Common Ground

    How We Evaluate AI Tools

    Use-case specific. Tier-aware. Community-informed.

    Our Approach

    Most AI tool reviews give you a single score. But the same tool can be safe for one task and risky for another. ChatGPT is fine for drafting a newsletter. It's a problem for client case notes.

    We rate every tool for 12 specific nonprofit use cases, so you get answers that match your actual work.

    The Use Cases

    Use cases are grouped by inherent risk level based on data sensitivity. Lower-risk use cases involve public content with no sensitive data. Higher-risk use cases involve confidential, regulated, or personally identifiable information.

    The Rating System

    Green Light:
    Safe

    No significant concerns for this use case. Use freely.

    Yellow Light:
    Safe with Precautions

    Usable if you follow specific guidelines. Every Yellow rating includes a "Safe if you..." note explaining exactly what to do.

    Red Light:
    Not Recommended

    Risk outweighs benefit. Every Red rating includes a specific explanation of the risk.

    Why We Evaluate by Tier

    Free and paid tiers often have completely different data policies.

    The same tool might be Red on free tier and Green on paid tier for the exact same use case. We evaluate each tier separately because that's what responsible decision-making requires.

    How We Gather Information

    Primary Sources

    • Privacy policies and terms of service
    • Security documentation and SOC 2 reports
    • Pricing pages and nonprofit discount information
    • Accessibility statements

    Third-Party Verification

    • FedRAMP authorization status
    • Common Sense Media privacy ratings
    • Industry certification databases

    We do not accept payment from vendors. These are independent assessments.

    Community Input

    The best information comes from nonprofits actually using these tools. Community members report their experiences, flag policy changes, and help keep evaluations current.

    Keeping It Current

    • Every evaluation shows a "last reviewed" date
    • We monitor for policy changes and update ratings
    • Community members help flag changes we might miss

    Limitations

    We review publicly available policies. We cannot audit actual data handling practices. Policies change frequently, sometimes without notice.

    Use these evaluations as a starting point, not a final answer. When handling highly sensitive data, consult your own legal or compliance advisors.

    Understanding the Ratings

    FedRAMP Authorized

    U.S. government security standard. Tools with this designation passed rigorous federal security review and can be used by government agencies. Authorization levels (Low, Moderate, High) indicate the sensitivity of data they're approved to handle.

    Common Sense Media Privacy Rating

    Independent nonprofit that evaluates apps and tools for data privacy practices. Ratings range from Pass to Warning to Fail based on whether the tool sells data, displays targeted ads, or tracks users across sites.

    SOC 2 Type II

    Annual security audit by an independent accounting firm. Evaluates whether a company's systems protect customer data over time. Reports are confidential.

    ISO 27001

    International standard for information security management. Companies must demonstrate security controls and pass third-party audits.

    Verification Sources

    What We Verify Independently

    • FedRAMP authorization verified via marketplace.fedramp.gov and official agency announcements
    • Common Sense Media privacy ratings included where available
    • Nonprofit discount availability verified via TechSoup/Goodstack listings

    What Remains Vendor-Reported

    SOC 2 and ISO 27001 certifications are vendor-reported. There is no public database to verify SOC 2 certifications, and ISO 27001 verification requires access to the certificate itself.

    Organizations should conduct their own verification before adoption, especially for tools handling sensitive data. Request audit reports directly from vendors for due diligence.