
Three Logos on Every ITAD Website. Here's What Each One Means.

R2v3, e-Stewards, and NAID AAA get treated as interchangeable seals of approval. They aren't — they're run by different bodies, audit different things, and answer different questions. What each covers, where they differ, and how to verify one in five minutes.

By Brian Boynton

TL;DR

R2v3 (run by SERI) and e-Stewards (run by the Basel Action Network) are whole-facility responsible-recycling standards with different philosophies — flexible-but-accountable vs. prescriptive, Basel-aligned. NAID AAA (run by i-SIGMA) certifies the data-destruction operation itself, with scheduled and unannounced audits. They answer different questions, and serious processors hold more than one.

  • R2v3: responsible reuse and recycling with process-specific appendices and downstream accountability.
  • e-Stewards: the strictest export posture — built on Basel Convention compliance — and it requires NAID AAA plus ISO 14001 or RIOS as components.
  • NAID AAA: operational data-destruction controls — personnel, processes, custody — verified by announced and unannounced audits.
  • Verify by number, not logo: each program publishes a directory of certified facilities.

01 / THE MAP
Three standards, three governing bodies, three questions

The fastest way to un-blur the logos is to name what question each one answers:

The three certifications at a glance

| | R2v3 | e-Stewards | NAID AAA |
|---|---|---|---|
| Run by | SERI (Sustainable Electronics Recycling International) | Basel Action Network (BAN) | i-SIGMA (the information destruction industry association) |
| The question it answers | Is this facility a responsible electronics reuse & recycling operation, with accountable downstreams? | Is this facility environmentally and socially rigorous — including Basel-aligned export behavior? | Does this operation destroy data under audited security controls? |
| Scope | Whole facility & process flow, with appendices per activity (data sanitization, test & repair, brokering, etc.) | Whole facility & downstream chain, with prescriptive requirements | The destruction operation itself: people, process, custody, verification |
| Audit model | Accredited third-party certification bodies, surveillance audits | Accredited third-party certification bodies | Scheduled and unannounced audits |
| Current form | R2v3 (2020), successor to R2:2013 | Version 4.1 (published February 2022) | NAID AAA (continuously maintained) |

History in one line each: R2 emerged from an EPA-convened multi-stakeholder process in the late 2000s, and SERI now administers its third generation, R2v3. e-Stewards was created in 2009 by BAN — the watchdog group whose investigations of exported e-waste made “responsible recycling” a market demand in the first place. NAID AAA comes from the information-destruction industry's association (NAID, now part of i-SIGMA) and predates both in its focus on destruction operations.

02 / R2v3
R2v3: flexible framework, accountable downstreams

R2v3 is the most widely held of the three and the one most enterprise RFPs name first. Its core mechanics:

  • Core + appendices. Every certified facility meets a common core (legal compliance, EHS management, data security fundamentals, tracking throughput); specific activities — data sanitization, test and repair, specialty electronics reuse, materials recovery, brokering — each add a dedicated appendix with its own requirements. Reading which appendices a facility is certified for tells you what it's actually authorized to do.
  • Downstream accountability. R2v3 requires facilities to qualify and document the downstream vendors that receive their material — the anti-pattern it exists to kill is “certified front door, mystery back door.”
  • Focus materials. Materials of concern (mercury devices, batteries, CRT glass, and the like) get managed under a hierarchy of responsible options with documented flows.
  • Data security. R2v3's data appendix aligns sanitization with recognized standards (the NIST 800-88 family) and requires verifiable processes — strong, though data destruction is one appendix among several rather than the standard's whole reason for existing.

Philosophically, R2v3 is a flexible standard: it defines outcomes and accountability and lets operations demonstrate conformance in ways that fit their model. Critics frame that as softer than e-Stewards' prescriptions; defenders frame it as why R2v3 scaled to the majority of the certified market.

03 / E-STEWARDS
e-Stewards: the prescriptive, Basel-anchored standard

e-Stewards is best understood through its parentage: BAN built the program to make its Basel Convention position enforceable by market pressure. The standard's distinguishing features:

  • Export posture. e-Stewards requires conformance with the Basel Convention's rules on transboundary movement of hazardous e-waste regardless of where the facility sits — the practical effect is a prohibition on exporting hazardous electronic waste from developed to developing countries. This is the sharpest single difference from R2v3, which permits documented, controlled exports in more circumstances.
  • Composite requirements. The current Version 4.1 (published February 22, 2022) is built on an environmental management system — certified facilities must hold ISO 14001 or RIOS — and, since mid-2022, must hold NAID AAA for data security. In other words, one of the three logos in this comparison literally contains another.
  • Prescriptive uniformity. Where R2v3 flexes to the operation, e-Stewards prescribes: consistent rules across facilities, with social criteria (e.g., prohibitions on prison and coerced labor) alongside the environmental ones.

