Alec Boye, President, Mail Processing Associates ·
Most transactional mail vendors will quote you a price per piece. Few of them can hand your security team a SOC 2 Type 2 report, a HIPAA business associate agreement, a documented control set, and an audit packet your CISO can review without flagging the vendor as a third-party risk. That gap is the difference between a print-and-mail commodity and a compliance-grade mail operation.
Mail Processing Associates (MPA) holds a current SOC 2 Type 2 report (Vanta-managed control set, audited annually by an independent CPA firm; SOC 2 is an auditor attestation rather than a certification, so "report" is the accurate term) and operates as a HIPAA-compliant business associate. We process more than 10 million pieces a year out of a single Lakeland, Florida production facility, serve businesses in all 50 states, and run transactional programs for healthcare systems, financial services, utility cooperatives, insurance carriers, property managers, and government agencies. Our 35 years in print and mail mean the operational details that auditors examine - access logging, data destruction, change control, vendor management, incident response - are baked into how we already run the floor, not bolted on as a sales talking point.
This page is the compliance hub for that work. It explains what SOC 2 is, what SOC 2 Type 2 specifically means for transactional mail, how the Trust Services Criteria translate to the print and mail operation, and what to ask any vendor (including MPA) before sending them protected data.
What SOC 2 is and why it matters for transactional mail
SOC 2 is an auditing framework defined by the AICPA (American Institute of Certified Public Accountants) under its Trust Services Criteria. The framework was published in its current form in TSP Section 100 and is the standard most enterprise security teams use when evaluating a vendor that touches their customer data. The full criteria document is publicly available from the AICPA at aicpa-cima.com.
A SOC 2 audit examines five categories of controls (the "Trust Services Criteria"): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is required for every SOC 2 report. The other four are optional and chosen based on what the vendor actually does.
For a SOC 2 transactional mail vendor handling regulated documents - statements, invoices, explanation of benefits notices, account notices, payment reminders, tax forms, regulatory disclosures - the relevant criteria are typically Security plus Confidentiality, often Processing Integrity, and sometimes Privacy when the vendor processes personally identifiable information at scale.
The reason SOC 2 matters specifically for transactional mail is that the data flowing into the print operation is some of the most sensitive a business holds. A healthcare patient statement file contains protected health information. A bank statement file contains account balances and full account numbers. A mortgage servicer file contains loan numbers and payment history.
A utility billing file contains addresses and usage data. A government tax notice file contains Social Security numbers or tax identifiers. If any of that data leaks, gets emailed to the wrong recipient, gets retained beyond the contractual window, or gets handled by a worker who never had a background check, the breach lands on the data owner, not the print vendor.
SOC 2 Type 2 is the report that lets a buyer show, with independent auditor attestation, that their print and mail vendor has controls in place to prevent those failures and that the controls were observed operating effectively over an audit period, not merely designed correctly on paper. If a vendor cannot hand you a Type 2 report, your security team has to assume the worst about every control they cannot test directly.
Which compliance frameworks apply to which transactional documents
| Document type | SOC 1 | SOC 2 | HIPAA | Other |
|---|---|---|---|---|
| Healthcare patient statements | No | Yes | Yes | State health privacy law |
| Explanation of benefits notices | No | Yes | Yes | State health privacy law |
| Bank account statements | Yes | Yes | No | GLBA |
| Brokerage and investment statements | Yes | Yes | No | SEC Rule 17a-4 |
| Mortgage servicer notices | Yes | Yes | No | GLBA, CFPB |
| Utility billing | No | Yes | No | State privacy law |
| Insurance policy notices | Sometimes | Yes | Sometimes | State insurance code |
| Property management statements | No | Yes | No | State landlord-tenant law |
| Government tax notices | No | Yes | No | Agency-specific |
| Marketing mail to enterprise lists | No | Yes | No | CCPA, GDPR if applicable |
The table is a starting point, not a substitute for your compliance team's review. The right framework set depends on the data classification, the customer industry, and any state-level regulation that applies. SOC 2 is the baseline that covers data security for almost every category above; SOC 1 layers on for documents that affect financial reporting; HIPAA layers on for protected health information.
