Digital Footprint Audit

Purpose

This audit maps the publicly indexed digital footprint of the Native BioData Consortium across federal agency databases, nonprofit transparency platforms, court records, certificate transparency logs, web archives, and the entity's own web properties.

What can anyone with a search engine learn about your organization in 30 minutes?

As a nonprofit research institute operating at the intersection of Indigenous data sovereignty and federal biomedical funding, your organization's digital footprint reveals not just your web presence, but the full contour of your funding relationships, scientific output, leadership roster, and the environmental risk profile of your physical location. This audit identifies what is visible, what is expected, and what warrants attention.

Methodology

The following data sources were queried:

• Google Advanced Search (dorking): Targeted queries for PDFs, spreadsheets, sensitive keywords, exposed directories, and infrastructure across the entity's domain and federal agency sites
• Wayback Machine CDX API: Historical archive of nativebio.org pages and documents
• Certificate Transparency (crt.sh): SSL/TLS certificate logs for subdomain discovery and hosting analysis
• USASpending / IRS 990 / Foundation Directories: Federal and philanthropic funding records
• Court Databases (Justia, CourtListener, JudyRecords): Litigation and regulatory filings
• DNS / Infrastructure Analysis: DNS records, hosting platform, email provider, security headers
• FEMA OpenFEMA API / EPA / USGS: Disaster declarations and environmental monitoring for jurisdiction
• News and Media: Indian Country media, academic journals, general news coverage

No unauthorized access was performed or attempted. All data sources are publicly available.

Governance & Sensitive Documents

"Native BioData Consortium" filetype:pdf "confidential" OR "internal" OR "not for distribution"
"Native BioData Consortium" filetype:pdf "agreement" OR "contract" OR "memorandum" OR "MOU"
"Native BioData Consortium" filetype:csv OR filetype:xlsx "member" OR "employee" OR "roster"
site:nativebio.org inurl:backup OR inurl:admin OR inurl:config
site:nativebio.org intitle:"login" OR intitle:"sign in" OR inurl:portal
"Native BioData Consortium" intitle:"index of"

#	Document	Hosted On	Risk	Notes
1	ZoomInfo Company Profile	zoominfo.com	Low	Commercial data aggregator; scraped from public sources
2	NIH Compiled Public Comments on Genomic Data Sharing	nih.gov	Medium	NBDC policy positions in compiled comments; intentional advocacy on third-party server

Assessment: Clean

No confidential, internal, or restricted documents were found indexed anywhere. No MOUs, contracts, or agreements leaked to third-party servers. No PII exposure beyond what the organization intentionally publishes on its own website.

Wayback Machine Archive

Metric	Value
Total unique URLs archived	841
Total unique PDFs archived	1
Earliest snapshot	2018-02-23
Most recent snapshot	2026-03-23
Hosting platform detected	WordPress + Elementor (2018-2025), then Drupal 10.5.4 (2025-present)

Notable Archived Paths

#	URL	Type	Notes
1	native-biodata-consortium-fact-sheet.pdf	PDF	Only archived document -- organizational fact sheet
2	wp-login.php	Admin	WordPress login page archived with 200 OK (historical)
3	/author/admin/	Admin	WordPress author page exposing default "admin" username
4	/product/blank-product-1/	Placeholder	WooCommerce test product never removed
5	/?wc-ajax=%%Endpoint%%	Config	WooCommerce AJAX endpoint with unresolved template variable

Assessment: Low

The archive reveals a typical small-nonprofit web history with WordPress-era placeholder content and an exposed admin username. The document footprint is minimal (1 PDF). No sensitive files (.env, .sql, backups) were found.

Certificate Transparency

Property	Value
Total certificates found	20
Certificate issuer(s)	GoDaddy G2 (16 certs, 2020-2025), Let's Encrypt R12/R13 (4 certs, 2025-present)
Earliest certificate	2020-12-22
Most recent certificate	2026-03-20
Wildcard certs?	No
Renewal pattern	~90-day automated renewal throughout

Subdomains Discovered via SANs

#	Subdomain	First Seen	Last Seen	Notes
1	www.nativebio.org	2020-12	2026-03	Standard www -- present on all certs
2	indigidata.nativebio.org	2021-01	2023-01	IndigiData project subdomain; now redirects to indigidata.org

Related Domains Discovered

#	Domain	First Seen	Notes
1	decolonize-dna.org	2020-12-22	Linked via GoDaddy cert SANs; now lapsed with no DNS records

Assessment: Clean

Minimal subdomain surface area. No wildcard certificates, no exposed dev/staging/API endpoints. Hosting migration from GoDaddy to cPanel shared hosting visible in the certificate record.

Funding & Contract Records

USASpending Recipient Profile: Not found. The flagship $9M NIH award was structured as an Other Transaction Agreement with Stanford University as the prime awardee; NBDC received its portion as a sub-award.

