Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Record Retention Policy for Nonprofits is a board-adopted governance document that defines which organizational records must be preserved, for how long, in what format, and how they must be securely destroyed when their retention period expires. It covers every record category a nonprofit generates β founding and legal documents, financial statements, grant files, personnel records, board minutes, and program files β and assigns responsibility for implementation to a named staff role. The policy also includes a litigation hold provision that suspends normal destruction when legal proceedings are reasonably anticipated.
Without a written retention policy, a nonprofit faces three concrete risks simultaneously. First, IRS Form 990 Part VI asks directly whether the organization has adopted a document retention and destruction policy β answering "no" signals a governance weakness to the IRS, state charity regulators, and institutional funders who review 990s before making grants. Second, destroying records too early β because no schedule exists β can eliminate the financial documentation needed to defend an IRS audit, satisfy a funder's expenditure review, or respond to litigation, which courts can treat as spoliation of evidence. Third, retaining records indefinitely creates its own risk: confidential donor, client, and employee data stored without expiration raises privacy liability. A properly adopted record retention policy eliminates all three exposures for the cost of an afternoon's work, and this template gives your organization a complete, board-ready starting point aligned to IRS guidance and standard nonprofit governance practice.
| If your situation is⦠| Use this template |
|---|---|
| Small nonprofit with one staff member and a working board | Simplified Nonprofit Record Retention Policy |
| Organization with active grant funding requiring funder-specific retention | Record Retention Policy for Nonprofits (Grant-Focused) |
| Healthcare or social services nonprofit subject to HIPAA | HIPAA-Compliant Document Retention Policy |
| Nonprofit undergoing IRS audit or litigation | Litigation Hold Notice |
| Organization wanting to pair retention policy with destruction log | Document Destruction Log |
| Nonprofit adopting a full governance policy suite | Nonprofit Conflict of Interest Policy |
| Organization needing a broader internal controls framework | Nonprofit Financial Policies and Procedures Manual |
Why it matters: The IRS has 6 years to audit if it suspects a substantial understatement of income. A 3-year schedule destroys records that could defend the organization during a late audit.
Fix: Set the default financial record retention period to 7 years to cover the longest realistic IRS audit window with a comfortable buffer.
Why it matters: Auditors and funders routinely request email correspondence and digital files. A policy that only addresses paper records leaves the organization with no documented standard for its largest record volume.
Fix: Add an explicit definition of electronic records and a statement that all retention periods apply regardless of format β paper, email, cloud storage, or otherwise.
Why it matters: Destroying records under a routine retention schedule after a legal complaint is filed can constitute spoliation of evidence, resulting in court sanctions and adverse inference instructions.
Fix: Include a litigation hold section naming who issues the hold, how staff are notified, and how the hold is lifted β even if the organization has never faced litigation.
Why it matters: When no individual is accountable for implementing the schedule, destruction reviews are skipped, records pile up indefinitely, or records are deleted informally without documentation.
Fix: Designate a specific staff title as document custodian in the policy and include implementation duties in that role's job description.
Why it matters: USCIS requires I-9 forms to be stored separately and produced within 3 business days of an inspection request. Mixing them with personnel files slows retrieval and risks non-compliance.
Fix: Create a dedicated I-9 binder or folder β paper or digital β segregated from all other personnel records, with its own audit trail.
Why it matters: IRS guidance, state law, and grant funder requirements change periodically. An outdated policy may no longer satisfy Form 990 Part VI or current funder audit expectations.
Fix: Set a calendar reminder for a board review every three years and assign the executive director to flag any law changes that require an off-cycle amendment.
Replace all [ORGANIZATION NAME] placeholders with your nonprofit's full legal name as it appears on your IRS determination letter. Note the state of incorporation, as state law may impose retention periods that exceed federal minimums.
π‘ Check your state's nonprofit association website for a state-specific retention addendum β about 15 states have requirements that go beyond the IRS baseline.
Go through each record category and confirm the listed retention period meets or exceeds the applicable statute of limitations for your state, funder requirements, and IRS rules. Edit any period that falls short.
π‘ When in doubt between two periods, choose the longer one β over-retention is rarely a problem; under-retention can be.
If your organization operates in healthcare, housing, childcare, or another licensed program area, add the relevant client or service record categories and their funder- or license-required retention periods.
π‘ Pull the retention requirements directly from your current grant agreements and licensing regulations and paste them into Schedule A so there is no ambiguity.
Replace the [DOCUMENT CUSTODIAN] placeholder with the specific staff title responsible for implementing the schedule. Avoid naming an individual by name so the policy survives staff turnover.
π‘ For small organizations, the executive director or office manager typically serves as custodian β just make sure the role is in that person's job description.
Fill in the approved paper destruction method (cross-cut shredding is the minimum for sensitive records), the electronic deletion method, and the title of the person who must authorize each destruction event.
π‘ For electronic records stored in cloud platforms, document the deletion procedure specific to that platform β Google Workspace, Dropbox, and Microsoft 365 each have distinct permanent-deletion workflows.
Confirm that the litigation hold section names the executive director (or general counsel if applicable) as the person responsible for issuing holds, and that the notification chain reaches everyone who manages records.
