VETTING AN ITAD VENDOR
CLAIMS vs EVIDENCE · READ THE CREDENTIALS
VERIFY · ACCREDITATION · SCOPE · CHAIN OF CUSTODY
// PROOF SURVIVES AN AUDIT
HOW TO VET AN ITAD VENDOR

Anyone can claim it.
Proof is what survives an audit.

Every ITAD vendor says they are "certified and secure." The difference between a vendor you can trust and one you cannot is whether they can prove it — on the record, on demand.

CLAIMS vs EVIDENCE · READ THE CREDENTIALS · VERIFY THE PROOF
// A DUE-DILIGENCE WALKTHROUGH · WHAT TO ASK FOR AND HOW TO CHECK IT
THE FRAMEWORK

Four questions. One vetting framework.

Due diligence is not about trusting a logo. It is about moving from what a vendor says to what a vendor can show. Four stages take you there.

01
The Claim
Anyone can say "certified, secure, compliant." Words are free and unverified.
02
The Certification
A real audit by an accredited third party — with a cert number you can verify.
03
Chain of Custody
Can they track every device, every step, from your dock to final disposition?
04
The Documentation
Paperwork that stands up when a regulator or auditor asks you to prove it.
WHAT TO ASK FOR

Four kinds of evidence you can actually check.

A trustworthy vendor hands these over without friction. If a request for evidence is met with hesitation, that is your answer.

Accredited Certifications
R2v3, NAID AAA, RIOS — issued by accredited bodies after an audit, not self-declared.
// THIRD-PARTY AUDITED
Certificates & Reports
Certificate of Data Destruction and Certificate of Recycling — per project, on the record.
// PER PROJECT
Insurance Certificate
An ACORD COI showing named insured, coverage lines, limits, and A-rated carriers.
// NAMED INSURED · LIMITS
Public Registries
i-SIGMA, SERI, and state permit databases let you confirm a credential yourself.
// LOOK IT UP YOURSELF
WHAT A CERTIFICATION ACTUALLY PROVES

A certification is an audit. Not a logo you print.

An accredited certification means an independent body inspected the vendor against a published standard — and re-checks them on a schedule. That is the part a claim can never give you.

Read the scope, not just the badge.
A certification only covers what its scope says it covers. Confirm the activities you care about — data sanitization, physical destruction, downstream recycling — are named in the certificate. Note that NIST SP 800-88 is a sanitization guideline, not a certification: a vendor "using NIST 800-88" should be able to state which sanitization level (Clear, Purge, or Destroy) is applied to each media type. Below are the credentials CyberCrunch holds, shown as a worked example of what to verify.
R2v3 · SERI · ACCREDITED
RIOS · CERTIFIED
NAID AAA · i-SIGMA · SINCE 2012
NIST 800-88 · METHOD
CLAIM vs PROOF

A claim costs nothing.
Proof leaves a trail.

The same sentence can be empty or backed. The difference is whether there is something on the other end you can independently confirm.

// WHAT ANYONE CAN SAY
The Claim
"We're certified, secure, and compliant. Your data is safe with us." Reassuring — and impossible to check on its own.
Say it
Promise
Move on
// NOTHING TO VERIFY
// WHAT YOU CAN VERIFY
The Proof
A cert number you look up in a public registry. A scope that names your activity. Certificates issued for your specific project.
Cert #
Registry
Records
// VERIFIABLE · ON THE RECORD
DOCUMENTATION THAT SURVIVES AN AUDIT

When the auditor asks,
this is what you hand over.

Certificates on every project; a serialized record when you need device-level proof. Ask which documents are standard and which are available on request.

// EVERY PROJECT
CYBERCRUNCH · NAID AAA
Certificate of Data Destruction
Certifies data-bearing media destroyed using NIST 800-88 methods under NAID AAA protocols.
NAID AAA
NIST 800-88
DESTROYED
// EVERY PROJECT
CYBERCRUNCH · R2v3
Certificate of Recycling
Certifies materials handled in accordance with EPA, R2v3, and PA DEP requirements.
R2v3
EPA · PA DEP
RECYCLED
// ON REQUEST
CYBERCRUNCH · SERIALIZED
Serialized Destruction Report
Device-level detail — type, serial, drive serial, disposition — available as an opt-in for chain-of-custody audits.
PER-DEVICE
OPT-IN
ON REQUEST
THE CHECKLIST

Four questions. Ask every vendor.

