The ideal solution is a carrier that has its own true DDoS mitigation platform, and does not rely on black hole routing . Have the carrier handle the the large bulk flood attacks, then have your own prem base mitigation platform take care of the more application specific attacks that get through .
This represents the best solution , and also the most expensive . So it may not work for a non profit.
My experience with most providers has been that null routing is the "industry standard" when a DDoS hits their network.
I would suggest approaching companies who specialize in DDoS mitigation - Prolexic and Blacklotus to name two I am familiar with. These outfits may have something that works for a non-profit from a pricing point of view.
Ping me off list, I deal with a few providers and may be able to point you in the right direction.