DATAGRAPHIC LIMITED

DATAGRAPHIC HYBRID MAIL

A cloud-based Hybrid Mail hub for users to upload, print and post mailings directly from their device or via bulk transfer.
Quick to set up, fully configurable, allowing organisations to define user options such as templates, enclosures, postal service and transform documents for delivery via email and SMS.

Features

  • Same day mailing of communications with no minimum quantity
  • Documents produced for less than the cost of a stamp
  • Delivered and hosted by auditable UK ISO27001 organisations
  • Highly secure GDPR Compliant system, continuously pen tested
  • Real-time Management Information. Traceability to document level
  • Simple & secure data transfer: HTTPS, Print Driver, SFTP, API
  • Digital delivery options available through Secure Email or SMS
  • Quick set-up and user training process (live within 72 hours)
  • Automate workflows for repetitive documents and approval management
  • Email, telephone and live chat support with 100% approval rating

Benefits

  • Deliver immediate ROI – cost savings between 50% and 95%
  • IT Light, no software changes needed to buyers’ systems
  • Pay-as-you-go, no minimum or maximum volumes and postage optimisation.
  • Improve productivity – save 3-5 minutes staff time per document
  • Reduce waste – print letterheads, documents and enclosures on-demand
  • Streamline and standardise multi-channel communications with one platform
  • Supports your digital transformation agenda and transition to paperless
  • MI reporting and audit history of all documents sent
  • Enclosures library, can support large mailpacks with multiple inserts
  • Customisable user profiles, restricted mailing permissions and budget control

Pricing

£0.03 to £0.54 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gking@datagraphic.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

385941699770896

Contact

DATAGRAPHIC LIMITED Glyn King
Telephone: 01246 543011
Email: gking@datagraphic.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Hybrid Mail provides a production service extension to any document producing software. The API service allows a link between any existing document output/printing services.
No software is needed for it to work; it is a standalone service that clients upload to manually via the interface, through print driver, SFTP, API or via Health & Social Network.
Cloud deployment model
Private cloud
Service constraints
There are no constraints; the service is not limited to specific hardware or software configurations. Hybrid Mail is web based, so any user simply needs a device with an internet connection and a compliant browser to access it.
System requirements
  • Internet access and a compliant web-browser
  • Documents uploaded must be in Word or PDF format

User support

Email or online ticketing support
Email or online ticketing
Support response times
We provide a support email address that will automatically generate a ticket and response to the originator confirming receipt and ticket number. The request will be acknowledged within 5 minutes. The issue will be triaged, and the priority set, within 15 minutes and a resolution timescale fed back to the originator. The response times are the same at weekends. Any comments added to the ticket will automatically be sent back to the originator who can reply via email.

A full transcript is sent to the originator on resolution.

This service is available 8.30 – 5.30, Monday – Friday.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We use Zendesk Chat which has been fully tested as part of the WCAG 2.1 AA accreditation.
Onsite support
Onsite support
Support levels
You will be provided with a dedicated technical account manager who will be responsible for ongoing support and maintenance service updates. All support is provided by an experienced, UK based team. In addition, a service support desk is manned at Datagraphic between 8.30am and 5.30pm, Monday to Friday.