IRS 990 Profile

Year	Revenue	Expenses	Net Assets
2022	$1,009,562	$1,878,751	$2,115,344
2021	$3,267,587	$498,716	$2,876,874
2020	$55,182	$17,618	$40,827

Source: ProPublica Nonprofit Explorer

Funding Records

#	Record	Amount	Funder	Notes
1	NIH RADx Tribal Data Repository (D4I)	$9,000,000 total (~$3M NBDC)	NIH	Dec 2023. Stanford prime. Funding cut March 2025; only ~$1M spent.
2	MacArthur Equitable Recovery	$2,000,000	MacArthur Foundation	2021. Unrestricted general operating.
3	McGovern Digital Health	$400,000	McGovern Foundation	Dec 2021. Indigenous data governance.
4	Henry Luce Indigenous Knowledge	$90,000	Luce Foundation	Dec 2023. Data sovereignty education.
5	MacArthur Journalism & Media	$50,000	MacArthur Foundation	2025. Data sovereignty summits.
6	MacArthur New Work	$15,000	MacArthur Foundation	2025. Operations support.
7	Illumina NextSeq 550 (in-kind)	In-kind	Illumina	2021. Sequencer donated to Eagle Butte lab.

Total identified funding: ~$9,555,000 (plus in-kind equipment)

Assessment: Medium-High

The organization's entire funding portfolio is publicly reconstructable. Form 990 data reveals revenue, expenses, and key employee compensation. The funding picture is dominated by one NIH award that was cut short in 2025.

Legal & Regulatory Records

#	Resource	Source	Notes
1	ProPublica 990 Filings	ProPublica / IRS	Annual returns filed 2020-2022. 501(c)(3) confirmed.
2	GuideStar Profile	Candid/GuideStar	Standard nonprofit transparency profile.

Litigation: Zero cases found across Justia, CourtListener, JudyRecords, and general web searches.

Federal Register: No mentions found.

Congressional records: No indexed testimony or hearing appearances.

Assessment: Clean

Zero litigation footprint. No lawsuits, complaints, consent decrees, settlements, or enforcement actions found. Clean and appropriate regulatory profile for a 501(c)(3).

Infrastructure & Technical Surface

DNS Configuration

Record	Value	Significance
A	198.46.91.127	Hosting: InMotion Hosting (cPanel shared)
MX	aspmx.l.google.com (pri 1) + alternates	Email: Google Workspace
NS	ns09.domaincontrol.com, ns10.domaincontrol.com	DNS registrar: GoDaddy
TXT (SPF)	v=spf1 include:_spf.google.com ~all	SPF configured
TXT (DKIM)	google._domainkey -- RSA 2048-bit	DKIM configured
TXT (DMARC)	v=DMARC1; p=none	DMARC monitor-only (does not reject spoofed mail)

Infrastructure Profile

Property	Value
Hosting platform	InMotion Hosting (cPanel shared, nginx 1.29.4)
Domain registrar	GoDaddy
Domain type	.org
Email provider	Google Workspace
CDN/Proxy	None detected
SSL/TLS	Let's Encrypt (cPanel AutoSSL)
Security headers	Minimal -- only X-Content-Type-Options: nosniff

Related Domains

Domain	Status	Notes
decolonize-dna.org	Lapsed	No DNS records; domain expired
indigidata.nativebio.org	Redirect	301 to indigidata.org (GoDaddy hosting)
indigidata.org	Active	GoDaddy shared hosting

Assessment: Low

Standard small-nonprofit infrastructure. Email authentication nearly complete but DMARC in monitor-only mode. Security headers minimal. The decolonize-dna.org domain has lapsed and could be registered by a third party.

Disaster & Environmental

The Cheyenne River Sioux Reservation has one of the highest disaster declaration densities in the FEMA database: 45+ declarations since 1997, averaging ~1.5 per year.

Recent FEMA Declarations (6 of 45+)

#	Declaration	Date	Type	Notes
1	FEMA-5628	2026-03-22	Fire	Jumping Juniper Fire, Dewey County
2	FEMA-4842-DR	2024-11-01	Major Disaster	First standalone tribal DR for CRST. $6.7M+ federal funding. DRC in Eagle Butte.
3	FEMA-4807-DR	2024-08-15	Major Disaster	Severe storms, flooding. Dewey & Ziebach counties.
4	FEMA-4689-DR	2023-02-27	Major Disaster	Severe winter storms. Ziebach County.
5	FEMA-4587-DR	2021-02-24	Major Disaster	Severe winter storms (ice storm). Dewey County.
6	EM-3536	2020-03-13	Emergency	COVID-19 tribal emergency for CRST.

