Australian data hosting
6-layer security model
Complete audit trails
Board-ready documentation
Enterprise-grade protection

Security built for organisations that can't afford a breach

CRM for NFP runs on Microsoft's enterprise infrastructure — the same platform protecting banks, hospitals, and government agencies. Your client data, funder records, and case files are protected by controls most NFPs could not build or afford independently.

Verifiable documentation available for your board, your funders, or your auditors.

A 6-layer security model

Security is not a single switch — it is a stack of controls. CRM for NFP enforces protection at every layer: from the datacentre infrastructure to the individual field on a client record.

  • Infrastructure security — Microsoft-managed datacentres with physical access controls, redundancy, and 99.9%+ uptime SLAs
  • Network security — Encrypted in transit (TLS), firewall rules, DDoS protection, and threat detection
  • Identity security — Multi-factor authentication, conditional access policies, and role-based login enforcement
  • Application security — Security groups, business unit hierarchies, and role-based access control within the CRM
  • Data security — Record-level ownership, field-level security, and encryption at rest
  • Audit security — Every access, every change, every export is logged and retrievable

[Figure: 6-layer security model diagram for Microsoft Dynamics 365 CRM in Australian NFPs]

What this means for your organisation

These are the controls your staff interact with every day — and the controls your board needs to know exist.

Record-level permissions

Staff only see cases and clients they own, or that have been explicitly shared with their team. Accidental access to another region's or program's records is structurally prevented — not just policy-dependent.

Field-level security

Sensitive fields — financial data, risk flags, medical information, consent status — can be hidden from roles that do not need them. A frontline intake worker does not see the same data as a clinical manager or finance officer.

Complete audit trails

Every record access, field change, and data export is logged with a timestamp and user identity. When a regulator, funder, or auditor asks who viewed or changed a record, you have a retrievable, tamper-evident answer.

Australian data hosting

Your data is stored in Microsoft's Sydney and Melbourne datacentres. It does not leave Australia by default. Microsoft publishes its data residency commitments publicly — and we can provide verifiable documentation for your board or funders on request.

Documentation your board can rely on

Many NFP boards are now asking specific questions about data governance. Where does our client data live? Who can access it? What happens if there is a breach?

CRM for NFP can provide:

  • Microsoft's Australian data residency certification documentation
  • ISO 27001, SOC 2 Type II, and other compliance certifications held by Microsoft
  • A data processing agreement covering your organisation's obligations under the Australian Privacy Principles
  • Configuration documentation showing how role-based access and field-level security are implemented in your specific system

Microsoft's compliance certifications

The platform your data runs on holds certifications that would cost millions to obtain independently:

  • ISO 27001 — International standard for information security management
  • SOC 2 Type II — Independent audit of security, availability, and confidentiality controls
  • IRAP assessed — Independent Security Assessment relevant to Australian government and regulated-sector data
  • Australian Government certified — Listed on the Certified Cloud Services List (CCSL)
  • GDPR compliant — Relevant for organisations with international data obligations

What happens if something goes wrong

Microsoft operates a 24/7 security operations centre that monitors for threats across its global infrastructure. In the event of a security incident, Microsoft notifies affected customers within 72 hours — meeting Australia's Notifiable Data Breaches scheme obligations.

Detection and containment

Microsoft's security monitoring detects anomalous access patterns and can isolate affected systems before you are even aware of an incident.

Notifiable Data Breaches

Audit logs give you the precise records needed to satisfy your obligations under the NDB scheme — including who accessed what, when, and from where.

Business continuity

Microsoft maintains geographic redundancy across its Australian datacentres. Your data is backed up and recoverable even in the event of a datacentre failure.

For your staff, security is invisible

Strong security should not slow your team down. CRM for NFP is designed so that staff see only what they need to see, and do only what they are authorised to do — without constant friction or manual access requests.

Single sign-on

Log in once with your Microsoft 365 account. No separate passwords, no extra credentials to manage or forget.

Role-based views

Each role sees a tailored interface. Intake workers see intake queues. Managers see team dashboards. Finance sees what finance needs.

No local data storage

Because CRM for NFP is cloud-based, no client data sits on staff laptops or local drives. When a staff member leaves, access is revoked centrally — immediately.

Ask us about our security documentation

We can provide documentation suitable for board review, funder due diligence, or audit preparation. No charge. No commitment required.