We provide support in a range of different methods and levels at no additional cost. We offer core training for typical every day users and advanced training for ‘super users’.
A Live Web Chat system is available within business hours to answer any user queries. There are tool tips on the site during the upload process, on key areas where users may need additional support. We have a ticketed support email address, as well as a dedicated telephone number for users to call.
We host remote support using TeamViewer software in order to see the user’s screen and guide them with any issues they may face.
There is an off-line indexed PDF user guide available for reference.
We can also support users with a Webex demo of the system where we can walk through steps taken by the users in necessary detail.
Where required we provide on-site support and training.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We have extensive experience of successfully implementing Hybrid Mail into organisations of a wide range of sizes, complexity and backgrounds over the past 8 years. To support this we provide onsite training, online training and user documentation. We begin with an online demo of the service to stakeholders, where we walk them through all aspects of the service in detail and discuss with them where they foresee any internal issues or areas that need specific focus. We then work with the stakeholders to draw up a training plan that best suits their employees.
Methods that have been successful in the past include online demonstrations to groups of users; “train the trainer”, whereby we train certain employees within the customer’s organisation to then train their own employees; on-site workshops, where we spend time with each department in detail, go through the system and learn their challenges; PDF user guides and videos; and online web chat and TeamViewer sessions with individual users.
We will ensure that all users are comfortable with the system before making live uploads.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Datagraphic comply fully with the GDPR’s right to data portability.
To extract data at the end of the contract, Datagraphic will always work closely with Data Controllers to supply their data back to them, when required, in an appropriate and mutually acceptable format. This will be handled in coordination with the technical account manager.
Datagraphic specialise in Data transformation and manipulation. This speciality lies at the heart of our ability to provide secure multimedia / format communication solutions.
Datagraphic pride themselves on their ability to interpret and represent data in a multitude of formats.
As such, Datagraphic are able to provide assurances that respective data can always be returned, when required, in a format as required by a Data Controller.
End-of-contract process
The secure return of any Client data and the disposal of data that is not required is included in the price. Through a dedicated single point of contact, Datagraphic work closely with Clients from the initial transfer meeting. The transfer plan will cover the following areas in respect of both parties:
• The allocation of personnel to assist in the transition of services
• Reporting channels
• Liaison between Datagraphic and new provider
• Responsibilities for approval of transfer project documentation
• Escalation procedures
In addition, both parties will agree that the transfer plan shall cover each party’s responsibilities for the provision of services:
• Up to and on the termination date
• During any parallel provision of services
• During the hand back period after the termination date
Responsibilities and obligations during transfer of:
• Operational documents, including customer records, artwork and addresses
• Purchasable relevant surplus stock
Datagraphic advise clients of the status throughout the process until the transfer.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Our Hybrid Mail service can be accessed and used on mobile devices. The difference between the mobile and desktop service is that the print driver cannot be used on mobile devices, so the mobile version is restricted to PDF upload only.
It has been fully tested on Android and iOS devices.

Administrators can also access the Hybrid Mail service and carry out all tasks that are available to them on the desktop service.
Service interface
Yes
Description of service interface
The Hybrid Mail portal has an Administrator user level which will allow the creation of users on an individual basis, or a bulk creation by uploading a csv file.
Administrators can also maintain the users, change access rights, reset passwords, reallocate departments.
Administrators can also create departments with a cost code that will pull through in all reports. Administrators are also able to upload digital resources to the portal and fine tune the access rights to specific departments and/or users.
Administrators have access to the reporting area where they can download csv reports and data from the Dashboard.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Conducted on a cross section of users during the initial development and is regularly tested.
API
Yes
What users can and can't do using the API
Submission of PDF data via the API will allow your operating system to interface directly with our Hybrid Mail system.
To set up, users can perform most posting and tracking actions via the API service for completely automated production. Documents can be uploaded to the system via the API and a document status retrieved for any uploaded document giving a real time update on where the document is within production. Statuses can be requested by individual references or as a batch.
Users can also perform actions via the API and make changes such as diverting or deleting documents and requesting a list of documents that have been returned by the postal carrier as an invalid address for audit purposes. Additionally, users can request the postage details of any document to assist with billing queries. There are limitations on how users can set up or make changes through the API which are defined by our security protocol and policies.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The service can be customised to meet buyer requirements. Our Hybrid Mail portals can be configured to incorporate various bespoke settings such as portal names, URL, pricing methods and the digital resource storage area.

During setup we can customise the portal look and feel with company logo, header and footer colours, menu bars, tables, text and backgrounds and font and text size. We can also set background images to appear both on the home page and in the upload steps seen by the users if required.

There are options for customisation of the upload process such as defaulting settings, applying permissions or budgets to specific users or departments and allocating digital letterheads and enclosures from the document library to specific departments.

Buyers can choose how a document is printed: in colour or mono, simplex or duplex, and on what stock. This includes white paper, letterhead stock and customised envelopes. Buyers can also request to send out a secure email or SMS, providing a closed-loop multi-channel experience for buyers’ recipients.

If required, automatic validations can be placed against letters for specific document types or users, and items can be rejected against quality parameters that are bespoke to each buyer.

Scaling

Independence of resources
Our Hybrid Mail system is designed to load balance to ensure that users are not affected by overall high demand on the service. We operate a multi-server platform to cater for this. We have a separate server for the front end, which is where users interface when uploading; a separate server for the automation system that runs the processing of the uploads and creates print output and metadata; and another database server that handles all of the logging, tracking and archive of the system.

Analytics

Service usage metrics
Yes
Metrics types
We provide Administrators with access to a Dashboard on the portal that shows them MI in graph and pie chart format based on their print specifications. This can be altered by date range and specified by number of letters, number of orders or by price.