Environmental Monitoring

#	Station/Facility	Agency	Notes
1	Cheyenne River Near Eagle Butte (USGS-06439500)	USGS	Real-time streamflow; nearest to NBDC HQ
2	CRST 106 Water Quality Program	CRST EPD / EPA	Mercury & heavy metal contamination documented
3	EPA NPDES Permit SD-0020192	EPA Region 8	Eagle Butte wastewater discharge permit

Assessment: Medium-High

Eagle Butte headquarters sits in one of FEMA's most declaration-dense jurisdictions. The 2024 standalone tribal disaster declaration and $6.7M+ recovery directly affected the area. Mercury contamination from upstream mining is documented in the watershed. Biological specimens and lab equipment face significant natural hazard exposure.

Media & Public Narrative

Key Coverage

#	Article	Date	Publication	Key Points
1	SD Tribes Seek Restoration of Federal Support	2025-11	SD Searchlight	NIH funding revoked; 5 tribes wrote congressional delegation
2	A Tribal Data Repository (Nature Genetics)	2025	Nature Genetics	Peer-reviewed publication on D4I repository
3	Data as Strategic Asset	2026-04	Native News Online	Yracheta on "surveillance colonialism"; April 2026 summit
4	How Indigenous Scientists Are Taking Control	~2021	Illumina	NextSeq 550 donated to Eagle Butte lab
5	Native Scientists Taking Control (NPR)	2022-10	Science Friday	Tsosie, Yracheta, Anderson interview

Leadership Identified

#	Name	Role	Notes
1	Guthrie Ducheneaux	Board President / IT Director	Lakota, CRST
2	Joseph Yracheta, MS	Executive Director	P'urhepecha & Raramuri. Public face of organization.
3	Krystal Tsosie, PhD	Co-founder / Board Secretary	Dine/Navajo. ASU faculty.
4	Keolu Fox, PhD	Co-founder / Board Member	Kanaka Maoli. UCSD faculty.
5	Kali Dale	Research Director	White Earth Ojibwe
6	Ashlynn Gerth	Development Director	Mille Lacs Ojibwe
7	Burt Dillabaugh	Tribal Liaison	Cheyenne River Lakota

Assessment: Clean

The organization is in a "growth-under-stress" phase: extraordinary scientific legitimacy combined with an acute funding crisis. No negative coverage, controversies, or organizational disputes found.

Risk Summary

The Native BioData Consortium has a clean digital security posture -- no leaked documents, no PII exposure, no litigation, no infrastructure vulnerabilities. The two areas of elevated exposure are (1) the fully reconstructable funding portfolio, which is inherent to the nonprofit transparency regime and cannot be avoided, and (2) the extreme disaster exposure of its physical jurisdiction, which affects business continuity for a facility housing irreplaceable biological specimens.

Recommendations

Immediate Actions

1. Upgrade DMARC policy from p=none to p=quarantine. The current monitor-only configuration means anyone can send spoofed email appearing to come from @nativebio.org. Given the organization's relationships with tribal governments and federal agencies, email impersonation is a meaningful risk.
2. Add security headers to web server. Missing HSTS, Content-Security-Policy, and X-Frame-Options on the Drupal site. These are configuration-level changes on the cPanel/nginx stack.
3. Register or monitor decolonize-dna.org. This domain has lapsed and could be registered by a third party. Given its historical association with NBDC, a bad actor could use it for phishing or brand damage.
4. Clean up archived placeholder content. The Wayback Machine preserves WordPress-era placeholders that reflect poorly on technical maturity.

Ongoing Monitoring

1. Certificate transparency monitoring. Set up alerts on crt.sh for nativebio.org to detect unauthorized certificate issuance.
2. FEMA declaration tracking. Monitor for events that could affect Eagle Butte operations (~1.5/year frequency).
3. 990 filing monitoring. Each annual filing reveals updated revenue, compensation, and asset data.

Strategic Considerations

1. Funding diversification. The 2025 NIH cut demonstrated concentration risk in a single federal award.
2. Business continuity planning. D4I data servers provide geographic redundancy, but the physical lab and biological specimens in Eagle Butte face significant natural hazard exposure.
3. Domain authority. Operating on .org carries less inherent authority than .gov or .nsn.gov for an organization working with tribal governments on sovereign data governance.

What This Means

Donor and grant transparency means your funding portfolio, tax filings, and program outcomes are publicly assembled in ways that shape how funders and the public perceive your organization. For the Native BioData Consortium, this transparency cuts both ways: it validates your scientific legitimacy and federal funding track record, but it also means your current funding crisis is visible to anyone who looks. The fact that your entire grant history, leadership roster, and physical location can be assembled from public sources in under 30 minutes is not a vulnerability -- it is the cost of operating as a 501(c)(3) in the current transparency regime. The question is whether you are managing that visibility intentionally or whether it is managing you.