The five Trust Services Criteria translated to the print floor
The AICPA's Trust Services Criteria are written for the technology and service industry broadly. Here is what each criterion means for a SOC 2 transactional mail operation specifically.
Security (the common criteria, required for every SOC 2 report)
Security is the foundation. It includes logical and physical access controls, network security, change management, risk assessment, vendor management, and the monitoring and governance that tie all of those together. For a print and mail vendor, Security covers everything from who has a badge to who has a database login.
In practice for MPA: every workforce member completes an annual security training program, every system login requires multi-factor authentication, every server and workstation runs endpoint monitoring, and every transfer through the secure file gateway is logged.
Every privileged action is logged and reviewed, every physical entry into the production area requires a badge, and every visitor is escorted. The Vanta-managed control set is the daily evidence layer: continuous control monitoring across cloud infrastructure, identity providers, and endpoints feeds into the annual audit.
Availability
Availability covers whether the system is available for operation and use as committed or agreed. For a transactional mail vendor running recurring billing cycles, availability translates to: do the press, the inserter, the data gateway, and the BMEU induction window all stay up enough to hit the cycle calendar.
In practice for MPA: production presses (Xerox Iridesse, Xerox Versant, Xerox Nuvera) are maintained under active service contracts with quarterly preventive maintenance. The inserter line has a documented uptime target and a documented backup plan for when a unit goes down. The data gateway runs in a monitored hosting environment. The cycle calendar is built with buffer time so a single day of mechanical downtime does not slip the BMEU drop. Our turnaround windows for First-Class mail run 3 to 5 business days, and the cycle calendar is built around that target.
Processing Integrity
Processing Integrity covers whether system processing is complete, valid, accurate, timely, and authorized. For a transactional mail vendor, this is the criterion auditors test hardest, because a failure here (a missing record, a mismatched insert, a statement in the wrong envelope) is the failure the customer's own recipients see.
In practice for MPA: every file received is hashed on arrival and the hash is logged. Record counts are reconciled at each stage (intake count, post-NCOA count, post-composition count, post-press count, post-insert count, BMEU manifest count). Read-and-match barcoding at the inserter ensures every recipient gets their own pages and only their own pages, with the read-event logged to the piece-level audit.
Returned mail is captured against the original record. NCOA processing typically delivers approximately a 94% match rate on B2C lists with 98.5% deliverability after hygiene, and the match-rate report ships back to the customer with every cycle. Any anomaly (count mismatch, barcode misread, unexpected file format change) opens an incident ticket that must be resolved before the cycle ships.
Confidentiality
Confidentiality covers whether information designated as confidential is protected as committed or agreed. For a transactional mail vendor, this is the criterion that maps most cleanly to the data flowing into the print operation.
In practice for MPA: data in transit is encrypted. The SFTP drop runs over SSH (SFTP is the SSH file transfer protocol and does not use TLS), and the secure file gateway and portal use TLS 1.2 or higher. Data at rest is encrypted in the production environment. Access to source data is restricted to the operators who need it for the active job and is logged at the file level.
After the cycle ships and the contractual retention window closes, source data is securely destroyed and the destruction event is logged. Backup data follows the same retention rules. Where a customer's data classification requires a tighter control (for example, a financial services customer that requires data residency or a healthcare customer that requires a specific destruction interval), the control is documented as a customer-specific carve-out in the SOC 2 environment.
Privacy
Privacy covers whether personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. Privacy is the criterion most affected by external regulation. For a healthcare vendor, Privacy overlaps with HIPAA. For a financial services vendor, Privacy overlaps with the Gramm-Leach-Bliley Act (GLBA). For a vendor handling California or EU residents, Privacy overlaps with CCPA or GDPR.
In practice for MPA: personally identifiable information is treated as confidential by default. Access is restricted to operators with a job-related need. Records are retained only for the contractual window.