π‘ Add a sample litigation hold notice as an appendix so staff know exactly what one looks like and can act quickly when needed.
Place the policy on a board meeting agenda, present it as a governance policy, and record the adoption vote in the board minutes. The IRS Form 990 Part VI asks whether the board reviewed this type of policy.
π‘ Date the policy with the board adoption date, not the draft date β the 990 disclosure asks when the policy was adopted or last reviewed.
Send the adopted policy to all staff, add it to your employee handbook or internal policy library, and calendar the first annual records destruction review for 12 months from the adoption date.
π‘ Pair the annual destruction review with your fiscal year-end close so it becomes a routine part of your financial wrap-up calendar.
No federal law mandates that nonprofits adopt a written record retention policy, but IRS Form 990 Part VI explicitly asks whether the organization has one β and answering 'no' signals a governance gap to the IRS, state regulators, and major donors. Many state nonprofit acts and grant funders require documented records management procedures. Adopting a written policy is the recognized best practice and takes less than an hour with a template.
The IRS generally has 3 years to audit a Form 990, but the window extends to 6 years if it suspects a substantial understatement of income. Most governance advisors recommend retaining financial records β bank statements, general ledgers, payroll records, and grant files β for 7 years to cover the longest realistic audit window. Audited financial statements and Form 990 filings should be kept permanently.
Permanent records typically include: Articles of Incorporation, all versions of Bylaws, the IRS Determination Letter (Form 1023 or 1024 approval), all annual Form 990 filings, board and committee meeting minutes, executed real property deeds, and any document that defines the organization's legal existence or tax-exempt status. These records should never be destroyed.
Yes β IRS Form 990 Part VI asks whether the board reviewed the organization's document retention and destruction policy. For the disclosure to be accurate, the board must formally adopt the policy by vote and record that vote in the board minutes. A policy drafted by staff but never presented to the board does not satisfy the Form 990 question.
Destroying records after litigation is filed or reasonably anticipated β even under a written retention schedule β can constitute spoliation of evidence. Courts may sanction the organization, instruct the jury to draw adverse inferences, or in extreme cases dismiss defenses. Every record retention policy must include a litigation hold provision that suspends all destruction when legal proceedings become foreseeable.
Paper records containing personal information, financial data, or donor details should be cross-cut shredded β strip shredding is not sufficient for sensitive records. Electronic records must be permanently deleted using the specific procedure for each platform (not simply moved to the trash). Each destruction event should be documented in a destruction log noting the record category, date, method, and authorizing staff member.
Yes β federal grant awards under the Uniform Guidance (2 CFR Part 200) require financial records, supporting documentation, and program reports to be retained for 3 years after the final expenditure report submission, but longer if litigation is pending or the awarding agency specifies otherwise. Many private foundation grants specify 5β7 years in the grant agreement. Always check the specific grant agreement and apply the longer of the policy standard or the funder requirement.
Yes. The IRS and most courts treat electronic records β emails, cloud documents, database records, and instant messages β as equivalent to paper records. A retention policy that covers only paper files is incomplete. The policy should explicitly state that all retention periods apply regardless of format and should address the deletion procedures for each platform the organization uses to store records.
A conflict of interest policy governs how board members and staff disclose and manage personal interests that may conflict with the organization's mission. A record retention policy governs how documents are stored and destroyed. Both are governance policies asked about on IRS Form 990 Part VI, and most nonprofits should adopt both β but they address entirely different operational risks.
A document destruction log is the operational record used to document each destruction event authorized under a retention policy β it names the records destroyed, the date, method, and authorizing staff member. The retention policy sets the rules; the destruction log proves they were followed. Nonprofits need both, and the policy should require the log to be maintained.
An employee handbook covers the full range of HR policies β conduct, benefits, leave, and workplace expectations. A record retention policy is a standalone governance document adopted by the board that applies to all organizational records, not just HR files. The handbook may reference the retention policy, but the two documents serve distinct audiences and purposes.
A financial policies and procedures manual covers authorization limits, expense approval, cash handling, and internal controls. A record retention policy is narrower in scope β it addresses only how long financial and other records are kept and how they are destroyed. Organizations benefit from both, but the retention policy is the one specifically disclosed on Form 990.
Client case records are subject to state licensing retention requirements that commonly mandate 5β10 years after case closure, superseding the standard 7-year financial records default.
HIPAA requires covered entities and business associates to retain medical records and related documentation for 6 years from creation or last effective date, with state law often extending this further.
Student and minor participant records, including consent forms and incident reports, frequently require retention until the participant reaches age of majority plus the applicable statute of limitations β often 21 to 25 years in total.
Intellectual property agreements, exhibition contracts, and provenance documentation for collection items are permanent records that must be retained alongside standard financial and governance files.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small and mid-size nonprofits without specialized program licensing or federal grant compliance obligations | Free | 1β2 hours to customize and prepare for board adoption |
| Template + professional review | Organizations with federal grants, HIPAA obligations, or state-licensed program operations | $200β$600 for a nonprofit attorney or CPA review | 3β5 business days |
| Custom drafted | Large nonprofits with complex multi-program operations, international activities, or pending litigation | $1,000β$3,000+ | 2β4 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
