Vendor Selection · Certifications · Pricing · Contracts

The ITAD Buyer's Guide: Choosing a Disposition Vendor You Can Defend in an Audit

Every ITAD vendor has trucks, a website, and the word “secure.” What separates them is the quality of the evidence they leave behind — and that's only visible if you know where to look. This guide is the full selection process: certifications decoded, pricing models compared honestly, the sixty-second test that sorts the field, and the contract terms that make diligence enforceable.

Reading time: ~24 min · Updated: June 12, 2026 · Author: Brian Boynton · Pairs with: The Vault's DDQ & RFP templates

TL;DR

Choose an ITAD vendor the way you would choose an audit firm, not a freight carrier — you are buying the quality of defensible evidence, with logistics attached.

  • Certifications each cover one slice: NAID AAA (the destruction operation), R2v3 (recycling and downstream accountability), ISO (management systems) — none covers everything.
  • Every pricing model creates incentives; "free" pickup is the most expensive option in the industry.
  • The one-document test: ask for a sample certificate of destruction first — it sorts the field in sixty seconds.
  • Lock diligence into the contract — audit rights, serialized certificates, and downstream accountability.
Section 01

What you're actually buying

An ITAD vendor isn't a hauler with paperwork. It is an extension of your evidence chain: whatever your auditor, assessor, regulator, or breach-response counsel eventually asks about retired equipment, the answer will be built from your vendor's records. You are buying the quality of those records, with logistics attached.

That framing changes the evaluation. Trucks, pricing, and pickup speed are commodities; nearly everyone in the industry has them. The differentiators are the things you only test when something goes wrong: whether certificates reconcile to serials, whether custody documentation has gaps, whether the downstream chain is disclosed and audited, whether insurance is real, and whether the vendor's incident posture protects you or just them.

This guide is the full selection process — certifications decoded, pricing models compared honestly, the due-diligence sequence, contract terms, red flags, and a scoring framework — written so a procurement team can run it without becoming destruction experts first.

Bottom line

Evaluate ITAD vendors the way you'd evaluate an audit firm, not a freight carrier. The deliverable is defensible evidence; everything else is how it arrives.

Section 02

Certifications, decoded

Certification logos are the industry's shorthand — and they're frequently misread. Each one certifies a specific slice of the operation; none certifies everything. Here's what each actually covers:

| Certification | What it certifies | What it doesn't |
|---|---|---|
| NAID AAA | The destruction operation: vetted and screened personnel, audited procedures, verified destruction methods per media type, unannounced audits. Endorsements specify which media (hard drives, SSDs, etc.). | Downstream recycling, environmental handling, or what happens to materials after destruction. |
| R2v3 | The recycling and reuse chain: data security requirements, downstream vendor accountability through every tier, focus-materials handling, environmental and worker safety management. | The destruction operation's procedures in the NAID sense; R2v3 is a recycling standard with data appendices, not a destruction audit regime. |
| e-Stewards | An alternative recycling standard with strict export prohibitions; favored by some sustainability-driven buyers. | Same gap as R2v3 on the destruction-operation side. |
| ISO 14001 / 45001 | Environmental and occupational-safety management systems: the existence of a managed process. | Anything specific about data destruction quality. Useful supporting signal, never sufficient alone. |
| State registrations (e.g., PA DEP) | Lawful operation as a processor/recycler in the jurisdiction. | Quality of anything. It's a license, not an endorsement. |

The pattern to demand: NAID AAA plus R2v3 (or e-Stewards) together — one standard auditing the destruction, one governing the downstream. A vendor holding only a recycling certification has an unaudited destruction operation; a vendor holding only NAID has an unaccountable downstream. Then verify rather than trust: certifications are searchable in the issuing bodies' public directories, and current certificates should arrive with the proposal. Expired, "in process," and "equivalent" are all spelled no.

Section 03

Pricing models — and what each one incentivizes

ITAD pricing confuses buyers because the money flows both directions: you pay for services, and equipment value flows back. Every model is a different split of that two-way flow, and each creates its own incentives.

| Model | How it works | Watch for |
|---|---|---|
| Per-device / per-service fee | Fixed fees per asset processed, by service (destruction, wipe, logistics). Predictable, easy to budget. | Whether remarketing proceeds come back to you at all, and at what share. |
| Per-pound | Weight-based pricing, common for scrap-heavy loads. | Treats a loaded server and a bag of cables identically; invites value leakage on remarketable assets. |
| Value-share / revenue split | Vendor remarkets viable equipment; proceeds split per an agreed percentage, often offsetting service fees. Net cost can reach zero or positive. | Settlement transparency: per-asset resale reporting, audit rights on pricing, and how non-functional units are decided and documented. |
| "Free" pickup | No invoice; the vendor monetizes the equipment. | Everything. No paperwork, no certifications, and your data subsidizing the model. The most expensive price in the industry. |

The structural question to ask of any model: where does equipment value go, and how is that visible to me? A fee-only vendor remarketing your assets silently is charging you twice. A value-share vendor with vague settlement reporting is a fee-only vendor with better marketing. The honest configurations all share one trait — per-asset settlement statements you can reconcile.

Comparing proposals: normalize to net program cost — fees minus credible recovery — over a year of your actual volume and mix, not the headline per-drive rate. A higher destruction fee with real settlement transparency routinely beats a cheap rate with no value return.

Section 04

The one-document test

Before the RFP, before the site visit, before a single reference call: ask every candidate for a sample certificate of destruction. One document, sixty seconds of review, and most of the field self-sorts.

What the sample must show: each device identified by serial number (and ideally make/model), the sanitization or destruction method named against NIST 800-88, verification that the operation succeeded, and the operator, facility, and date. That's a certificate your auditor can reconcile against inventory.

What disqualifies: aggregate descriptions ("one lot of assorted hard drives — destroyed"), missing method or verification language, or a vendor that needs days to produce a sample of its own standard deliverable. An aggregate certificate cannot answer the only question that ever matters later — was this specific device destroyed? — which makes it a receipt, not evidence.

Bottom line

The sample certificate is the cheapest due-diligence step that exists, and the most predictive. Run it first and spend your real evaluation effort only on vendors that pass.
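As an added example (not part of the guide, and not any vendor's tooling), the following Python script performs the reconciliation this section describes: it checks each certificate line for the fields listed above (serial, a method named against NIST 800-88, verification, operator, facility, date), matches lines to your manifest by serial, and answers the per-device question an auditor actually asks. The manifest, the certificate records and their field names are constructed for illustration; a real certificate export will have its own schema.

```python
"""Reconcile a serialized certificate of destruction (CoD) against an asset manifest.

Added example, not part of the original guide and not a vendor tool. Field names,
the sample manifest and the sample certificate records are constructed for
illustration; a real CoD export will have its own schema.
"""

# Constructed manifest: what your ITAM system says left the dock.
MANIFEST = [
    {"serial": "WD-SN-0001", "model": "WD Blue 1TB HDD"},
    {"serial": "WD-SN-0002", "model": "WD Blue 1TB HDD"},
    {"serial": "SAM-SN-0003", "model": "Samsung 870 EVO SSD"},
    {"serial": "SEA-SN-0004", "model": "Seagate 2TB HDD"},
    {"serial": "SAM-SN-0005", "model": "Samsung 980 NVMe"},
]

# Constructed certificate records: one line per device, plus one aggregate line
# of the kind the guide calls a receipt rather than evidence.
CERTIFICATE = [
    {"serial": "WD-SN-0001", "method": "Shred, NIST SP 800-88 Destroy", "verified": True,
     "operator": "J. Doe", "facility": "Plant 1", "date": "2026-05-30"},
    {"serial": "WD-SN-0002", "method": "Shred, NIST SP 800-88 Destroy", "verified": True,
     "operator": "J. Doe", "facility": "Plant 1", "date": "2026-05-30"},
    {"serial": "SAM-SN-0003", "method": "Shred, flash-rated, NIST SP 800-88 Destroy",
     "verified": False,  # destruction claimed, success never verified
     "operator": "J. Doe", "facility": "Plant 1", "date": "2026-05-30"},
    {"serial": "SEA-SN-0004", "method": "Degaussed", "verified": True,  # no NIST reference
     "operator": "", "facility": "Plant 1", "date": "2026-05-30"},  # operator missing
    {"serial": "", "method": "Destroyed", "verified": True,  # aggregate line, no serial
     "operator": "J. Doe", "facility": "Plant 1", "date": "2026-05-30",
     "description": "one lot of assorted hard drives"},
    {"serial": "UNK-SN-9999", "method": "Shred, NIST SP 800-88 Destroy", "verified": True,
     "operator": "J. Doe", "facility": "Plant 1", "date": "2026-05-30"},  # not on manifest
]

REQUIRED_FIELDS = ("operator", "facility", "date")


def record_defects(rec):
    """Return the reasons a single certificate line fails the guide's checklist."""
    defects = []
    if not rec.get("serial"):
        defects.append("aggregate/no serial")
    if "800-88" not in rec.get("method", ""):
        defects.append("method not named against NIST 800-88")
    if not rec.get("verified"):
        defects.append("no verification of success")
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            defects.append(f"missing {field}")
    return defects


def reconcile(manifest, certificate):
    """Match certificate lines to manifest serials and collect every gap an auditor would ask about."""
    manifest_serials = {row["serial"] for row in manifest}
    cert_serials = {rec["serial"] for rec in certificate if rec.get("serial")}
    defects = {}
    for i, rec in enumerate(certificate):
        found = record_defects(rec)
        if found:
            defects[rec.get("serial") or f"line {i + 1}"] = found
    return {
        "matched": sorted(manifest_serials & cert_serials),
        "not_certified": sorted(manifest_serials - cert_serials),    # left the dock, no evidence
        "not_on_manifest": sorted(cert_serials - manifest_serials),  # certified, but whose device?
        "defective_lines": defects,
        "aggregate_lines": sum(1 for rec in certificate if not rec.get("serial")),
    }


def audit_sample(manifest, certificate, serials):
    """Answer 'was this specific device destroyed?' for the serials an auditor picks.

    Returns {serial: "ok" | reason}, so the answer is per device, never per lot."""
    result = reconcile(manifest, certificate)
    clean = {s for s in result["matched"] if s not in result["defective_lines"]}
    verdict = {}
    for s in serials:
        if s in clean:
            verdict[s] = "ok"
        elif s in result["not_certified"]:
            verdict[s] = "no certificate line"
        elif s in result["defective_lines"]:
            verdict[s] = "; ".join(result["defective_lines"][s])
        else:
            verdict[s] = "serial unknown to both manifest and certificate"
    return verdict


if __name__ == "__main__":
    for key, value in reconcile(MANIFEST, CERTIFICATE).items():
        print(f"{key}: {value}")
    print(audit_sample(MANIFEST, CERTIFICATE, ["WD-SN-0001", "SAM-SN-0005", "SEA-SN-0004"]))
```

The aggregate line surfaces as `line 5` with no serial, which is exactly why it can never answer a per-device question; the same checks applied to a vendor's real sample certificate tell you in a minute whether its standard deliverable reconciles to inventory.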

Section 05

The due-diligence questionnaire

For vendors that survive the one-document test, the DDQ does the systematic work: forty questions across seven categories, sent in writing, answered in writing, kept on file.

The categories and what each is really probing:

  • Certifications and insurance: is the foundation real and current?
  • Data security and destruction: methods per media type, verification, flash-rated particle size, facility controls.
  • Chain of custody: seals, manifests, carrier vetting, intake reconciliation, discrepancy handling.
  • Reporting: the certificate fields, delivery timelines, API capability, record retention.
  • Downstream and environmental: disclosure, audit cadence, reuse-versus-recycle rates.
  • Commercial: the pricing-model questions from Section 3.
  • Compliance posture: BAA willingness, incident notification timelines, regulated-industry references.

Written answers matter beyond the content: they become contract exhibits. A vendor's DDQ response attached to the agreement converts marketing claims into commitments. The Vault's forty-question DDQ is ready to send as-is — and a vendor's reaction to receiving it is itself a data point.

Section 06

The site visit: what to look for in person

Paper diligence verifies claims; the facility visit verifies culture. An hour on the floor tells you things no questionnaire can.

  • Access control at the door, not just in the brochure. Are you badged, escorted, logged? A facility that waves visitors through treats your media the same way.
  • The intake area. Watch a load being received: are assets scanned and serialized at the dock, reconciled against the manifest, with discrepancies flagged on the spot? Intake is where evidence is born or lost.
  • Dwell-time discipline. Ask how long media sits between intake and destruction, then look around — caged, organized, labeled queues versus pallets of loose drives aging in a corner.
  • Media segregation. Drives awaiting destruction physically separated and secured from general material flow, with access limited and logged.
  • The destruction line itself. Verify the shred output particle size, ask how flash media is handled differently, and watch whether serial capture happens before destruction systematically or sporadically.
  • People signals. Badged staff, screening practices, and floor employees who can answer "what happens if a serial doesn't match the manifest?" without fetching a manager.

If a visit isn't practical, a live video walkthrough following this same list is an acceptable substitute — and refusal of both is an answer.

Section 07

Contract terms that matter

The agreement is where due-diligence findings either become enforceable or evaporate. Seven terms carry most of the protective weight:

  • Scope and standards. Services defined against NIST 800-88 by name, with serialized per-device reporting as a deliverable, not a courtesy.
  • Chain of custody obligations. Sealed transport, signed manifests, intake reconciliation, and discrepancy notification within a defined number of hours.
  • Liability and indemnity. Indemnification for data incidents arising from the vendor's custody, with liability caps that bear some relationship to breach economics — a cap at "fees paid" on a program whose failure mode is a seven-figure incident is a cap in name only. Negotiate a higher or uncapped tier for data-breach liability specifically.
  • Insurance as a covenant. Required coverage types and limits (general, E&O, cyber/privacy, pollution where relevant), with certificates delivered annually and your organization as additional insured where appropriate.
  • Downstream disclosure and audit rights. Current downstream list on request, notice of changes, and your right to audit (or rely on certification audits) at reasonable intervals.
  • Incident response. Notification timeline measured in hours/days that leaves room for your own regulatory clocks, cooperation obligations, and cost responsibility.
  • Regulatory addenda. BAA for healthcare, data-protection terms as needed, and the vendor's DDQ responses attached as an exhibit.

For competitive procurement, the Vault's RFP template carries this structure pre-built, mandatory requirements included.

Section 08

Red flags, in the wild

Most bad outcomes telegraph themselves during the sale. The recurring patterns:

Pattern 01

"Free, and we handle everything"

No invoice, no questions about your data, vague answers about certification, and enthusiasm that scales with the equipment's resale value. The business model is your assets; the data rides along as a bonus.

Lesson: in ITAD, "free" means you're paying with the one asset you can't afford to spend.

Pattern 02

The certification shimmer

The website shows logos; the proposal says "certified processes." Pressed for certificates, the answers arrive as "our downstream partner holds R2v3" and "NAID membership" — which is a trade-association membership, not the AAA certification audit.

Lesson: verify certificates in the issuing bodies' directories, in the vendor's exact legal name, for the facility that will process your media.

Pattern 03

The settlement fog

A value-share pitch promises generous splits. Quarter after quarter, statements arrive as lump sums: units "tested non-functional" at surprising rates, resale prices unverifiable, no per-asset line items, audit rights absent from the contract.

Lesson: value share without per-asset settlement transparency is a discount on paper and a leak in practice.

Pattern 04

Paperwork on a delay

Pickups run smoothly; certificates trail by months, arrive in changing formats, or require chasing. Then an auditor samples five serials, and the reconciliation that should take minutes takes weeks.

Lesson: certificate delivery time is a contract SLA, not a hope. Slow evidence is weak evidence.

Section 09

Scoring the field

With diligence complete, force the comparison into numbers. A weighted matrix keeps the decision anchored to what you're actually buying — evidence quality first.

| Criterion | Suggested weight | What scores high |
|---|---|---|
| Data security & evidence quality | 35% | NAID AAA + R2v3 verified; serialized certificates standard; flash-rated destruction; clean sample documents |
| Chain of custody & logistics | 20% | Sealed/tracked transport, documented intake reconciliation, coverage matching your site map, mail-back capability |
| Commercial & value recovery | 20% | Transparent model, per-asset settlement, credible net-cost math on your real mix |
| Reporting & integration | 15% | Defined certificate SLAs, portal/API delivery, ITAM integration, long retention |
| Downstream & environmental | 10% | Disclosed and audited downstream, reuse-first rates, ESG-usable reporting |

Adjust weights to your drivers — a CMMC-bound contractor may push evidence quality higher; a sustainability-led program may lift the downstream weight. Score independently across the evaluation team, then argue about the deltas: the disagreements are where the real findings live.
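As an added example (not part of the guide), the following Python script applies the matrix above: it validates that the weights total 100, converts each evaluator's 1-to-5 scores into a weighted score per vendor, averages across the team, and flags the criteria where evaluators diverge, which are the deltas the paragraph above says to argue about. The weights are the guide's suggested defaults; the evaluator names, vendor names and scores are constructed for illustration.

```python
"""Weighted vendor scoring matrix with evaluator-disagreement flags.

Added example, not from the original guide. WEIGHTS are the guide's suggested
defaults; the evaluators, vendors and scores below are constructed.
"""
from statistics import mean

# Suggested weights from the guide's matrix (percent; must total 100).
WEIGHTS = {
    "evidence": 35,     # data security & evidence quality
    "custody": 20,      # chain of custody & logistics
    "commercial": 20,   # commercial & value recovery
    "reporting": 15,    # reporting & integration
    "downstream": 10,   # downstream & environmental
}

# Constructed scores: evaluator -> vendor -> criterion -> score on a 1-5 scale.
SCORES = {
    "alice": {
        "Vendor A": {"evidence": 5, "custody": 4, "commercial": 3, "reporting": 4, "downstream": 4},
        "Vendor B": {"evidence": 3, "custody": 4, "commercial": 5, "reporting": 3, "downstream": 2},
    },
    "bob": {
        "Vendor A": {"evidence": 5, "custody": 4, "commercial": 3, "reporting": 4, "downstream": 4},
        "Vendor B": {"evidence": 2, "custody": 4, "commercial": 5, "reporting": 3, "downstream": 2},
    },
    "carol": {
        "Vendor A": {"evidence": 4, "custody": 3, "commercial": 3, "reporting": 4, "downstream": 4},
        "Vendor B": {"evidence": 5, "custody": 4, "commercial": 5, "reporting": 3, "downstream": 2},
    },
}


def validate_weights(weights):
    """Weights are percentages; a matrix whose weights don't total 100 silently distorts the ranking."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights total {total}, expected 100")
    return True


def weighted_score(criterion_scores, weights, scale_max=5):
    """Weighted score on a 0-100 scale: each criterion's score, normalized, times its weight."""
    validate_weights(weights)
    return sum(criterion_scores[c] / scale_max * w for c, w in weights.items())


def vendors_in(scores):
    return sorted({v for per_vendor in scores.values() for v in per_vendor})


def consensus(scores, weights):
    """Average each evaluator's weighted score per vendor; returns {vendor: score}."""
    return {
        v: round(mean(weighted_score(scores[e][v], weights) for e in scores), 2)
        for v in vendors_in(scores)
    }


def disagreements(scores, weights, threshold=2):
    """(vendor, criterion, spread) wherever evaluators' scores differ by at least `threshold` points.

    These are the deltas to discuss before the number is treated as a decision."""
    flagged = []
    for v in vendors_in(scores):
        for c in weights:
            values = [scores[e][v][c] for e in scores]
            spread = max(values) - min(values)
            if spread >= threshold:
                flagged.append((v, c, spread))
    return flagged


if __name__ == "__main__":
    print("consensus:", consensus(SCORES, WEIGHTS))
    print("argue about:", disagreements(SCORES, WEIGHTS))
```

With the constructed scores, Vendor A leads on consensus, but the only flagged disagreement is on Vendor B's evidence quality (scores of 2, 3 and 5), which is the criterion carrying the most weight; that is the conversation to have before the ranking is trusted.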

Section 10

Switching vendors without dropping the chain

Incumbent inertia is real: "they're fine" has kept many mediocre vendors employed for a decade. Switching is simpler than feared if the evidence chain is managed across the seam.

The sequence: close out the incumbent cleanly — final pickups completed, all outstanding certificates delivered and reconciled, settlement statements finalized, and a written confirmation that no customer media remains in their custody. Retrieve your full records archive while the relationship is warm; certificates are much harder to obtain from a former vendor. Then run the new vendor's first engagement as a deliberately observed pilot: one site, full chain-of-custody documentation, certificates reconciled to the manifest line by line, settlement statement reviewed against the contract. The pilot is where proposal claims meet your dock.

One overlap rule: never let retired assets accumulate during the transition. A vendor gap of one quarter quietly rebuilds the storeroom backlog that a good program exists to prevent.

Section 11

National, regional, or local: sizing the partner

The market has three shapes, and the honest answer is that each fits someone.

National incumbents bring global footprints and enterprise account machinery — a fit for multinationals that need one contract across continents, priced accordingly, with service that can feel like a queue. Local haulers bring price and proximity, and the certification/evidence gaps this guide spends most of its pages screening for. The certified mid-market — regional processors with national reach — is where evidence rigor and actual responsiveness most often coexist: certified facilities, serialized reporting as standard, and account relationships where your program is a priority rather than a rounding error.

The test that cuts through tiering: run every candidate, regardless of size, through the same one-document test, DDQ, and scoring matrix. Logos and footprints are inputs; the matrix is the decision. A vendor of any size that produces reconcilable evidence, discloses its downstream, and shows you per-asset settlement is a better partner than a famous one that doesn't.

Section 12

Frequently asked questions

How many vendors should we evaluate?

Three to five into the DDQ stage is the practical sweet spot — enough for genuine comparison, few enough to do real diligence on each. Use the one-document certificate test to cut the long list down cheaply before investing evaluation effort.

Is a NAID 'member' the same as NAID AAA certified?

No, and the distinction is exploited constantly. Membership in the trade association requires only joining; NAID AAA certification requires passing scheduled and unannounced audits of the destruction operation. Verify AAA certification status in the public directory under the vendor's exact legal name.

Should data destruction and recycling be separate vendors?

It can work, but every additional custody transfer is another seam in the evidence chain and another contract to police. A single vendor holding both NAID AAA and R2v3 keeps destruction and downstream accountability under one agreement and one reconciliation. Split the functions only when you have a specific reason and the appetite to manage two chains.

What's a reasonable certificate delivery SLA?

Days to a few weeks after destruction, defined in the contract. Same-engagement delivery is increasingly standard among well-run operators, especially with portal or API delivery. Months is a red flag regardless of explanation.

Our volumes are small — will good vendors even want us?

Yes. Mail-back programs and scheduled milk-run logistics make small and distributed volumes economical for certified operators, and a small program with clean evidence is an easy account to serve. Don't let modest volume talk you into an uncertified hauler; the evidence requirements don't scale down with your device count.

Can we just rely on our VAR or MSP's disposal offering?

Ask who actually performs the destruction — most channel offerings are white-labeled certified operators, which is fine if you can see through to the certifications, the certificates, and the downstream. Apply the same one-document test and DDQ to the performing party. If the channel partner can't tell you who that is, that's your answer.

Section 13

Where CyberCrunch fits

This guide hands you the scoring matrix knowing full well we'll be measured by it. Deliberately so — Section 9's criteria describe what CyberCrunch was built to win on: evidence quality first, transparent economics second, and service that remembers your name.

CyberCrunch · Nationwide ITAD & Certified Data Destruction

Run the one-document test on us first.

CyberCrunch is a NAID AAA and R2v3 certified ITAD operator serving all 50 states — serialized certificates of destruction as standard, documented chain of custody from your dock, disclosed downstream partners, per-asset value-share settlement reporting, witnessed destruction options, and mail-back programs for distributed fleets. Headquartered in Greensburg, PA. Ask us for the sample certificate; we'll send it the same day.

NAID AAA · R2v3 · RIOS · PA DEP · All 50 states

This guide is provided for general informational purposes as of June 2026 and is not legal or procurement advice. Certification scopes and program details belong to their respective issuing bodies (i-SIGMA/NAID, SERI/R2, e-Stewards, ISO); verify current status directly. Have counsel review all contract language before use.