Administrators can download a csv report that will provide detailed data within the date range specified for each upload made to their Hybrid Mail portal.
The report will include the serial number of the upload, total number of documents, total price, department code, the user, customer/account reference, the status of the order and timestamp.
Reporting types
  • API access
  • Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
• Physical access strictly controlled. Proximity-based access control system in operation. Staff access levels are role-based and granted on the principle of least privilege.
• A variety of encryption methods are used, based on the appropriateness of each to the situation.
• Database fields for web-facing systems are encrypted, where feasible.
• Company laptops & phones encrypted at system level, removing the risk of loss of confidentiality from lost or stolen laptops.
• Anti-Virus/Anti-Malware software in place throughout
• Heavily restricted Internet access. Only business-required and approved websites are accessible from our production networks.
• Vulnerable endpoints, USB, CDs and Wi-Fi etc, are disabled through software.
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export tracking information on their uploaded documents using data filters. The tracking export contains information on addresses, number of pages, postage status, production status and production reference. To assist with audit, tracking reports can be customised to include a limitless number of unique references such as Customer or Account number.
Additionally, copies of uploaded letters can be exported in PDF format.
Users can also export reports of documents that have been returned by the postal carrier as an invalid address for audit purposes, as well as MI data from the analytics dashboard for any given date range.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • JPEG
  • PNG
  • SVG
Data import formats
Other
Other data import formats
  • PDF
  • MICROSOFT WORD
  • RTF

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
• All Hybrid Mail related information that crosses public networks is encrypted.
• All Internet connectivity and file transfer with Hybrid Mail is encrypted via HTTPS using up-to-date HTTPS certificates.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Inbound Data is immediately and automatically moved into Datagraphic’s core network. Once Data arrives on the core network, it is isolated through logical and physical access controls. This ensures Data is only accessible to those who require access.
Automation workflows process the data files and the output of these workflows is then printed. Automation ensures that manual intervention is limited to exceptional circumstances.
The job is then automatically added to the Production Control System which ensures:
• Accountability at all stages of production
• Visibility and traceability of all jobs
• Real-time updates at every stage with automated status reporting

Availability and resilience

Guaranteed availability
The service is available 24/7/365 days of the year on dedicated servers with a 99.7% uptime SLA. Users are always pre-notified of any down-time and we can agree service credits in the unlikely event of not meeting guaranteed levels of availability.
Approach to resilience
Datagraphic have developed controls to address threats to the following business continuity scenarios:
• Server Hardware Failure
• Internet Connectivity Failure
• Network Failure
• Cooling Failure
• Electrical Supply Failure
• Production Device Failure
• Key Staff Unavailability

We continually invest to ensure critical systems and processes are resilient to failure. Investments to date include backup information processing facilities, associated technology and the skills required to enable resilience in the event of Business Continuity invocation.
Wherever feasible we’ve eliminated single points of failure, examples include:

• Eliminating single points of failure from IT Infrastructure
• Fully virtualising IT Infrastructure
• Daily system level backups of IT systems
• Multiple, diverse, Internet connections
• High Availability, High Capacity Network
• Two separate server rooms at main site
• Data rooms with resilient climate control systems
• Business-critical systems replicated to disparate hardware
• On-site maintenance staff that routinely service and maintain equipment
• On-site spares for all critical systems
• Critical systems protected from power loss by UPS
• On-site diesel generator keeps core services running during mains power failure
• Cross training key staff and recording procedural details
Outage reporting
Email alerts are sent prior to any scheduled downtime.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication
We operate a Domain wide password policy that enforces minimum complexity rules.
Remote access is provisioned via a 2 factor VPN mechanism that relies on the following 2 factors:
• Something you have: A valid unique TLS certificate specifically created for each user
• Something you know: A valid and unique user account and associated complex domain password for your active user account

Remote access is limited to a small subset of trained and trusted staff. Access is only possible through company-provided, system-level encrypted laptops used specifically for remote access.
Access restrictions in management interfaces and support channels
We aim to disable all non-essential services on web facing systems.
Internet facing application servers are configured on a standard build. This is a ‘hardened’ build that has undergone penetration testing and security review.
• Default passwords for system accounts are changed
• Default system accounts are disabled where possible

