Security and trust

SOC 2 Type 2. HIPAA-ready. Built for regulated verticals.

Healthcare networks, financial services brands, and franchise enterprises run on DirectMail.io. The security posture supports that reality: independently audited SOC 2 Type 2 infrastructure, BAA execution as part of standard onboarding for HIPAA-covered customers, CCPA/CPRA right-to-delete propagation across active campaigns, and the kind of audit logging and access scoping that enterprise procurement teams expect.

Certifications and compliance

Independently audited.

SOC 2 Type 2

Independently audited annually.

DirectMail.io maintains a SOC 2 Type 2 attestation covering the security, availability, processing integrity, confidentiality, and privacy trust services criteria. SOC 2 is an auditor's attestation report rather than a certificate, and that report is available to enterprise customers and prospects under NDA.

HIPAA-ready with BAA

For covered entities and business associates.

For healthcare customers handling Protected Health Information (PHI), DirectMail.io supports execution of a Business Associate Agreement (BAA) as part of standard onboarding. Platform configuration includes PGP-encrypted ingest, scoped access controls, audit logging, and retention policies that align with HIPAA requirements.

CCPA / CPRA compliant

Right-to-delete propagation across active campaigns.

Consumer privacy requests propagate to active campaigns and underlying recipient lists. Per-record suppression flows through the platform, and identity-resolution audiences respect deletion requests across coordinated channels.

GDPR posture

Standard contractual clauses available.

For European customers, DirectMail.io supports standard contractual clauses (SCCs) and the data subject rights documented in our Privacy Policy. Data is processed in the United States; cross-border transfer mechanisms are in place where applicable.

Engineering practices

How the platform handles your data.

  • Encryption in transit and at rest

    API and dashboard traffic is protected with TLS 1.2 or higher. SFTP ingest runs over SSH, so that path is encrypted by the SSH transport rather than TLS. Data at rest is encrypted with AES-256 across the platform infrastructure, including the SFTP layer and the database tier.

  • Per-account access scoping

    Account credentials and SFTP keypairs are scoped per account or per program. No credential is shared across accounts, and access logs are maintained for every authentication event.

  • Audit logging on every operation

    Every API call, dashboard action, and platform configuration change writes to an audit log with timestamp, calling key, and response payload. Audit logs are retained for the platform retention period and available for compliance review.

  • PGP-encrypted SFTP for sensitive ingest

    For healthcare, financial services, and other regulated verticals, the platform supports PGP-encrypted list ingest over SFTP. Lists are encrypted to the account's key before upload, so their contents stay opaque to the transport and to the SFTP endpoint itself. The platform manages keys per account and supports key rotation on a standard cadence.

  • Subprocessor management

    A current list of subprocessors is maintained and made available to customers under NDA. Material changes to the subprocessor list are notified to customers in advance per the Master Services Agreement.

  • Incident response and breach notification

    In the event of a security incident affecting customer data, DirectMail.io notifies affected customers within 24 hours of becoming aware of the incident, per Section 3.10 of the Terms of Service. Coordinated investigation and remediation follow.

Privacy regulations 2026

CCPA, CPRA, and the January 2026 CPPA rules.

  • Annual cybersecurity audit

    DirectMail.io commissions an annual cybersecurity audit covering technical safeguards, breach response procedures, and vendor due diligence — required by the CPPA regulations effective January 1, 2026 for businesses processing sensitive personal information at scale. Audit reports are available to enterprise customers under NDA on request.

  • Risk assessments before high-risk processing

    Every new use case involving identity resolution, automated decision-making, or other high-risk processing receives a documented risk assessment before launch — naming the risks, the mitigations, and the legal basis for processing. Risk assessments are reviewed annually and on material changes to the use case.

  • Automated Decision-Making Technology (ADMT) disclosures

    Where DirectMail.io's platform automates decisions about consumers (eligibility, pricing, offers shown), pre-use notices and opt-out paths are provided per the CPPA's ADMT rules. The platform supports cross-session opt-out propagation: an opt-out registered anonymously persists when the same identity later authenticates.

  • Global Privacy Control (GPC) signals honored

    Browser-level GPC signals are recognized as a valid opt-out request across all DirectMail.io pixel and tracking products. Visitors sending GPC are excluded from identity resolution, retargeting feeds, and any "sharing" under CCPA's definition.

  • Data processor agreements (DPA) standard

    DirectMail.io operates as a data processor (a service provider or contractor in CCPA terms) under a signed DPA, not as a third party that receives shared data. That legal posture matters for CIPA wiretap exposure, for whether a disclosure counts as "sharing" under the CCPA, and for downstream liability allocation. DPA execution is part of standard onboarding.

  • Right-to-know, right-to-delete, right-to-opt-out workflows

    Consumer rights requests under CCPA, CPRA, VCDPA (Virginia), CPA (Colorado), and similar state laws are processed within the regulatory deadlines — typically 45 days. Resolved identity records have an audit-tracked deletion workflow that propagates upstream and downstream of the platform.
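Two of the bullets above describe mechanisms rather than policy: treating a browser's GPC signal as an opt-out, and carrying an opt-out registered anonymously forward when the same visitor later authenticates. The block below is an added example, not DirectMail.io's code, showing how a tracking endpoint can do both. The GPC parts follow the public Global Privacy Control specification (request header `Sec-GPC: 1`, the client-side `navigator.globalPrivacyControl` boolean, and the `/.well-known/gpc.json` support resource); the use names, record shapes, registry, and sample traffic are assumptions made for the example.

```javascript
// Added example, not DirectMail.io code. Uses that CCPA treats as "sharing"
// (cross-context behavioural advertising) are suppressed for an opted-out
// visitor; first-party uses such as attributing a landing-page visit to the
// customer's own mailer are kept. The use names are assumed.
const SHARING_USES = new Set(["identity_resolution", "retargeting_feed", "third_party_share"]);

// True only when the user agent sent a valid GPC header. The spec defines the
// value as the single character "1"; "0", "true" or an absent header is not a signal.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client-side equivalent for a pixel script: browsers implementing GPC expose
// navigator.globalPrivacyControl as a boolean; others leave it undefined.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Opt-out registry keyed by whatever identifier is known for the visitor
// (a first-party cookie id before login, an account id after). Assumed shape.
class OptOutRegistry {
  constructor() { this.optedOut = new Set(); }
  record(id) { this.optedOut.add(id); }
  isOptedOut(id) { return this.optedOut.has(id); }
  // Cross-session propagation: once identity resolution links an anonymous id
  // to an authenticated one, an opt-out on either side applies to both.
  link(anonId, accountId) {
    if (this.optedOut.has(anonId) || this.optedOut.has(accountId)) {
      this.optedOut.add(anonId);
      this.optedOut.add(accountId);
    }
  }
}

// Process one pixel hit: decide which requested uses are permitted and emit
// an audit record (timestamp, calling key, decision) for the logging layer.
function processPixelHit(registry, hit) {
  const signalled = gpcSignalled(hit.headers) || gpcFromNavigator(hit.navigator);
  if (signalled) registry.record(hit.visitorId); // GPC is a standing opt-out request
  const optedOut = registry.isOptedOut(hit.visitorId);
  const permittedUses = hit.requestedUses.filter((u) => !(optedOut && SHARING_USES.has(u)));
  const audit = {
    ts: hit.receivedAt,
    callingKey: hit.apiKeyId,
    visitorId: hit.visitorId,
    gpc: signalled,
    optedOut,
    suppressed: hit.requestedUses.filter((u) => !permittedUses.includes(u)),
  };
  return { permittedUses, audit };
}

// Body served at /.well-known/gpc.json; lastUpdate is the ISO date the policy changed.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample traffic (not real data): one visitor sends GPC while
// anonymous and later logs in; the opt-out must follow the account.
const ANON = "cookie-7f3a";
const ACCOUNT = "acct-1001";
const USES = ["campaign_attribution", "identity_resolution", "retargeting_feed"];
const SAMPLE_HITS = [
  { receivedAt: "2026-01-15T10:00:00Z", apiKeyId: "key-demo", visitorId: ANON,
    headers: { "Sec-GPC": "1" }, requestedUses: USES },
  { receivedAt: "2026-01-15T10:00:05Z", apiKeyId: "key-demo", visitorId: "cookie-9c1d",
    headers: { "sec-gpc": "0" }, requestedUses: USES },   // not a valid signal
  { receivedAt: "2026-01-16T09:30:00Z", apiKeyId: "key-demo", visitorId: ACCOUNT,
    headers: {}, requestedUses: USES },                   // after login, no header sent
];

function runSamples() {
  const registry = new OptOutRegistry();
  const results = [];
  results.push(processPixelHit(registry, SAMPLE_HITS[0]));
  results.push(processPixelHit(registry, SAMPLE_HITS[1]));
  registry.link(ANON, ACCOUNT); // identity resolution ties the cookie to the account
  results.push(processPixelHit(registry, SAMPLE_HITS[2]));
  return results;
}
```

The third sample hit carries no GPC header at all, yet only the first-party use survives, because the registry, not the header, is the source of truth once the opt-out has been linked to the account. Matching only the exact value `1` avoids treating a broken or spoofed header as consent either way.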

Security FAQ

Questions enterprise security teams ask.

Short answers. For vendor security review packets, contact security@directmail.io.

  • Is DirectMail.io SOC 2 Type 2 certified?

    Yes. DirectMail.io maintains a SOC 2 Type 2 attestation, audited annually by an independent third-party auditor. The attestation covers the security, availability, processing integrity, confidentiality, and privacy trust services criteria. Because SOC 2 is an attestation rather than a certificate, the deliverable is the auditor's report, which is available to enterprise customers and qualified prospects under a mutual non-disclosure agreement.

  • Does DirectMail.io support a Business Associate Agreement (BAA) for HIPAA?

    Yes. For healthcare customers handling Protected Health Information, DirectMail.io supports execution of a Business Associate Agreement as part of standard onboarding. The platform infrastructure, encryption practices, access controls, and audit logging are configured to align with HIPAA requirements. BAA execution typically completes during the contracting phase before production data ingest begins.

  • How can we get the SOC 2 attestation report?

    Contact us at security@directmail.io with your company name, the names and titles of the reviewers, and confirmation that you can execute a mutual NDA. The report is shared securely under NDA. The platform infrastructure team can also schedule a security review call to walk through specific controls relevant to your evaluation.

  • How is customer data segregated?

    Customer data is logically segregated at every layer of the platform. Account credentials, SFTP keypairs, dashboard access, API keys, and database queries all enforce per-account scoping. There is no shared-tenant data store; per-account isolation is the default posture, not an upgrade tier.

  • What happens to customer data on contract termination?

    Per Section 4.1 of the Terms of Service, customer data is retained for 90 days after contract termination to support data retrieval requests. After the 90-day window, customer data is deleted from the platform. The retention period and the deletion process are auditable through the platform logging layer.

  • How does DirectMail.io handle subprocessors?

    DirectMail.io maintains a current list of subprocessors used to deliver the platform services (cloud infrastructure, postal data partners, identity-resolution providers, payment processors). The list is made available to customers under NDA. Material changes to the subprocessor list are notified to customers in advance per the governing Master Services Agreement, with the option to object before the change takes effect.

  • How are vendor security reviews handled?

    For enterprise security reviews, DirectMail.io provides: (1) the SOC 2 Type 2 attestation report under NDA, (2) responses to standard security questionnaires (SIG, CAIQ, custom), (3) a security review call with the platform infrastructure team, (4) the subprocessors list, and (5) BAA, DPA, and SCC documentation as applicable. Most enterprise reviews complete within 2-3 weeks of intake.

Ready for security review?

Email security@directmail.io with your company name, the names of the reviewers, and confirmation that you can execute a mutual NDA. We will send the SOC 2 report and schedule the security review call.