Security First

A Security-First Operation — Not a Bolted-On Policy.

Dove handles regulated, statutory, financial, and healthcare communications data every day. Our security program is independently assessed against the NIST Cybersecurity Framework 2.0 at Tier 3 (Managed) maturity — and built into how we operate, not delegated to a third-party MSP.

Request Security PacketSee Frameworks

Frameworks & Compliance Mappings

NIST CSF 2.0
Tier 3 — Independently Assessed
SOC 2
Aligned · Security & Availability
HIPAA
PHI-Aware Processing
PCI
Card-Adjacent Controls
GLBA / FCRA
Financial & Screening Mappings

Core Security Controls

Six Pillars of Our Posture

Independently assessed against NIST CSF 2.0 at Tier 3 (Managed) maturity, with the technical controls every enterprise security team expects — and a few that print-and-mail-specific environments demand.

NIST CSF 2.0 — Tier 3 Managed

Independently assessed against all five NIST functions (Govern, Identify, Protect, Detect, Respond, Recover). Tier 3 means risk-informed, managed, and improving — not ad-hoc.

Encryption At Rest & In Transit

AES-256 for data at rest; TLS 1.2+ in transit. SFTP and MFT for file movement, with optional PGP encryption layered on top of the transport channel.

Multi-Factor Authentication

MFA enforced on all administrative, remote, and privileged access paths. Hardware-token options available for high-sensitivity roles.

Periodic Penetration Testing

Independent third-party penetration testing on a recurring cadence — internal, external, and application-layer. Executive summaries available to clients under NDA.

Single Sign-On & Identity

SAML / OIDC SSO for internal applications. Role-based access control with least-privilege defaults. Quarterly access reviews with documented attestation.

Vulnerability Management

Continuous scanning, prioritized patching SLAs by severity, and SIEM-monitored telemetry across endpoints, network, and production systems.

Beyond the Network

Physical Security & Chain of Custody

We move paper. Cybersecurity protects the data; physical security and barcode integrity protect the document from print to envelope to mailbox.

Physical Security

  • RFID-controlled access at every facility entry point — including dock doors and the mailing floor
  • 24/7 video surveillance across production, finishing, mailing, and dock areas
  • Visitor escort and time-limited access logging; no unbadged movement inside production
  • Locked, monitored materials storage with restricted access by job
  • Owned trailers and direct USPS trailer induction — no third-party drop-shipper handoff
  • Climate-controlled production floor; segregated rooms for regulated jobs

Barcode-Driven Chain of Custody

  • Barcoded match between data record, printed document, and physical envelope
  • Camera-verified insertion confirms the right document went into the right envelope
  • Piece-level audit trail retained for each job — reconcilable on demand
  • Reject-and-reprint workflow keeps integrity defects out of the mailstream
  • Postal-grade IMb tracking for delivery confirmation
  • End-to-end traceability from data intake to USPS trailer induction

Data Lifecycle

From Intake to Destruction

Sensitive data has a lifecycle, not a single moment. Every stage is engineered to leave evidence and to leave nothing behind.

01

Intake

Encrypted SFTP / MFT with dedicated client landing zones, PGP-encrypted payloads, and integrity-checksum verification on every file.

02

Processing

Segregated environments per program. Role-based access with least-privilege defaults. Every transformation is logged and reconcilable.

03

Production

Barcode-matched print, insert, and mail. Camera-verified integrity. Owned logistics induction at USPS — no third-party drop-shipper gap.

04

Retention

Client-specified retention windows. Encrypted backups, access-controlled archives, and audit-ready evidence for each job.

05

Secure Destruction

Cryptographic erasure of digital artifacts; NAID-aligned shredding for physical materials. Certificate of destruction available on request.

Personnel Security

  • Background-checked staff across production, data, and administrative roles
  • Confidentiality agreements signed by every employee and contractor
  • Annual security & privacy awareness training, with role-specific tracks for data ops
  • Documented offboarding — access revoked on separation, materials reclaimed
  • In-house security and software teams sit on the same floor as operations

Vendor & Sub-Processor Risk

  • No MSP delegation — security and IT are owned and accountable inside Dove
  • Third-party reviews for any vendor touching client data — attestations on file
  • Maintained sub-processor inventory available to clients under NDA
  • Owned logistics: trailers, induction, and final-mile dispatch are Dove-operated
  • RapidRatings Gold Badge — Top 20% Supplier (financial health verified)

Resilience

Incident Response & Continuity

Incident Response

  • Documented incident response plan with named owners and escalation paths
  • Defined breach notification SLA aligned to contractual and statutory windows
  • SIEM-monitored environment with retained logs for forensic reconstruction
  • Periodic tabletop exercises across IT, operations, and executive teams

Business Continuity & DR

  • Documented business continuity and disaster recovery plan, reviewed annually
  • Backup power and redundant network on the production floor
  • Owned trailers and equipment cross-trained operators — capacity is portable, not single-threaded
  • Encrypted, geo-separated backups with tested restore procedures

Independently Recognized

Verified by Third Parties

NIST CSF Tier 3 — Independently Assessed
NIST CSF 2.0
Tier 3 Managed
RapidRatings Gold Badge — Top 20% Supplier
RapidRatings Gold
Top 20% Supplier · H1 2026
NMSDC Certified Minority Business Enterprise
NMSDC MBE
Certified Minority Business Enterprise

For Procurement, Security & Audit Teams

Request the Security Packet

A single bundle that answers most enterprise procurement and security review checklists in one go — delivered after a brief NDA, usually within one business day.

  • NIST CSF 2.0 independent-assessment attestation letter
  • SIG-Lite / CAIQ pre-fill (security questionnaire response)
  • Latest penetration test executive summary
  • Incident response and breach notification overview
  • Business continuity / disaster recovery summary
  • Sub-processor inventory (under NDA)
  • Insurance certificate (COI) on request
Request the Packet

How We Operate

More on Our Operating Approach

Dove Direct operations team meeting

Operating Model

Every stage of the production cycle in-house — one operational owner from data intake to USPS trailer.

Learn more
Enterprise rack server infrastructure powering Dove Direct operations

Technology & Infrastructure

Secure file transfer, automated workflow orchestration, and barcode-driven integrity controls.

Learn more
Dove Direct IT and infosec team member at his workstation

Data Operations

Secure intake, validation, NCOA/CASS, and rules-based processing for sensitive and regulated data.

Learn more