What a retention policy is
A document retention and destruction policy is a written rule set that classifies your records (corporate, financial, tax, employment, program, donor) and assigns each a retention period. It does two jobs at once: it ensures you keep the records you're legally required to preserve, and it gives you a defensible reason to destroy records you no longer need — so you're not hoarding sensitive donor or employee data forever.
Why nonprofits need one (the Sarbanes-Oxley angle)
The Sarbanes-Oxley Act was written for public companies after corporate accounting scandals, and most of it doesn't touch nonprofits. But two provisions apply to everyone, nonprofits included:
- Document destruction. It is a federal crime to knowingly alter, destroy, or conceal documents to obstruct an investigation or official proceeding. A retention policy — with a clear pause-destruction rule when litigation is anticipated — keeps you on the right side of this.
- Whistleblower protection. Organizations may not retaliate against people who report suspected wrongdoing. That's why nonprofits typically adopt a whistleblower policy alongside a retention policy.
On top of that, Form 990 Part VI asks whether you have a document retention and destruction policy — one more "yes" that signals a well-run organization. See Form 990 explained.
What to keep — and for how long
Retention periods vary by record type. Some documents are kept permanently; others have a defined life. The table below reflects common nonprofit practice — confirm specifics against current IRS and state requirements.
| Record type | Typical retention (as of 2026) |
|---|---|
| Articles, bylaws, IRS determination letter | Permanent |
| Board & committee minutes | Permanent |
| Annual financial statements & audit reports | Permanent |
| Form 990 returns | Permanent (supporting records ≥ 7 years) |
| Tax & payroll records, general ledgers | At least 7 years |
| Grant agreements & restricted-gift records | 7 years after the grant closes (or longer if required) |
| Bank statements, invoices, expense records | 7 years |
| Employee records (after termination) | Commonly 7 years; benefits/EEO records may differ |
| Insurance policies | Permanent (or for the life of any claim) |
| Routine correspondence | 1–3 years |
Periods are general guidance, not legal advice — some grants, contracts, and state laws require longer. Verify before you destroy anything.
Destruction & the litigation hold
Destruction should be deliberate: on a schedule, documented (a short destruction log), and done securely (shredding paper, wiping digital files). The one absolute rule — the litigation hold — is that you immediately stop destroying any records relevant to a pending or reasonably anticipated lawsuit, audit, or government investigation, even if the schedule would otherwise allow it. Destroying records under those circumstances is exactly what Sarbanes-Oxley prohibits.
The two-line rule of thumb
Keep the permanent records forever; keep tax-related records at least seven years. When in doubt, hold — and never destroy anything once a dispute or investigation is on the horizon.
Adopting the policy
Have the board formally adopt the policy, name a person responsible for applying the schedule, and review it during your annual compliance checklist. You don't need to write it from scratch — pull a ready-made version from our template library and approve it at your next meeting. Pair it with a conflict-of-interest and whistleblower policy and you've answered the governance questions funders and the IRS care about. See conflict-of-interest policy.
Tighten governance, then add durable income
Grab the retention-policy template from our template library and adopt it in one meeting. Then make your organization look even safer to funders with recurring, unrestricted income from Good Circles: supporters pick your cause once, then a share of their everyday local spending funds you automatically — about $72 per active supporter per year (≈ $36,000/year from 500 supporters), free to join. (A Main Street–first marketplace launching September 2026.)
Claim a Founding Nonprofit spot →Retention-policy readiness
- The board has formally adopted a written policy
- Each record type has an assigned retention period
- One person owns applying the schedule
- Destruction is documented and secure
- A litigation-hold rule pauses destruction when needed
Sources & tools
Free first
- National Council of Nonprofits — Document Retention Policies for Nonprofits — Authoritative guidance plus a downloadable sample retention/destruction schedule keyed to the Form 990 question.
- National Council of Nonprofits — Whistleblower Protections (Sarbanes-Oxley) — Explains the SOX anti-retaliation and document-destruction prohibitions that drive retention-policy requirements.
- IRS — Recordkeeping Requirements for Exempt Organizations — Primary IRS source on what records to keep and how long to support income, deductions, and exempt status.
- IRS Publication 4221-PC — Recordkeeping Section — IRS booklet detailing permanent vs. limited-period records and the statute-of-limitations basis for retention periods.
Paid — optional labor-savers
- Box — Cloud Content Management — Secure document storage with retention policies, legal holds, and access controls to enforce a retention schedule. Worth it when You must apply automated retention/legal-hold rules and audit who accessed sensitive records.
- Shred-it / Stericycle — Secure Document Destruction — Certified, witnessed shredding with a destruction certificate satisfying the policy's secure-disposal step. Worth it when You routinely purge paper records and need documented, compliant destruction rather than office shredding.
Last verified 2026-06-16. Figures and rules change — verify at the source before you act.
FAQ
Do nonprofits need a document retention policy?
Yes — it's strongly expected. Form 990 asks whether you have a document retention and destruction policy, and adopting one is standard good practice. It tells the IRS, auditors, and funders that you keep records responsibly and don't destroy documents you're required to preserve.
How does Sarbanes-Oxley apply to nonprofits?
Most of Sarbanes-Oxley targets public companies, but two provisions apply to all organizations, including nonprofits: it is a crime to alter, destroy, or conceal documents to obstruct an investigation, and organizations must protect whistleblowers from retaliation. That's why a retention policy and a whistleblower policy go together.
How long should a nonprofit keep records?
It depends on the record. Permanent records include articles, bylaws, IRS determination letters, board minutes, and annual financial statements. Tax returns and supporting documents are typically kept at least 7 years, and routine correspondence far less. Verify against current IRS and state requirements.