diff --git a/app/controllers/nonprofits/imports_controller.rb b/app/controllers/nonprofits/imports_controller.rb
index a50f296c..a5344a06 100644
--- a/app/controllers/nonprofits/imports_controller.rb
+++ b/app/controllers/nonprofits/imports_controller.rb
@@ -10,13 +10,19 @@ module Nonprofits
     def create
       render_json do
         InsertImport.delay.from_csv_safe(
-          nonprofit_id: params[:nonprofit_id],
+          nonprofit_id: import_params[:nonprofit_id],
           user_id: current_user.id,
           user_email: current_user.email,
-          file_uri: params[:file_uri],
-          header_matches: params[:header_matches]
+          file_uri: import_params[:file_uri],
+          header_matches: import_params[:header_matches]
         )
       end
     end
+
+    private
+
+    def import_params
+      params.permit(:nonprofit_id, :file_uri, :header_matches)
+    end
   end
 end
diff --git a/app/models/import.rb b/app/models/import.rb
index 8a93f4c6..4c6453a4 100644
--- a/app/models/import.rb
+++ b/app/models/import.rb
@@ -2,14 +2,12 @@
 
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class Import < ApplicationRecord
-  # TODO
-  # attr_accessible \
-  #   :user_id, :user,
-  #   :email, # email of the user who ma
-  #   :nonprofit_id, :nonprofit,
-  #   :row_count,
-  #   :imported_count,
-  #   :date
+  # :user_id, :user,
+  # :email, # email of the user who ma
+  # :nonprofit_id, :nonprofit,
+  # :row_count,
+  # :imported_count,
+  # :date
 
   has_many :supporters
   belongs_to :nonprofit