Suppressions for opt-outs, do-not-mail flags, and electronic delivery preferences are applied before composition rather than after press. Customer-specific privacy obligations (HIPAA, GLBA, FERPA for student data, state-level privacy frameworks) are documented in the BAA, MSA, or customer-specific addendum and audited against the customer's framework as well as the SOC 2 baseline.
SOC 2 Type 1 vs Type 2 - and why Type 2 is what you actually want
A SOC 2 Type 1 report describes a service organization's system and the suitability of the design of controls at a single point in time. A SOC 2 Type 2 report describes the same thing plus the operating effectiveness of those controls over a defined audit period, typically 3 to 12 months.
The difference matters because controls that are designed correctly on paper do not always operate correctly under production conditions. A Type 1 report tells you the vendor wrote a policy. A Type 2 report tells you an independent auditor observed the policy being followed during a real audit window, across staff changes, equipment cycles, and high-volume periods.
For SOC 2 transactional mail specifically, the gap between Type 1 and Type 2 is the gap between "the vendor says they hash every file on receipt" and "the auditor sampled X files across the audit window and confirmed the hash was recorded for each one." Your security team can tell the difference, and any enterprise procurement process worth respecting will require Type 2 for a vendor handling regulated documents.
| Attribute | SOC 2 Type 1 | SOC 2 Type 2 |
|---|---|---|
| Audit scope | Design of controls at a point in time | Design and operating effectiveness over time |
| Audit window | Single date | Typically 3 to 12 months |
| Evidence standard | Policy and design review | Sampled testing across the audit window |
| Repeated tests | No | Yes (multiple samples per control) |
| What it proves | Controls were designed correctly | Controls were followed in production |
| Vendor review value | Limited | Standard for enterprise procurement |
| MPA status | Superseded by Type 2 | Current and audited annually |
MPA holds a SOC 2 Type 2 report. The audit period and the auditor are documented in the report. The report is available under NDA for security review. We do not market a Type 1 report as if it were Type 2, and we do not list "SOC 2 audit in progress" as a credential.
SOC 1, SOC 2, and HIPAA - which one you need
The three frameworks get confused because they overlap. Here is the practical breakdown for a buyer evaluating a transactional mail vendor.
SOC 1 is a financial reporting framework. It applies when the vendor's controls affect the customer's financial statements. For a transactional mail vendor, SOC 1 is the right framework if the data being printed is a financial record that will be used to support the customer's audited financials - for example, a bank statement, a brokerage statement, an investor disclosure, or an explanation of benefits where the vendor's processing is part of the customer's financial control set.
SOC 2 is an information security framework. It applies when the vendor handles sensitive data on the customer's behalf. For a transactional mail vendor, SOC 2 is the right framework for almost every regulated document, including most of the categories listed above.
HIPAA is a federal healthcare data regulation. It applies when the vendor handles protected health information (PHI) on behalf of a covered entity. For a transactional mail vendor, HIPAA is the right framework for healthcare patient statements, explanation of benefits notices, appointment reminders, medical bill summaries, and any other document with patient-identifiable health data. HIPAA requires a Business Associate Agreement (BAA) between the covered entity and the vendor and is separate from SOC 2.
A vendor handling both financial records and healthcare data should hold all three: SOC 1 for the financial controls, SOC 2 for the security controls, and HIPAA compliance plus a BAA for the healthcare controls. A vendor handling only one category may need only one framework. The mistake to avoid is treating a vendor's SOC 2 as a substitute for HIPAA compliance or vice versa - they cover different scope.
MPA holds SOC 2 Type 2 and is HIPAA-compliant under a BAA template that can execute in days rather than months. For customers whose financial control set requires SOC 1, we coordinate with our auditor to map relevant Processing Integrity controls into SOC 1 scope on a customer-specific basis.
