15 Security Questions to Ask Your Print & Mail Vendor Before Signing
By Martin C | March 6, 2026
Most print and mail vendors will tell you they are “fully compliant.” Mailing.com believes compliance teams deserve more than reassurance. They deserve concrete evidence. This checklist gives you the exact questions to ask, what a strong answer looks like, and what red flags should stop the conversation.
Whether you are running a formal RFP, conducting annual vendor due diligence, or evaluating a new partner for sensitive communications, these 15 questions separate vendors with real security infrastructure from those relying on surface-level claims. Print them, bring them to your next facility tour, and use them to hold every vendor, including us, accountable.
How to Use This Checklist
Ask each question directly during vendor evaluations. A strong vendor answers with specifics: documentation, system names, audit reports, and live demonstrations. A weak vendor deflects with generalities, cites “proprietary processes,” or declines to show evidence.
For each question below, we have included what a great answer sounds like and what should concern you. Score each area during your evaluation and compare across vendors using the scoring framework at the end.
Section 1: Infrastructure and Encryption (Questions 1–4)
This first set of questions helps you confirm that a vendor’s technical foundation keeps your data safe from the moment it leaves your environment, all the way through production and storage.
Question 1: How are files transferred into your environment, and what encryption protects data in transit?
What to look for: SFTP (file transfer over SSH) or an HTTPS upload portal, with AES-256 (for example AES-256-GCM) as the minimum cipher. The vendor should state the SSH or TLS versions and the exact cipher suites enabled on the endpoint, explain how you will verify the server's host key or certificate before the first upload, and confirm that plaintext FTP is disabled on the server rather than merely discouraged. Ask whether file access requires SSH key or multi-factor authentication and how accounts are provisioned and revoked.
Red flag: The vendor accepts files via email, unencrypted FTP, or a web portal without documented encryption. Any vendor that offers a “convenient” unencrypted upload option alongside their secure channel has not committed to security as a baseline.
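A concrete way to check the answer to Question 1 rather than take it on faith is to read what the vendor's SFTP endpoint actually advertises. The script below is an added example by this editor, not code from the original page or from Mailing.com: it performs only the SSH version exchange, reads the server's first handshake message (KEXINIT, RFC 4253) in which the server lists every key-exchange, cipher and MAC algorithm it is still willing to negotiate, and flags legacy ones; it also reports whether anything still answers on the plaintext FTP port. The legacy-algorithm lists, the `vendor_check` client string and the sample KEXINIT are this example's own assumptions, and no authentication is attempted.

```python
"""Enumerate the algorithms an SFTP (SSH) endpoint advertises and flag legacy ones.

Added example for the vendor SFTP question; not code from the original page.
Only the first SSH handshake message (KEXINIT) is read; no login is attempted.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Legacy algorithms a reviewer would expect a vendor to have disabled. These sets are
# an assumption of this example (modelled on what common SSH audit tools flag), not a
# standard the page cites.
LEGACY_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                  "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96",
               "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
               "hmac-sha1-96-etm@openssh.com"}
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
                    "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists of a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    offset = 1 + 16  # message id + 16-byte random cookie
    result = {}
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        result[field] = raw.split(",") if raw else []
    return result


def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload; used here only to construct an offline sample."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in NAME_LIST_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def assess(algos: dict) -> dict:
    """Return the legacy algorithms the server is still willing to negotiate."""
    ciphers = set(algos["cipher_c2s"]) | set(algos["cipher_s2c"])
    macs = set(algos["mac_c2s"]) | set(algos["mac_s2c"])
    return {
        "legacy_ciphers": sorted(ciphers & LEGACY_CIPHERS),
        "legacy_macs": sorted(macs & LEGACY_MACS),
        "legacy_kex": sorted(set(algos["kex"]) & LEGACY_KEX),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, exchange version strings, and read the server's (unencrypted) KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-vendor_check\r\n")  # client id string is an assumption
        line = b""
        while not (line.endswith(b"\n") and line.startswith(b"SSH-")):
            if line.endswith(b"\n"):
                line = b""  # servers may send banner text before the version line
            line += _recv_exact(sock, 1)
        packet_len, pad_len = struct.unpack(">IB", _recv_exact(sock, 5))
        body = _recv_exact(sock, packet_len - 1)  # payload + padding (no MAC yet)
        return parse_kexinit(body[:packet_len - 1 - pad_len])


def plaintext_ftp_listening(host: str, port: int = 21, timeout: float = 3.0) -> bool:
    """True if something answers on the FTP port, the fallback that should not exist."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample standing in for a server's KEXINIT; not captured from any vendor.
SAMPLE_SERVER_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha1"],
    host_key=["ssh-ed25519", "rsa-sha2-512"],
    cipher_c2s=["aes256-gcm@openssh.com", "aes256-cbc"],
    cipher_s2c=["aes256-gcm@openssh.com", "3des-cbc"],
    mac_c2s=["hmac-sha2-256", "hmac-md5"],
    mac_s2c=["hmac-sha2-256"],
    comp_c2s=["none"], comp_s2c=["none"],
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python sftp_check.py sftp.vendor.example
        print("plaintext FTP answering:", plaintext_ftp_listening(sys.argv[1]))
        print(assess(fetch_server_kexinit(sys.argv[1])))
    else:
        print(assess(parse_kexinit(SAMPLE_SERVER_KEXINIT)))
```

Run it against the hostname the vendor gives you for SFTP, with their written permission, and compare the output with their cipher-suite answer. An empty result for all three lists is what "no legacy fallback" looks like on the wire; a non-empty `legacy_ciphers` list, or `True` for the FTP port, is the red flag above in measurable form. The script does not test an HTTPS portal; for that, any standard TLS scanner covers the same ground.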
Question 2: What encryption protects data at rest during processing and storage?
What to look for: Encryption at the storage layer: full-volume encryption (BitLocker, LUKS or the equivalent on the vendor's platform) or file-system encryption such as NTFS EFS. The vendor should describe where the keys are held and how they are rotated, and confirm that encryption covers every location where your data resides, including temporary processing queues and backup volumes. Keep in mind that encryption at rest protects against lost or stolen disks and media; ask separately which staff and service accounts can read the decrypted files on a running system.
Red flag: Vague answers like “our servers are secure” without specifying encryption standards. If the vendor cannot name the encryption method, they likely have not implemented one consistently.
Question 3: Do you run CASS certification and NCOA processing on your own servers, or outsource to third parties?
What to look for: Address validation processing performed on-premises without routing data through external vendors. Ask for a network diagram showing where address validation occurs and whether any data leaves the primary facility during processing.
Red flag: The vendor uses a third-party address hygiene provider without disclosing this in their security documentation. Every external transfer expands the attack surface and adds a subprocessor that you, not the vendor, are ultimately accountable for.
Question 4: Can you provide a current SOC 2 Type II report and evidence of NIST CSF alignment covering the facility where our production will occur?
What to look for: A SOC 2 Type II report (an auditor's attestation, not a certificate) whose audit period ended within the last 12 months and whose system description explicitly names the physical facility handling your data; if the period ended more than a few months ago, ask for a bridge letter covering the gap. Check which Trust Services Criteria are in scope: security is always included, but availability, processing integrity, confidentiality and privacy are optional and not always covered. Read the auditor's opinion and the listed exceptions, not just the cover page. For NIST CSF, which has no formal certification, expect a documented assessment against the framework rather than a certificate.
Red flag: The vendor offers a SOC 2 report that covers a corporate office or API layer, but not the production floor where your data is actually printed and mailed. The report's scope must name the specific facility handling your files.
Section 2: Personnel and Physical Access (Questions 5–8)
These questions verify that the people who touch your data are screened, trained, and physically restricted to appropriate areas.
Question 5: What background checks do you require for employees who handle customer data?
What to look for: Criminal background checks for all personnel with data access, including temporary staff, contractors, and third-party workers on-site. Ask to see anonymized documentation of the screening policy and the frequency of re-screening.
Red flag: Background checks limited to full-time employees only, or screening performed only at hire with no periodic re-evaluation.
Question 6: How often do you conduct security awareness training, and what does it cover?
What to look for: At minimum, annual security training covering social engineering, phishing, data handling procedures, and incident reporting. Ask for training completion records showing participation rates.
Red flag: No formal training program, or training that has not been updated in more than a year.
Question 7: Can I schedule a facility tour to observe production security controls in person?
What to look for: An open invitation to tour the production facility where your data will be processed. During the tour, observe badge-access systems at entry points, camera placements on the production floor, server room access restrictions, and how visitor access is logged.
Red flag: The vendor declines tours, restricts you to a conference room presentation, or routes you through a “showroom” that is not the actual production environment. Vendors who will not show you where your data lives likely outsource production to third parties.
Question 8: What are your documented visitor access policies?
What to look for: A formal visitor log that records name, company, purpose, escort assignment, and time in/out. Ask how long visitor records are retained for audit purposes and whether visitors are restricted from production areas without escort.
Red flag: No formal visitor policy, or a sign-in sheet with no escort requirement.
Section 3: Data Lifecycle and Destruction (Questions 9–11)
These questions help you confirm that a vendor properly manages your data throughout its lifecycle and can prove it has been destroyed once the business purpose is complete.
Question 9: What are your data retention schedules, and what triggers destruction?
What to look for: Documented retention windows defined by regulation and business purpose, with automatic triggers for destruction when the retention period expires. The vendor should describe how they track retention across different data types and client agreements.
Red flag: No formal retention policy, or a policy that defaults to indefinite retention “just in case.”
Question 10: How do you verify data scrubbing at job conclusion, and does it extend to backup systems?
What to look for: A documented sanitization process that covers all storage locations: active production servers, temporary processing queues, and backup volumes. Ask whether the vendor can provide proof of the method used and whether it applies to every copy of your data. Overwriting is only reliable on magnetic disks; for solid-state or cloud-hosted storage, look for cryptographic erasure or a method mapped to NIST SP 800-88 media sanitization guidance.
Red flag: Scrubbing is applied only to production servers, while backups retain your data indefinitely. If backups are excluded from the scrubbing process, your data persists beyond the stated retention window.
Question 11: How do you document the destruction of backup copies on optical media and removable storage?
What to look for: A certificate of destruction that lists the job ID, destruction date, media type, and method used. If the vendor uses a third-party shredding service for physical media, ask for the shredding vendor’s certifications and chain-of-custody documentation.
Red flag: No destruction certificates available, or the vendor cannot confirm whether backup copies exist on media they do not directly control.
Section 4: Disaster Recovery and Incident Response (Questions 12–15)
These questions help you evaluate how well a vendor can maintain service continuity and respond effectively when something goes wrong.
Question 12: What is your disaster recovery protocol, and do backup locations follow identical access controls?
What to look for: A documented disaster recovery plan with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). Backup locations should undergo the same security audits as the primary site. Ask whether the vendor has tested failover within the past 12 months.
Red flag: A single facility with no backup infrastructure, or a backup site that has not been audited to the same standards as the primary location.
Question 13: Do you maintain mirrored production sites for business continuity?
What to look for: At least one secondary production site with equivalent equipment and security controls. Ask whether the secondary site can handle your peak volumes and whether the failover process has been tested under realistic conditions.
Red flag: The vendor claims redundancy through cloud backups alone without a physical production alternative. Digital redundancy does not solve for physical production disruption.
Question 14: How quickly can you replicate data through backup systems, and are backups encrypted during transfer?
What to look for: A defined replication schedule (daily at minimum) with encryption applied during backup transfer. Ask whether the backup process is automated or manual, and what monitoring exists to confirm successful completion.
Red flag: Manual backup processes with no monitoring, or unencrypted backup transfers between sites.
Question 15: What is your breach response timeline, and who owns incident resolution?
What to look for: A written incident response plan that defines client notification timelines measured in hours, not days; escalation procedures; and a named point of contact for breach communications. The vendor's notification window must be short enough for you to meet your own regulatory and contractual deadlines, so compare the two. The vendor should also describe their cyber insurance coverage and whether the plan has been tested through tabletop exercises.
Red flag: No formal incident response plan, or a plan that does not include client notification timelines. If the vendor cannot name who you would contact during a breach, they have not operationalized their response.
Scoring Framework: Compare Vendors Side by Side
Use this scoring framework during vendor evaluations to create an objective comparison. Rate each section on a 1–5 scale based on the quality of evidence provided.
| Section | Weight | Vendor A | Vendor B | Vendor C |
|---|---|---|---|---|
| Infrastructure & Encryption (Q1–4) | 30% | ___ / 5 | ___ / 5 | ___ / 5 |
| Personnel & Physical Access (Q5–8) | 25% | ___ / 5 | ___ / 5 | ___ / 5 |
| Data Lifecycle & Destruction (Q9–11) | 25% | ___ / 5 | ___ / 5 | ___ / 5 |
| Disaster Recovery & Incident Response (Q12–15) | 20% | ___ / 5 | ___ / 5 | ___ / 5 |
| Weighted Total | 100% | ___ / 5 | ___ / 5 | ___ / 5 |
Scoring guide:
- 5: Provided audit-ready documentation, demonstrated controls live, and offered facility tour evidence
- 4: Provided documentation with minor gaps, answered specifics directly
- 3: Answered with general descriptions but limited documentation
- 2: Deflected with generic reassurances, cited “proprietary” processes
- 1: Could not answer or declined to provide evidence
Any vendor scoring below 3 in Infrastructure & Encryption or Data Lifecycle & Destruction should be disqualified from consideration for sensitive communications.
How Mailing.com Answers These Questions
We built this checklist because we believe transparency is a competitive advantage. Here is how we answer our own questions:
Infrastructure: SFTP with AES 256-bit encryption for all data transfers. NTFS-encrypted volumes for data at rest. CASS and NCOA processing is performed on our own servers, with no third-party routing. We hold current SOC 2 Type II reports covering our production facilities.
Personnel: Background checks for all employees with data access. Annual security training with documented completion. Open facility tours: we welcome compliance teams to inspect our production floor, server room access controls, badge systems, and camera verification on inserters.
Data lifecycle: Documented retention schedules with post-job data scrubbing that covers production servers, temporary queues, and backup volumes. Certificates of destruction are provided for every engagement.
Continuity: Mirrored production sites with tested failover. Documented incident response plan with named contacts and defined notification timelines.
We have maintained in-house production for over 80 years, combining the legacy expertise of DFS and Mailing.com. Request your security audit to evaluate your current mail stream for compliance gaps, or schedule a facility tour to see these controls in action.
FAQs
What is the single most important question to ask a print and mail vendor about security?
Ask whether you can tour the facility where your data will actually be processed. A vendor’s willingness to show you the production floor, server room, and access controls tells you more than any certification alone. Vendors who decline tours or redirect you to a different location likely outsource production.
How do I verify that a vendor’s SOC 2 report covers the right things?
Request the full SOC 2 Type II report and check three things: the facility scope (does the system description cover the location handling your data?), the Trust Services Criteria included (security is baseline, but look for confidentiality and processing integrity), and the report date (the audit period should have ended less than 12 months ago). Then read the auditor's opinion and any exceptions noted in the control tests. Reports covering only a corporate office or API layer do not validate production security.
Should I require both SOC 2 and NIST CSF?
SOC 2 verifies operational controls through independent testing over a period of time. NIST CSF is a widely adopted set of guidelines and best practices for managing and reducing cybersecurity risk; it has no certification scheme, so what you can ask for is a documented assessment against it. Together they provide complementary assurance: SOC 2 proves specific controls worked in practice during the audit period, while NIST CSF shows how the vendor organizes its overall cybersecurity program. Requiring both is a reasonable standard.
What if my current vendor cannot answer these questions?
If your vendor deflects, provides generic answers, or cannot produce documentation for multiple questions in this checklist, that is a material risk indicator. It does not necessarily mean a breach has occurred, but it does mean you cannot verify that appropriate controls are in place, and that is itself a compliance gap. Use the scoring framework to document the deficiencies and present them to your procurement team as part of a structured vendor review.
Can I use this checklist for annual vendor re-evaluation?
Yes. These questions are designed for both initial vendor selection and ongoing due diligence. Annual re-evaluation should verify that SOC 2 reports remain current, that any changes to production facilities or personnel policies have been documented, and that destruction certificates from the prior year’s engagements are on file.