complying with the new 990?

We are a very small, all-volunteer public charity, 501(c)(3).

We are reading that our organization must have a written whistle-blower policy, a written document retention policy, and a written board-member conflict of interest disclosure.

I think we can handle the conflict of interest disclosure OK. But we have questions on the other two:

1) Where can we find boilerplate for a rational whistle-blower policy for an all-volunteer organization? (And yes, I understand that boardmembers, volunteers, and members are supposed to be protected by such policies -- not just employees.) We'd prefer low-key language that doesn't "put a target on our backs" encouraging folks to shoot.

2) Given that we are all-volunteer, and all work is done on individual members personal computers at their homes -- what is rational language for a document retention/destruction policy? It's not like there is a central fileserver for email.

The so-called "minimum requirements" for retention (many of them 7 years or permanently) seem difficult to guarantee if paper records just keep getting added to a box that passes from treasurer to treasurer. Can all these records be retained as PDFs instead and stored on a commercial file serving service?

Some records are of historical value (though not legal value). Can we keep them beyond the stated retention period? Who decides?

Thanks for whatever insights you can provide.

At our nonprofit we have a document storage company that does keep it all digitally, so assume that that is okay. I know we had legal counsel review the policies.