How to Evaluate a Political Mail Vendor for IE and PAC Programs

In the 2024 election cycle, 2,502 super PACs raised $5.1 billion and spent $2.69 billion, according to OpenSecrets. Direct mail takes a big share of that spend. But the operatives running these programs, people managing nine-figure IE budgets, are often choosing mail vendors without a procurement framework that fits their world.

That’s because nobody has built a procurement framework for the IE and PAC context specifically: coordination-clean vendor structures, data security that matches combined voter-file-and-donor datasets, and documented production capacity at the volumes these programs actually run. This guide fills that gap.

What Makes IE and PAC Mail Procurement Different from Campaign Mail

If you’ve bought campaign mail before, some of this will feel familiar. But three things make the IE and PAC side a different animal.

Budget scale. IE programs routinely blow past $1 million in mail spend during a single cycle. A vendor that can “scale theoretically” isn’t the same as one with documented throughput at 2 million or more pieces in a compressed general election window. At this spend level, you need production references from comparable IE programs, not from a campaign manager mailing 50,000 pieces for a state house race.

Data sensitivity. IE programs combine voter files with proprietary donor data, prospect models, and issue advocacy targeting overlays. That combined dataset (names, giving history, employer information, modeled propensity scores) is the organization’s competitive intelligence. It needs data handling protocols closer to financial services than standard political mail.

Coordination cleanliness. Using the same vendor as a candidate’s campaign doesn’t count as coordination under FEC rules (11 CFR 109.21). But seasoned IE operatives structure vendor relationships to avoid even the appearance of campaign involvement, and that preference shapes how you vet vendors, manage data access, and document communication.

The FEC Coordination Framework and What It Means for Vendor Selection

Here’s the core rule: an independent expenditure has to be made without coordination with a candidate or their campaign. Under FEC regulations, coordination is determined by a three-prong test covering payment, content, and conduct. All three prongs must be met for a communication to count as coordinated.

So what does that mean when you’re picking a mail vendor? The vendor relationship itself isn’t coordination. Hiring the same mail house that prints a candidate’s campaign mail doesn’t, by itself, create a violation. But the conduct prong includes a “common vendor” standard: if a vendor has access to nonpublic campaign strategy, polling, or creative materials through its work for the candidate, and that information gets used in producing your IE communication, the expenditure may meet the conduct standard.

The good news: the FEC does provide a safe harbor. A vendor can serve both an IE committee and a candidate’s campaign in the same cycle if it maintains a written firewall policy that prevents sharing nonpublic information between the two relationships. According to FEC guidance materials on independent expenditures, the firewall must be a written policy, and a 120-day safe harbor period applies to common vendor and former employee/contractor situations.

The practical takeaway: ask every vendor whether they have active relationships with candidate campaigns in your target races this cycle. If they do, request a copy of their written firewall policy. No written firewall? That’s a deal-breaker for most IE buyers, and it should be addressed before you sign anything. Many IE programs simplify the whole issue by picking vendors with no active candidate campaign relationships in their target races at all.

Data Security Requirements for IE Programs

Let’s talk about what’s really at stake with your data. IE programs generate combined datasets that are extraordinarily sensitive. A voter file for a large state can hold 2 million or more records. Layer donor databases, giving history, employer data, and propensity models on top of that file, and you’ve got a dataset that would be valuable to opposing campaigns and damaging if exposed.

Report | What it covers | When to require it
SOC 1 | Financial reporting controls | Vendors handling transactional/billing data
SOC 2 Type I | Security controls at a point in time | Initial diligence; less rigorous
SOC 2 Type II | Security controls operating effectively over 6 to 12 months | Production vendors handling sensitive datasets like voter files and donor data

Here are six data security requirements you should treat as non-negotiable when evaluating vendors.

1. SOC 2 Type II attestation covering the production facility. A SOC 2 Type II report, performed under AICPA’s attestation standards (commonly referenced as SSAE 18), evaluates control effectiveness over 6 to 12 months and is typically refreshed annually. Ask for the actual report, not just a claim. Make sure the scope covers the physical production facility where your mail is printed, not just the vendor’s web platform or corporate IT environment. If a vendor calls it a “certification,” they may be using the term loosely (the correct term is “attestation”), so it’s worth confirming the audit’s scope and dates directly.

2. Data isolation between client programs. Your voter file and donor data shouldn’t be accessible to the vendor’s other political clients. Ask how isolation works: separate servers, access-controlled directories, or something else? Get the answer in writing in your vendor agreement.

3. Signed data handling agreement. The agreement should specify permitted use (production of your mail program only), data retention period, and destruction protocol. It should also name the individuals at the vendor authorized to access your data.

4. Staff data access controls. Ask who at the vendor can access your files and under what conditions. Production operators, data analysts, and account managers may each need different levels of access. The vendor should be able to walk you through their access control framework, not just say “we take security seriously.”

5. Post-production data destruction confirmation. After your program completes, you need written confirmation that your data has been purged from the vendor’s systems, including backup systems and staging environments. Establish the destruction timeline in your agreement before production begins.

6. Breach notification protocol. The agreement should specify the notification window (how many hours from discovery to your notification), the contact protocol (who gets called), and what information the vendor is obligated to provide about the scope and nature of the incident.