Honest disclosure, since this page is published by an ITAD provider: CyberCrunch holds R2v3, NAID AAA, RIOS, and PA DEP permits — not e-Stewards. Plenty of excellent processors make the same choice (the overlap with R2v3 + NAID AAA + RIOS is substantial and the certification stack is expensive to duplicate), and plenty of excellent processors choose e-Stewards instead or as well. What matters for a buyer is that the certifications a vendor claims are real, current, and scoped to the services you're buying — which is the verification section below.

04 / NAID AAA
NAID AAA: the destruction operation, audited — sometimes unannounced

NAID AAA is narrower and deeper than the other two: it certifies the information destruction operation, whatever the media — drives, tapes, paper, and beyond. Its requirements are operational to the point of being granular:

  • Personnel controls: background screening and drug testing of the people who touch data-bearing material.
  • Process controls: defined destruction methods and particle/output specifications by media and endorsement, written procedures, and verification.
  • Custody controls: access control, transport security, and documented chain of custody through destruction.
  • The audit model that sets it apart: facilities are subject to scheduled and unannounced audits — the certification is designed around the idea that a destruction operation should be inspection-ready on any given Tuesday, not just renewal week.

NAID AAA is the certification most directly aimed at the question a security or compliance officer is actually asking — “will the data be destroyed, provably, by controlled people in a controlled process?” It's also why e-Stewards chose to incorporate it outright and why sophisticated buyers treat R2v3 + NAID AAA together as the pragmatic baseline: environmental and downstream accountability from one, destruction-operation rigor from the other. (CyberCrunch has held NAID AAA since 2012.)

05 / VERIFY
Verify by number, then match the certification to your risk

Every one of these programs publishes a directory of certified facilities — SERI's for R2v3, e-Stewards' for its processors, i-SIGMA's for NAID AAA. Verification is a five-minute exercise: get the certificate number and facility name from the vendor, find them in the issuing body's directory, and confirm the scope covers the services and the specific facility you're using. A logo on a website is a graphic; a directory entry is a fact. (The 30-second version of this argument is our Logo Test episode; the two-minute structured version is the due-diligence scorecard.)

Choosing what to require comes down to your dominant risk:

  • Data risk dominant (regulated data, CMMC/HIPAA/GLBA scope): require NAID AAA on the destruction operation, with R2v3 or e-Stewards covering the facility and downstream.
  • Environmental/ESG risk dominant (public sustainability commitments, export sensitivity): weigh e-Stewards' Basel posture or R2v3's documented downstream accountability, and ask for the downstream documentation either way.
  • Both — which is most enterprises: the combination is the answer, not a coin flip between logos. Our vendor due-diligence guide gives the full evidence checklist to run against any candidate.

Certification FAQ

Which one is “best”?

They answer different questions. NAID AAA is deepest on destruction operations; e-Stewards is strictest on exports and environmental prescription; R2v3 is the most widely held whole-facility standard with strong downstream accountability. For most enterprise buyers the practical requirement is a combination — commonly R2v3 plus NAID AAA — not a single winner.

Does e-Stewards really include NAID AAA?

Yes. e-Stewards Version 4.1 requires certified processors to hold NAID AAA for data security (in force since mid-2022), alongside ISO 14001 or RIOS as the environmental management system. An e-Stewards processor therefore holds NAID AAA by definition; the reverse is not true.

What happened to R2:2013?

Superseded. SERI released R2v3 in 2020 as the standard's third generation, and the industry transitioned off R2:2013 in the years after — current, valid R2 certification means R2v3. Marketing that still says “R2:2013” is a due-diligence flag; check SERI's directory.

Where does RIOS fit — is it a competitor?

No — RIOS is an integrated quality/environmental/health-and-safety management system standard for recyclers, playing the role ISO 9001/14001/45001 play. e-Stewards even accepts it as its EMS component. A processor holding RIOS alongside R2v3 and NAID AAA is stacking a management system under its certifications, not collecting a rival logo.

How do I verify a certification in practice?

Get the certificate, its number, and the certified facility address; confirm the listing in the issuing body's public directory (SERI, e-Stewards, i-SIGMA); check it's current, scoped to the services you're buying, and issued for the facility processing your material. Certification is per site — “our other location is certified” is not coverage.