Default passwords for all hardware such as routers, firewalls and switches are changed.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
Management and administrative access is via the same interface. Only a limited subset of staff have management level access to Hybrid Mail and access can only be granted by the product team following validation checks.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQUAR (UKAS accredited)
ISO/IEC 27001 accreditation date
2008 and annually thereafter.
What the ISO/IEC 27001 doesn’t cover
Datagraphic is certified to the latest ISO 27001:2013 standard. An ISO 27001 certification has been held by Datagraphic every year since 2008.
The entire business is within the scope of the certification. The certificate is awarded by a UKAS approved accreditation body.
Datagraphic’s ISO 27001 reference number is: 2992.
At the heart of ISO 27001 lies the requirement for holistic Risk Assessment.
Based on Risk Assessments, controls have been implemented to reduce and mitigate risks associated with threats to the Confidentiality, Integrity and Availability of Information processing facilities.
• Confidentiality - ensuring that access to information is appropriately authorised
• Integrity - safeguarding the accuracy and completeness of information and processing methods
• Availability - ensuring that authorised users have access to information when they need it
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials
  • Cheque & Credit Clearing Company - C&CCC Standard 55
  • ISO 9001:2015
  • ISO 14001:2015
  • Xerox Premier Partner
  • NHS IG Toolkit

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our sites are developed to banking standards with all document data being processed, printed and hosted at secure UK ISO27001 accredited facilities. The minute-critical documents we send include sensitive personal and financial data, requiring robust and secure processes and infrastructure.

The information security policies and processes we follow include ISO 27001 audited security policies including (but not limited to): Information Security Policy, Physical Security & Asset Management Policy, Information Security Training and Awareness Policy, GDPR & Data Protection Policy, Compliance Statement, Business Continuity and Disaster Recovery Policy, Secure Systems Engineering Principles Policy, Recruitment and Screening Policies and organisational structure.

All Datagraphic employees are required to annually sign non-disclosure and confidentiality agreements along with the Information Security Policy. This is done alongside Information Security Training to acquaint staff with company policies, their responsibilities relative to them and any security procedures relevant to their work. Employees are trained on our detailed incident management process and told to report any potential or suspected security events or suspected security weaknesses to the CISO or their line manager.

Clients are also given a copy of our reporting structure as part of the standard onboarding process with descriptions of event classification, escalation protocol and contact details.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
All change requests are recorded and reviewed by the relevant expert authorities and Business Process owners before, if appropriate, being implemented. Risk Management, Back Out or Change Reversal plans are always considered before implementation of significant change requests.
We carefully choose when to implement change and how to then test that change has been successful. Our aim is to minimise disruption to our services when implementing change.
Change and version control mechanisms are in place and provided by a concurrent versioning system or “source safe”. This enables branching and concurrent development to occur in an efficient and safe manner.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
CST (Continuous Security Testing) is performed against Datagraphic’s entire internet facing digital estate. As opposed to a one-off assessment, CST is a continuous assessment of Datagraphic’s online assets. Regular vulnerability scanning is essential to maintaining a strong security posture.

Results are collated, and fixes prioritised by our Information Security function, prior to implementation by development teams. We then retest to ensure remediation.

Patches are applied ASAP during set operational hours, with appropriate technical staff available to support implementation.

Datagraphic are informed of High vulnerabilities as a priority by our dedicated security experts. Lower impact vulnerabilities are supplied through a monthly report.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
To identify potential compromises, CST (Continuous Security Testing) is performed against Datagraphic’s entire internet facing digital estate. As opposed to a one-off assessment, CST is a continuous assessment of Datagraphic’s online assets, which is essential to maintaining a strong security posture.

When responding, results are collated, and fixes prioritised by our Information Security function, prior to implementation by development teams. We then retest to ensure remediation.

Patches are applied ASAP to vulnerabilities during set operational hours, with appropriate technical staff available to support implementation.

User account activity is monitored, abnormal activity is flagged and reviewed by our Information Security team.
Incident management type
Supplier-defined controls
Incident management approach
We have pre-defined processes for common events, and our Incident Management process includes:
• Contact Data-Controller: Communicate incident details to customer without delay.
• Breach Remediation: Implement suitable protective controls.
• Residual Risk Evaluation: Review controls implemented for potential residual risk.
• Contact 3rd Party Specialist: Depending on nature of breach, it may be necessary to involve 3rd Party Specialist Information Security consultants (in consultation with affected parties).

Users can contact their Account Manager to report a potential or suspected breach; our CISO will be made aware.

An incident report will be completed and made available to the affected parties.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Pricing

Price
£0.03 to £0.54 a unit
Discount for educational organisations
No
Free trial available
No