ListGuard · a Born Between Generals, LLC product
A privacy layer that sits between fundraisers, your CRM, and outbound tools. Real names, addresses, and phones stay encrypted. Working systems see only opaque tokens. Emails merge inside the trust boundary — vendors get the rendered message, never the donor list. Licensed to nonprofits and fundraising organizations.
Donor and member lists at small and mid-sized nonprofits are an attractive target. Attackers know it — donor-list theft attempts against fundraisers are a recurring threat across the sector. The people on those lists include politicians, public figures, and ordinary donors who reasonably expect privacy.
Existing nonprofit CRMs advertise “encryption at rest” and an “anonymous donor” checkbox. None offer field-level tokenization that protects donor identity from in-house staff, IT contractors, departing employees, or downstream vendors. None provide per-fundraiser isolation. The product gap is real — and ListGuard fills it as a layer you license and run alongside the CRM you already use.
Donors sync from your CRM (Bloomerang and others) via OAuth. Each record gets its own AES-256-GCM data key, wrapped by a master key in a managed KMS. First name, last name, email, phone, and address are encrypted at field level. The working database now holds tokens like LG-FDL6-VD4R-AGJY7OQ6 — not donors.
The dashboard shows initials (J.S.) or, for high-sensitivity donors, a codename (CODENAME-OAK). Fundraisers can only list their own donors and any explicit shares. Stealing a fundraiser's laptop session yields tokens, not a donor list.
Templates use variables like {{first_name}}. The vault resolves those variables at the last possible moment, renders the message, and hands the rendered output to your email vendor with short retention and per-recipient purge. The email vendor never receives the donor list. The fundraiser never sees the resolved recipients.
The vault watches read activity per fundraiser. More than 50 reads in 60 seconds, or more than 500 in a session, fires a high-severity alert — written to a tamper-evident audit log. A stolen session that tries to dump the donor list trips the alarm before it gets far.
Break-glass is real-world necessary — legal subpoenas, IRS audits, donor data requests — but a single admin holding the keys is the failure mode. ListGuard rejects single-admin decryption. Two distinct admins with a written reason; every event logged and alerted.
The audit log is append-only. Each entry hashes the previous entry, so silently editing or deleting past records breaks the chain and is detectable. Production ships the stream to write-once cloud storage so even server admins can't rewrite history.
ListGuard is licensed to nonprofits and the fundraising organizations that serve them — deployed as a dedicated instance alongside your existing CRM, or white-labeled for agencies managing multiple clients. You keep your system of record; ListGuard is the privacy boundary around it.
ListGuard is a product of Born Between Generals, LLC. To see it run against a representative donor segment and discuss licensing for your organization, get in touch.
Architecture, threat model, compliance posture, and rollout plan available to qualified reviewers on request.