A practical SOC 2 transactional mail vendor checklist
Before you send a regulated data file to any vendor, the procurement-side checklist for SOC 2 transactional mail is straightforward. Use this table when running a vendor review.
| Question to ask | What a credible answer looks like |
|---|---|
| Do you hold a current SOC 2 Type 2 report? | Yes, audited annually, bridge letter available, full report under NDA |
| Who is the auditor? | A named CPA firm experienced in service-organization controls |
| What Trust Services Criteria are in scope? | At minimum Security plus Confidentiality; ideally Processing Integrity |
| What subservice organizations do you rely on? | Disclosed list (cloud, identity, endpoint monitoring) stating whether each is covered on an inclusive or carve-out basis |
| Do you carry cyber liability insurance? | Yes, certificate available under NDA |
| What is your data retention and destruction schedule? | Defined retention window, logged destruction events |
| What is your incident response time? | Documented breach notification window matching contractual SLA |
| Do you support a Business Associate Agreement? | Yes, BAA template available where HIPAA applies |
| Where is the work physically performed? | Single named facility (or named list of facilities, no off-shore) |
| Can your security team join a working call? | Yes, named contact in operations |
If a vendor cannot give a clean answer to most of the rows above, the procurement risk shifts to your team. The right vendor will hand the answers over without friction.
How MPA runs a SOC 2 transactional mail cycle
The control set is what an auditor reviews. The workflow is what you actually buy. Here is how a SOC 2 transactional mail cycle runs on the MPA floor, in operator-visible steps. Each step has documented controls, operator initials, and a timestamp captured in the production system.
1. Secure data intake
Your file arrives through one of three paths: an SFTP drop on our hosted gateway, a secure file portal upload, or a direct database extract on a customer-provisioned schedule. A file hash is recorded on arrival (and compared against the hash the customer supplies, where one is provided), and the record count is reconciled against the expected count. Access to the intake area is restricted to the assigned operators for that customer program. The intake event is logged at the file level with the operator identifier.
2. Data validation and NCOA processing
The file runs against the USPS National Change of Address (NCOA) 48-month mover file under the USPS-authorized NCOAlink licensee service. CASS-certified address validation runs in the same pass. The result set is reconciled against the input count; flagged records (undeliverable, foreign, duplicate, suppression match) are quarantined for review per the customer's program rules. NCOA processing typically delivers approximately a 94% match rate on B2C lists with 98.5% deliverability after hygiene. The validation report is filed with the cycle audit.
3. Composition and proof generation
Your design template is mapped to your data columns. We pull a representative sample of records (typically 5 to 10 spanning your population's edge cases) and produce hard proofs. Your authorized approver signs off on the actual variable behavior, not just the layout. Proof approval is captured electronically and logged with the cycle.
4. Press run on production digital
The approved job moves to the Xerox Iridesse, Xerox Versant, or Xerox Nuvera production presses, running up to 120 pages per minute color. Statement work running into the hundreds of thousands of pages is sequenced to keep operator counts and post-press inserter feed in sync. Press operator initials and shift timestamps are captured per pallet.
5. Inserting and matching
Multi-page statements move directly from press to the inserting line. Each statement is matched to its corresponding remittance stub and any inserts. Read-and-match barcoding confirms every recipient gets their own pages and only their own pages. Mismatches halt the line and are resolved before the cycle continues. The match log is reconciled against the input file at cycle close.
6. Presort and tray prep
Mail is presorted in-house to the rate tier the job qualifies for (typically 5-Digit Auto, AADC, or Mixed AADC for First-Class Presort under USPS Notice 123), then trayed and tagged for direct USPS Business Mail Entry Unit (BMEU) induction.
7. BMEU induction
MPA holds a USPS mailing permit for Business Mail Entry Unit (BMEU) entry and inducts the presorted trays directly at the BMEU rather than dropping at a destination delivery unit. The induction receipt is captured and filed with the cycle.
