          └──────────────────────────┘
A confusing trap — a plan can be priced like a business plan and still be a consumer tier. Don't buy on price or name; confirm the actual data-training term and whether there's an admin console. (Some "Team"-labeled plans have been flagged as consumer-tier with training on by default — verify the current terms for any tool before approving it.)
Do / Don't
- ✅ Do route everyone to the org's managed tier for anything beyond public information.
- ✅ Do confirm the no-training term in writing for each approved tool.
- ❌ Don't let staff use personal AI logins for work.
- ❌ Don't assume "paid" means "safe" — the Plus/Pro personal plans usually have the same data relationship as free.
How to actually verify "no training on our data" (a 4-step check the owner runs before a tool goes in the catalog):
1. Find the tier's terms / trust page (search: "<tool> business data not used for training")
2. Confirm it says NO training BY DEFAULT — not "you can opt out" (opt-out = consumer signal)
3. Confirm there's an admin console (you can add/remove users) and SSO support
4. Confirm a Data Processing Agreement (DPA) is available — required before sensitive data
If you can't tick all four, the tool is Public-data-only until you can.
Tie this directly to Module 2's cardinal rule — never paste sensitive beneficiary or donor data into a consumer AI tool. The managed tier is what makes that rule livable instead of just restrictive.
Part 2 — The Nonprofit Offers (free and discounted, claim them now)
You almost certainly qualify for enterprise-grade AI at little or no cost. Eligibility generally requires recognized nonprofit/charity status (501(c)(3) equivalent). Here is what's on the table as of mid-2026 (pricing and inclusions change — verify at the source links before budgeting):
- Microsoft for Nonprofits. Discounted/granted Microsoft 365. Microsoft 365 Copilot Chat is included free with nonprofit M365 plans and carries Enterprise Data Protection automatically (look for the green shield). The full Microsoft 365 Copilot add-on (the one embedded in Word/Excel/Outlook/Teams) is discounted ~15% for nonprofits, about $25.50/user/month billed yearly vs. $30 commercial (directional), and requires an underlying M365 license.
- Google for Nonprofits. Google Workspace for Nonprofits is free for up to ~2,000 users and now includes the Gemini app, NotebookLM, and 10+ AI features with enterprise security and data protections. Paid upgrades for advanced Gemini are discounted up to ~75% (starting around $3.50/user/month, directional), managed in the Workspace Admin console.
- TechSoup. A free account gives access to donated/discounted software and services from 100+ partners (Microsoft, Adobe, Zoom, Dropbox, Intuit, AWS, and AI tools such as Otter.ai and Notion AI at nonprofit rates) — discounts commonly cited up to ~90% (directional). TechSoup is also the validation path many vendors use to confirm your nonprofit status.
- ChatGPT (OpenAI). Free/Plus are consumer tiers; Business (formerly Team) and Enterprise carry the no-training-on-your-data commitment and admin controls. OpenAI has run a nonprofit program (OpenAI for Nonprofits) with discounted Business/Team and Enterprise pricing; confirm current eligibility and terms at the source before budgeting, or access vetted AI tools via TechSoup.
- Claude (Anthropic). Team and Enterprise include a contractual no-model-training commitment and admin features; consumer Pro does not provide a data-processing agreement. Anthropic also sponsors the NTEN nonprofit AI cohort (a capability resource, separate from licensing).
For many lean orgs the right starting stack is already free: Microsoft 365 Copilot Chat (or Google Workspace + Gemini) gives you a managed, no-training assistant at zero extra cost. Set that up before you pay for anything.
"We need a special nonprofit AI platform." Usually you don't. Start with the managed assistant inside the office suite you already run, then add a specialized tool only when a real task demands it.
A "good starter stack" most lean orgs can stand up this month (all free or near-free):
1. Managed assistant → M365 Copilot Chat OR Google Gemini in Workspace for Nonprofits
2. Identity + MFA → the same Microsoft/Google account, MFA enforced
3. Validation + extras → a free TechSoup account for discounted add-ons (transcription, etc.)
4. The two artifacts → the approved-tool catalog + the new-tool intake form
Notice what's not on the list: a separate paid chatbot, a custom build, or a consultant. You add those only when the catalog and a real task justify them — which is also the story Module 5 helps you tell a funder.
Part 3 — The Approved-Tool Catalog (the heart of this module)
The catalog is one short living table that answers three questions for every tool: What is it allowed to touch? Is it the safe tier? Who owns it? It turns "is this OK?" from a debate into a lookup.
It builds on your data classes from Module 2. Use three simple classes:
PUBLIC    → already on your website / press release; no harm if seen
INTERNAL  → org operations: drafts, budgets, internal memos; not for public
SENSITIVE → beneficiary or donor personal data; the people you serve cannot absorb a leak — highest protection
The rule of thumb that staff can memorize:
PUBLIC    → any approved tool is fine
INTERNAL  → managed/enterprise tier only
SENSITIVE → managed tier AND explicitly vetted for that data class, with a data-processing agreement — when in doubt, don't
Default beneficiary data to "no AI" unless a specific tool has been explicitly approved for sensitive data with a signed agreement. "Not yet approved" is a safe, acceptable answer.
(The starter catalog table is in Templates & Takeaway Artifacts below — you'll fill it in during the session.)
Do / Don't
- ✅ Do keep the catalog to one page; long policies don't get read.
- ✅ Do name a single owner per tool (license, renewal, who to ask).
- ❌ Don't list a tool you haven't confirmed the data-training terms for.
- ❌ Don't let the catalog go stale — review it at the 90-day mark and each grant cycle.
Part 4 — Baseline Security Hygiene (this matters more with AI)
AI raises the value of your accounts: an assistant connected to your email and files is a bigger prize for an attacker, and one phished login now exposes more. Nonprofits are already prime targets: email attacks on nonprofits rose ~35% in a recent year, and most breaches start with a phished credential (directional; sources below). Four basics block the overwhelming majority of attacks, and none of them requires a big budget.
- MFA (multi-factor authentication) — the single highest-value control. Requires a second factor (app code or key) beyond a password. Microsoft and others report MFA blocks >99% of automated account-compromise attempts (directional). Turn it on for all email, finance, admin, and AI/cloud accounts. Prefer an authenticator app over SMS.
- Backups — and test a restore. Keep recent backups of your core data, ideally with one copy offline/separate (the "3-2-1" idea: 3 copies, 2 media, 1 off-site). The only proof a backup works is restoring a small file from it. This is your ransomware insurance.
- Phishing awareness. Most intrusions start with a convincing email. Teach staff to slow down on urgency, hover links, verify money/data requests on a second channel, and report suspicious mail without blame. Note: AI now makes phishing emails cleaner and more personalized — "bad grammar" is no longer a reliable tell.
- Access controls (least privilege) + device basics. People get access to only what their role needs; shared logins are eliminated; accounts are removed the day someone leaves (high turnover makes this critical). Keep devices updated and screen-locked.
PASSWORD ALONE           ──▶ easily phished / reused / leaked
PASSWORD + MFA           ──▶ blocks >99% of automated attacks
+ tested BACKUPS         ──▶ you survive ransomware
+ PHISHING-AWARE STAFF   ──▶ you stop the #1 entry point
+ LEAST PRIVILEGE        ──▶ one breach ≠ everything breached
If you have no IT lead (common), assign these as named tasks anyway — "MFA owner," "backup-restore tester." NTEN's Nonprofit Cybersecurity Readiness program and CISA's free guidance can stand in for staff you don't have.
Before you connect any AI assistant to your email or document store, confirm MFA is on for those accounts. Connecting AI to an unprotected account multiplies the blast radius of one stolen password.
Part 5 — API / Export & Integration, in Plain Language
You don't need to be technical to make good integration decisions. Two plain ideas:
- Export = can you get your data out in a usable file (CSV/Excel)? If yes, you're never trapped, and you can move data to where it's useful. Check this for every system before you adopt it.
- API (application programming interface) = a doorway that lets two systems talk automatically, so data flows without manual copy-paste. Tools like Zapier connect common nonprofit apps (e.g., a donation form to Salesforce) using these doorways.
Why it matters for AI: integration is what turns AI from a clever toy into time saved — but every new connection is also a new place data can flow, so it must respect the same data-class rules.
A quick way to check any tool you already use:
Settings / Account → look for "Export," "Download data," or "API / Integrations"
  Has CSV/Excel export?    → good, you're not locked in
  Has an API / Zapier app? → automation is possible (review it like a new tool)
  Has neither?             → flag it; manual copy-paste is your only path, and that's where sensitive data gets pasted into the wrong place
Newer platforms (e.g., Salesforce Nonprofit Cloud) sometimes outrun their connectors — not all data objects sync yet, and teams use staging objects or scheduled flows as workarounds (directional). Translation: confirm a real working connection exists for your systems before you promise leadership "it'll just sync."
Do / Don't
- ✅ Do prefer tools with clean export — it protects you against lock-in and dead grants.
- ✅ Do treat each integration as a data flow that needs the same approval as a new tool.
- ❌ Don't wire sensitive data into an automation just because the connector exists.
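As an added example (not part of the module), here is the Part 3 rule of thumb and the "treat each integration as a data flow" rule above, written as a small Python gate that a Zapier-style automation or an internal script would call before handing a record to an AI tool. The catalog rows, tool names and field classifications are constructed for illustration; the real ones come from your approved-tool catalog and the Module 2 classification exercise.

```python
"""Data-flow gate for an AI integration, driven by the approved-tool catalog.

Added example, not from the module. The catalog rows, tool names and field
classifications below are constructed for illustration. The rule of thumb it
encodes is the module's: PUBLIC -> any approved tool; INTERNAL -> managed tier
only; SENSITIVE -> managed tier, explicitly approved for SENSITIVE, with a DPA
in place; a tool whose training terms are unverified is PUBLIC-only. The same
gate applies to an automation as to a person pasting text: the data flow is
what gets approved, not the tool.
"""
from dataclasses import dataclass

RANK = {"PUBLIC": 0, "INTERNAL": 1, "SENSITIVE": 2}

# Constructed field classification; in practice this comes from Module 2.
FIELD_CLASS = {
    "campaign_name": "PUBLIC",
    "event_date": "PUBLIC",
    "draft_appeal_text": "INTERNAL",
    "budget_line": "INTERNAL",
    "donor_email": "SENSITIVE",
    "beneficiary_id": "SENSITIVE",
}


@dataclass(frozen=True)
class CatalogEntry:
    tool: str
    tier: str                       # "consumer" or "managed"
    approved_for: frozenset         # data classes explicitly vetted for this tool
    dpa_signed: bool
    training_terms_confirmed: bool  # the 4-step check was done, in writing
    owner: str


# Constructed catalog rows (generic names, not real products).
CATALOG = {e.tool: e for e in [
    CatalogEntry("managed-assistant", "managed", frozenset({"PUBLIC", "INTERNAL"}), True, True, "ops lead"),
    CatalogEntry("vetted-transcription", "managed", frozenset({"PUBLIC", "INTERNAL", "SENSITIVE"}), True, True, "program director"),
    CatalogEntry("personal-chatbot", "consumer", frozenset({"PUBLIC"}), False, True, "none"),
    CatalogEntry("unverified-vendor", "managed", frozenset({"PUBLIC", "INTERNAL"}), False, False, "intake pending"),
]}


def allowed_classes(entry: CatalogEntry) -> set:
    """Data classes that may flow to this tool under the rule of thumb."""
    ok = {"PUBLIC"}                               # any approved tool may see public data
    if entry.tier != "managed" or not entry.training_terms_confirmed:
        return ok                                 # consumer or unverified: public-only
    ok.add("INTERNAL")
    if "SENSITIVE" in entry.approved_for and entry.dpa_signed:
        ok.add("SENSITIVE")                       # vetted for the class AND a DPA
    return ok


def field_class(name: str) -> str:
    """Unknown fields are treated as SENSITIVE: classify before you connect."""
    return FIELD_CLASS.get(name, "SENSITIVE")


def classify_record(record: dict) -> str:
    """A record is as sensitive as its most sensitive field."""
    return max((field_class(k) for k in record), key=RANK.__getitem__, default="PUBLIC")


def gate(entry: CatalogEntry, record: dict, mode: str = "strip") -> tuple:
    """Decide whether `record` may flow to `entry.tool`.

    mode="strip": drop the fields the tool is not approved for, pass the rest.
    mode="block": all-or-nothing.
    Returns (decision, payload, dropped_fields) so the caller can log the drop.
    """
    ok = allowed_classes(entry)
    dropped = sorted(k for k in record if field_class(k) not in ok)
    if not dropped:
        return "allow", dict(record), []
    if mode == "block" or len(dropped) == len(record):
        return "block", {}, dropped
    return "allow_redacted", {k: v for k, v in record.items() if k not in dropped}, dropped


# Constructed sample: one automation row headed for an AI drafting step.
SAMPLE_RECORD = {
    "campaign_name": "Spring appeal",
    "draft_appeal_text": "Dear friend, this spring we ...",
    "donor_email": "pat@example.org",
}

if __name__ == "__main__":
    for tool, entry in CATALOG.items():
        decision, payload, dropped = gate(entry, SAMPLE_RECORD)
        print(f"{tool:22s} {decision:15s} sent={sorted(payload)} dropped={dropped}")
```

Two design choices do the real work: an unclassified field defaults to SENSITIVE and a tool with unverified training terms defaults to public-only, so anything nobody got around to classifying or vetting fails closed. Use mode="block" where a partial record would be misleading; a donor row with the email stripped is still a donor row if the remaining fields identify the person.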
Part 6 — The New-Tool Request Process (fast on purpose)
If approval takes a month, staff will route around it — that's how shadow AI is born. The goal is a process that says "yes" to low-risk tools in days, and asks harder questions only when sensitive data or money is involved. A practical three-tier triage (adapted from common 2025 governance guidance):
TIER A — fast-track (decide in ~2 days)
Managed-tier tool · PUBLIC or INTERNAL data only · no sensitive data, no payments
→ Owner + one reviewer approve; add to catalog.
TIER B — standard review (~1–2 weeks)
Touches SENSITIVE data OR connects to a core system OR has a cost
→ Confirm no-training terms, data-processing agreement, MFA/admin support, export capability; ED or data lead sign-off.
TIER C — escalate
AI influencing beneficiary eligibility/decisions, crisis comms, or health/legal data
→ Goes to leadership + Module 7 safeguards review; often the answer is "not yet."
The intake form (in Templates below) is deliberately five questions. The reviewer's job is to slot it into A/B/C and respond fast.
A fast, predictable "yes-path" for safe tools is your best defense against shadow AI. Make the right way the easy way.