01
Is the certification real?
Accredited issuing body, a current cert number, verifiable in a public registry.
02
Does the scope cover your work?
Read the scope, not the badge — data sanitization, destruction, and recycling named.
03
Can they prove chain of custody?
Tracked from your dock to disposition; serialized detail available on request.
04
Will the paperwork survive an audit?
Certificates of Destruction and Recycling issued on every project, on the record.
PUT IT TO WORK

See how one vendor's
credentials check out.

Use the same framework on any vendor — then see it applied. The CyberCrunch credentials packet collects the certificates, cert numbers, and coverage in one place.

// READ THE GUIDE: /guides/itad-vendor-due-diligence-guide · VERIFY EVERY CLAIM

Disclaimer. Figures, projections, statistics, and examples shown in this video are for illustrative purposes only and do not constitute a guarantee or offer. Actual results vary based on factors specific to each engagement. Case studies reflect past client engagements and are not predictive of future outcomes. Compliance claims reference CyberCrunch's certifications and procedures at the time of publication — requirements applicable to your organization should be validated by your own legal, compliance, and procurement teams. Program terms, pricing, and service levels are governed by CyberCrunch Terms of Service, and our Privacy Policy applies. All rights reserved. Visit ccrcyber.com for more information.


In short

Every ITAD vendor claims to be certified and secure. Due diligence is the work of turning that claim into something you can verify: accredited certifications, a scope that covers your activity, chain of custody, and documentation that survives an audit.


Full transcript · How to Vet an ITAD Vendor | Read the Credentials, Verify the Proof

Anyone can claim it. Every ITAD vendor will tell you they are certified, secure, and compliant. The difference between a vendor you can trust with retired data-bearing equipment and one you cannot is not what they say — it is whether they can prove it, on the record and on demand. Proof is what survives an audit.

A simple framework moves you from claim to evidence in four stages. First, the claim: words like "certified" and "secure" are free and, on their own, unverified. Second, the certification: a real, accredited third-party audit against a published standard, carrying a certificate number you can look up. Third, chain of custody: whether the vendor can track every device, every step, from your loading dock to final disposition. Fourth, the documentation: paperwork that stands up when a regulator or auditor asks you to prove what happened.

There are four kinds of evidence worth asking for, and a trustworthy vendor hands them over without friction. Accredited certifications — such as R2v3, NAID AAA, and RIOS — are issued by accredited bodies after an audit, not self-declared. Project certificates and reports, including a Certificate of Data Destruction and a Certificate of Recycling, document what happened on your specific engagement. An insurance certificate, in standard ACORD form, shows the named insured, the coverage lines, the limits, and whether carriers are A-rated. And public registries — i-SIGMA for NAID, SERI for R2, and state permit databases — let you confirm a credential yourself rather than taking it on faith.

It helps to understand what a certification actually proves. An accredited certification means an independent body inspected the vendor against a published standard and re-checks them on a schedule; that recurring, third-party scrutiny is the part a claim can never supply. Just as important, a certification only covers what its scope says it covers, so read the scope rather than the badge and confirm the activities you care about — logical data sanitization, physical destruction, downstream recycling — are actually named. As a worked example, CyberCrunch holds R2v3 (through SERI), RIOS, and NAID AAA certification (held since 2012), and uses NIST 800-88 methods for media sanitization; each of those is something a buyer can independently verify.

The contrast between a claim and proof is the heart of due diligence. The claim — "we're certified, secure, and compliant" — is reassuring and impossible to check on its own. The proof is a cert number you can look up in a public registry, a scope that names your activity, and certificates issued for your specific project. One costs nothing to say; the other leaves a trail.

Finally, ask what documentation survives an audit. Strong vendors issue a Certificate of Data Destruction and a Certificate of Recycling on every project, and can provide a serialized, device-level destruction report on request as an opt-in when chain-of-custody audits call for it. Before you sign, run four questions on any vendor: Is the certification real and verifiable? Does its scope cover your work? Can they prove chain of custody? And will the paperwork survive an audit? To see the framework applied to a single vendor, the CyberCrunch credentials packet collects the certificates, certificate numbers, and coverage in one place.