Shutterfly Business Solutions

Updated security standards for transactional mail

Transactional mail and security go hand in hand. The contents of a mailing must always be protected. Even a small data breach can diminish brand credibility and customer loyalty. What’s more, a breach can cost a small fortune to correct or rectify.

In 2023, the data privacy standards for transactional mail have stayed intact. What has changed is the security protocols at Shutterfly Business Solutions. 

We handle millions of transactional mail pieces yearly for financial, healthcare, and insurance clients. Our services include printing and mailing invoices, explanations of benefits, account statements, and more. As you’d expect, the contents of those mailings include personally identifiable information (PII) and personal health information (PHI). In other words, it’s critical data. That’s why we continue making improvements that increase security.

How does Shutterfly Business Solutions keep your transactional mail secure? We take a layered approach. Today, we’ll review the data safety standards Shutterfly Business Solutions meets, the certifications we have achieved, and what we are doing in the future to ensure your data is safe in our care.

What is SOC 2 compliance and why does it matter?

SOC stands for System and Organization Controls, as defined by the American Institute of Certified Public Accountants. Ultimately, SOC is a suite of specific reports created during an audit. 

You might be wondering what accountants have to do with security. The answer is quite a lot. 

To avoid confusion: SOC 1 reports focus on financial controls. What we are focusing on is SOC 2. It addresses data availability, security, processing integrity, confidentiality, and privacy. At its core, SOC 2 is an audit of systems and protocols. For many, SOC 2 is the go-to choice for demonstrating cybersecurity and privacy capabilities.

During a SOC 2 audit, Shutterfly Business Solutions details its security systems and policies to a third-party auditor. Afterwards, the auditor creates a report that deems Shutterfly Business Solutions SOC 2 compliant. 

Insisting that your transactional mail partner be SOC 2 compliant is an easy-to-reference safeguard against data breaches and information leaks.

What’s new — Shutterfly Business Solutions improves its SOC 2 compliance

Shutterfly Business Solutions’ primary transactional mail production facility has always been SOC 2 compliant. Recently, we made significant changes to expand and improve our methods. 

Previously, only a portion of our production floor was SOC 2 compliant. Now, our entire facility, from the front lobby to the back wall of the production area, is SOC 2 compliant. 

Why did we do this? The changes give us more space, opportunity, and staff flexibility to meet our partners’ needs. It wasn’t easy, or inexpensive. We invested heavily in increased staff training and made procedural and facility changes to better serve the needs of transactional mail customers. That kind of action is how Shutterfly Business Solutions became a trusted partner with more than two decades of meeting the highest expectations and a track record of handling billions of successful communications.

What is HIPAA compliance for transactional mail?

Healthcare was among our first industry partners and remains one of our largest. If you work with healthcare data, you must meet all Health Insurance Portability and Accountability Act (HIPAA) standards. Compliance is not optional; there is no alternative.

HIPAA is the United States federal law that regulates how personally identifiable information maintained by healthcare companies must be protected. For transactional direct mail, that includes limiting the uses and disclosures that can be made without an individual’s authorization.

If a company is SOC 2 compliant, they also meet HIPAA requirements. 

What are HITRUST certified companies for transactional mail?

Beyond SOC 2 and HIPAA compliance is HITRUST Certification. It is (for many) the ultimate level of data security and privacy standards. 

HITRUST provides a Common Security Framework (CSF) for scalable risk management. Developed by the non-profit HITRUST Alliance, it provides a set of controls that improve the security and privacy of information. HITRUST certification accounts for many factors, including:

  • Access control
  • Data protection
  • Incident management
  • Risk management

To build a deeper knowledge of HITRUST certification, please visit the HITRUST Alliance website.

Being HITRUST certified means an organization maintains its compliance with standards that guard against data and privacy breaches, efficiently and consistently. The HITRUST CSF draws on nationally and internationally accepted security and privacy regulations, standards, and frameworks, including:

  • International Organization for Standardization (ISO)
  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • General Data Protection Regulation (GDPR)

The HITRUST CSF standardizes those requirements, providing clarity and consistency. It also reduces the burden of compliance.

Data privacy risks of returned transactional mail

What happens when sensitive information can’t be delivered? It’s an important question. 

At Shutterfly Business Solutions, all mail lists are cross-referenced with the National Change of Address (NCOA) database, which keeps track of permanent changes of address for individuals, families, and businesses.

Next, we cross-reference the mail list again with the Coding Accuracy Support System (CASS). Powered by the United States Postal Service, CASS evaluates the accuracy of software that corrects and matches street addresses.

Those two steps ensure very few pieces of transactional mail go undelivered. Still, every system has flaws. That’s why Shutterfly Business Solutions has a third layer of protection. 

We add Intelligent bar codes (IBC) to all transactional mail pieces. Contained within the IBC is a service-type ID. This addition instructs the United States Postal Service on what to do with any undelivered mail. Often, the service-type ID will provide the return address for undelivered mail, which is usually a secure mail destruction facility. After that, Shutterfly Business Solutions notifies our partner and USPS about the invalid address so corrections to the mailing list can be made.

The chain of custody — secure data handling and archiving

For transactional mail, the chain of custody defines who holds data, what data is held, when they hold it, and where. It’s a critical framework that helps mitigate data breaches and identify where issues occur.

The chain of custody is unique to our partners’ workflows and protocols. The exact details are kept private, including how data is received, used, and archived. However, there are some general concepts about the chain across our partnerships.

First, no data is ever archived at a Shutterfly Business Solutions facility. It can be stored in several places, just not with us physically. No hacker or thief will ever find a drive with PII or PHI archived on it at a Shutterfly Business Solutions location.

Second, most PII and PHI data is only in our hands for about 1 hour. We pull it, print it, and remove it from our systems rapidly to minimize the risk of breaches. 

Third, should our transactional mail facility ever go out of operation, Shutterfly Business Solutions has predetermined contingency (failover) plans in place. We redirect your transactional mail production to another facility with the same or higher security standards. Our planning keeps delays within transactional mail operations to a minimum.

Know the hallmarks of secure transactional mail

SOC 2, HIPAA, and HITRUST cover most needs for transactional mail. Some industries with extremely specific types of mailings need unique forms of compliance and certification. For example, mailing credit cards requires a company to be PCI DSS (Payment Card Industry Data Security Standard) compliant. 

Shutterfly Business Solutions can meet all of your security needs for transactional mail. We can handle nearly all forms ourselves, or, in certain situations, turn to our hand-picked and diligently vetted partner network. 

Ultimately, the tenets of a secure transactional mail program include:

  • Appropriate certifications or compliance to set standards
  • Undelivered mail protocols
  • Defined chain of custody
  • Secure archiving protocols
  • Failover planning

Account for all of the above, and you’ll have established a secure and reliable transactional mail program. 

Improve your results with Shutterfly Business Solutions for transactional mail

Transactional Mail presents a powerful opportunity for your brand. When optimized, it creates a competitive business edge that builds trust, security, and confidence. 

Powerful as it is, transactional mail is just one solution. Shutterfly Business Solutions has thousands more ready to share. Using our expertise, scalability, nationwide presence, and the massive Shutterfly platform will maximize your communications. Let’s discuss how Shutterfly Business Solutions can improve your overall engagement in business gifting, direct mail, transactional mail, greeting cards, and books.

Capitalize on Shutterfly Business Solutions resources and workflows to solve your communication challenges.