8. Tracking, reporting, and destruction
Intelligent Mail barcodes feed scan events back to the internal dashboard. Customers receive a delivery report showing scan rate, drop date, and estimated in-home window. After the retention period specified in the contract, statement source data is securely destroyed and the destruction event is logged. Backups follow the same retention schedule. The destruction log is retained per the SOC 2 control set.
Every stage above maps to one or more SOC 2 control activities. The mapping is documented in the audit packet and is what your security team will review during vendor onboarding.
What is in MPA's SOC 2 audit packet
When your security team starts a vendor review, they will ask for documentation. Here is what MPA provides under NDA.
The current SOC 2 Type 2 report, including the auditor's opinion, the system description, the Trust Services Criteria in scope, the control activities, and the testing results across the audit period. The bridge letter covering the period between the audit cutoff and the current date. The HIPAA Business Associate Agreement template. The list of subservice organizations relied on (cloud infrastructure, identity provider, endpoint monitoring), stating for each whether it is reported on an inclusive or a carve-out basis. The data flow diagram for the customer's specific program. The retention and destruction schedule. The incident response plan. The change management policy. The vendor risk management policy.
Most enterprise vendor reviews close inside 30 days when the buyer's security team has a clean packet to work from. We have run vendor reviews with hospital systems, regional financial services firms, and Fortune-class manufacturing customers; the SOC 2 packet is the artifact that moves those reviews from a stalled questionnaire to a completed file.
Industries MPA serves under SOC 2
We run SOC 2 transactional mail programs for several regulated verticals. The framework applies the same way; the customer-specific controls and additional regulatory frameworks differ.
Healthcare
Patient statements, explanation of benefits notices, appointment reminders, medical bill summaries, and Medicare and Medicaid program correspondence. Healthcare programs run under SOC 2 plus HIPAA compliance plus a BAA. We hold a dedicated HIPAA patient statement printing and mailing capability and serve healthcare systems through the healthcare industry hub.
Financial services
Account statements, brokerage statements, mortgage notices, loan documents, regulatory disclosures, and 1099 tax forms. Financial services programs typically require SOC 2 plus, where the document feeds into the customer's audited financial controls, SOC 1 mapping. Several MPA programs run under GLBA-mapped privacy controls in addition to the SOC 2 baseline.
Utility and energy
Utility billing, account notices, rate change notifications, payment plan documentation, and shutoff warnings. Utility programs typically run under SOC 2 plus state-specific privacy frameworks for residential customer data. Recurring monthly cycles ranging from 5,000 to 500,000 pieces per cycle are routine.
Insurance
Policy declarations, renewal notices, premium notices, claim correspondence, and regulatory disclosures. Insurance programs run under SOC 2 plus the carrier's state-specific privacy framework, with high-volume Annual Enrollment Period programs typically running every fall.
Property management and HOA
Monthly statements, special assessments, annual financial summaries, and notice mail to residents. Property management programs are often the entry point for an organization that wants SOC 2-grade mail handling for sensitive resident financial data.
Government and public sector
Tax notices, court correspondence, public agency statements, and regulatory mail. Government programs run under SOC 2 plus agency-specific data handling rules and often the Florida State Term Contract (STC) 80141800 for Florida state agencies. Our government industry hub documents the procurement-side detail. MPA also holds Florida State Mail Contract status.
Why MPA - the differentiators that matter at the vendor-review stage
Every transactional mail vendor will tell you they take security seriously. The question for a security review is what they can actually show. Here is the differentiator stack for MPA against the commodity print and mail vendor.
Single-facility operation. Every step of the workflow runs from one Lakeland, Florida production facility: one roof, one team, serving all 50 states. No third-party print vendor touches the data. No off-site bindery handles the work after press. No off-shore data processing. The full data-to-mail chain stays under the SOC 2 control set we run.
SOC 2 Type 2 plus HIPAA plus state contract. Most regional print shops hold none of the three. National vendors typically hold one or two. We hold a current SOC 2 Type 2 report (Vanta-managed, audited annually), run HIPAA-compliant operations with a fast BAA, and hold Florida State Mail Contract status. The Veteran-Owned Small Business certification is an additional procurement signal.