Production Scale: Proving Capability Before the Program Starts

An IE program that needs to drop 2 million pieces during a compressed general election window can’t afford to find out its vendor doesn’t have the throughput after creative is already approved. This is something you prove before the contract is signed, not after.

Here’s what “proven at scale” actually looks like for IE programs, and what to ask for in every vendor RFP.

Maximum single-drop production capacity. Can the vendor produce 1 million or more pieces within a 72-hour window? Request documentation of prior runs at that volume, including dates, piece counts, and format types. A verbal assurance isn’t documentation.

Multi-wave production during peak season. IE programs often run consecutive large-scale drops 10 to 14 days apart during the final weeks before Election Day. Can the vendor handle your program alongside their other political clients without queue delays? Ask what percentage of their total capacity your program would consume, and what happens if a competing client’s program overlaps with yours.

Multi-state induction capability. National IE programs need simultaneous USPS induction across multiple postal districts to hit in-home dates in different states. Ask whether the vendor has established drop-ship relationships in your target states. The RSLC’s Project Doorstrike initiative for 2025-2026, a multi-state GOTV program spanning Virginia, New Jersey, and midterm target states, shows the kind of multi-state coordination IE-level programs require. Your vendor needs to demonstrate this capability with specifics, not generalities.

Reference programs at comparable scale. Request references from prior IE or PAC clients who ran programs at volumes similar to yours. Campaign manager references are helpful but not enough. You need references from buyers who dealt with the same data sensitivity, coordination cleanliness, and production compression your program demands.

Mailing.com operates as a single-facility, in-house production partner with On-Site USPS Verification: a Detached Mail Unit staffed by USPS employees who verify mail right after production. That step saves an average of 30 hours compared to trucking finished mail to a post office for acceptance. For IE programs where every day between drop and in-home date counts, that’s the kind of time compression that actually changes outcomes.

The Vendor Procurement Checklist for IE and PAC Programs

Here’s your checklist for the RFP process. Every item should produce a documented response, not a verbal assurance.

SOC 2 Type II attestation. Request the report. Confirm the scope covers the production facility where your mail will be printed. Verify the report date and observation period (current-year reports are standard; older reports may be flagged by your compliance team).

Data isolation documentation. How is your program’s data separated from other clients? Request a written description of the isolation architecture.

Campaign relationship disclosure. Does the vendor have active relationships with candidate campaigns in your target races this cycle? If yes, request a copy of their written firewall policy.

Production throughput documentation. What is the vendor’s maximum single-week production capacity for political mail? Request evidence from prior cycles.

Multi-state induction capabilities. List the states where the vendor has established USPS drop-ship relationships or On-Site USPS Verification capability.

Prior IE/PAC reference clients. Request at least two references from IE or PAC programs at comparable scale. Speak to those references directly.

Data destruction confirmation. What is the timeline for post-production data purge, and what format does the written confirmation take?

Breach notification protocol. How many hours from discovery to notification? Who is the designated contact? What information is provided?

Print this list. Bring it to every vendor conversation. A vendor who answers all eight with documentation, not promises, has earned the next conversation.

IE and PAC Programs Deserve Enterprise-Grade Vendor Procurement

Picking a political mail vendor based on a website and a phone call means accepting the risk that a real procurement process eliminates. At the volume, data sensitivity, and coordination constraints IE programs operate under, vendor selection is a compliance decision just as much as a production decision.

Mailing.com is a non-partisan, enterprise-scale political mail production partner with in-house print and mail, documented data security protocols, and the production throughput IE programs need. Every piece is printed and mailed under one roof with zero outsourcing, so your data never leaves the facility. On-Site USPS Verification and Seamless Acceptance membership compress timelines and reduce risk at the postal acceptance stage.

Direct mail continues to deliver among the highest response rates of any voter contact channel, which is why mail remains a primary channel for IE programs even in heavily digital cycles.

FAQs

Does using the same mail vendor as a candidate’s campaign create a coordination violation?

No. Under FEC regulations (11 CFR 109.21), using the same vendor doesn’t by itself count as coordination. But if the vendor shares nonpublic campaign strategy or materials between clients, that conduct may satisfy the coordination test’s conduct prong. Most professional IE programs either pick vendors with no active candidate campaign relationships in their target races or require vendors to maintain a written firewall policy.

What is a SOC 2 Type II report, and why does it matter for political mail?

A SOC 2 Type II report, performed under AICPA’s attestation standards (commonly referenced as SSAE 18), evaluates how well a service organization’s security controls actually work over a 6- to 12-month period. It matters for political mail because IE programs handle combined voter file and donor datasets that need documented security controls. Ask for the report itself, not just a vendor’s claim, and confirm the scope covers the physical production facility.

How much mail can an IE program realistically produce in a compressed election window?

Production capacity varies by vendor. For large IE programs, you should expect your vendor to document the ability to produce 1 million or more pieces within a 72-hour window, with the capacity to run consecutive drops 10 to 14 days apart during peak political season. Request evidence from prior cycles, including dates, volumes, and format types.

Why do IE programs need multi-state induction capability?

National IE programs target voters across multiple states at the same time. Hitting in-home dates in different states requires your vendor to have established drop-ship relationships or direct induction capability in each target state’s USPS district. Without that, your mail sits in transit while your in-home window closes.