35 years of operational depth. We have been running print and mail since 1989. The operational disciplines an auditor expects to see - shift turnover documentation, equipment maintenance logs, change control records, security incident playbooks - exist because we have been running multi-shift mail production long enough to have built them. We are not building a SOC 2 control set on top of a young shop.
Recurring-cycle expertise. Statement programs are recurring by definition. Our cycle calendars, exception handling, and reporting cadences are built for recurring monthly and quarterly work, not one-off campaigns. Most cycles drop into a regular cadence after the first cycle's setup window.
5.0 stars across 100+ verified Google reviews from working customers, with most reviews citing reliability and responsiveness rather than just price. That is the proxy for whether the operational reality matches the sales pitch.
Built-in postal optimization. Direct USPS BMEU induction, in-house presort, NCOA hygiene, and CASS validation are all standard - not add-on services billed at markup. The result is that your in-home dates are typically 1 to 2 days faster than competitors who drop at a destination delivery unit and your postage is fully optimized to the lowest rate tier the cycle qualifies for under USPS Notice 123.
Pricing and how to get a quote
Pricing for SOC 2 transactional mail at MPA depends on the cycle volume, the document complexity (single-page vs multi-page, single-feed vs match-up), the inserts per piece, the suppression and exception rules, and the cycle cadence. The variable that most affects unit cost is volume per cycle: a 1,500-piece monthly cycle prices very differently per piece than a 50,000-piece monthly cycle.
The table below shows the cost drivers we model in a SOC 2 transactional mail quote. Per-piece numbers depend on every row together; we will not quote a per-piece rate without seeing the program's specifics.
| Cost driver | Effect on per-piece cost |
|---|---|
| Cycle volume | Higher volume drives lower unit cost (fixed setup spreads across more pieces) |
| Pages per piece | Multi-page work raises composition and inserter cost |
| Match-up complexity | Read-and-match adds inserter time |
| Inserts per piece | Each insert adds material cost and inserter time |
| Cycle cadence | Recurring cycles amortize setup; one-off jobs do not |
| First-Class vs Marketing Mail | First-Class postage runs higher per piece but lands faster |
| Suppression and exception rules | Custom rules add data processing time |
| BAA or SOC 1 mapping needed | Adds first-cycle setup time, not ongoing per-piece cost |
| Reporting cadence | Standard reports included; custom dashboards quoted separately |
Rather than quote a generic per-piece range that misleads either way, we run a real cost build for your specific program. Send us a sample data file (or anonymized sample), the document template (or a sample of the existing piece), the cycle cadence, and the SOC 2 / HIPAA / SOC 1 requirements. We come back with a per-cycle and per-year cost, an in-home window estimate, a BAA template if HIPAA applies, and a current SOC 2 Type 2 report under NDA.
For high-volume programs, we also run a postal optimization review to confirm the cycle is hitting the best rate tier it can qualify for under the current USPS rate schedule.
Request a SOC 2 transactional mail quote or call us at 863-687-6945 to start the conversation.
The bottom line for security and procurement teams
A SOC 2 Type 2 transactional mail vendor should be able to give you, on request: a current Type 2 report, a bridge letter, a system description, a control mapping, a HIPAA BAA where applicable, a data flow diagram, a retention and destruction schedule, an incident response plan, a subservice organization list, and a working contact who can answer questions about specific controls.
If a vendor cannot produce that packet, the procurement risk is not theoretical. The breach lands on you, not on them. The questionnaire fails in the audit cycle. The contract renewal stalls.
MPA can produce that packet, and the operational reality on the print floor matches the control set on paper because we have been running transactional mail for 35 years out of a single facility. Send us the program details and we will come back with a quote, a cycle calendar, and the audit packet your team needs to close the vendor review.
Start your SOC 2 vendor review
Send program specs, get the SOC 2 Type 2 audit packet under NDA, get a real cost build. Most reviews close inside 30 days.