In short
Every ITAD vendor claims to be certified and secure. Due diligence is the work of turning that claim into something you can verify: accredited certifications, a scope that covers your activity, chain of custody, and documentation that survives an audit.
Full transcript · How to Vet an ITAD Vendor | Read the Credentials, Verify the Proof
Anyone can claim it. Every ITAD vendor will tell you they are certified, secure, and compliant. The difference between a vendor you can trust with retired data-bearing equipment and one you cannot is not what they say — it is whether they can prove it, on the record and on demand. Proof is what survives an audit.
A simple framework moves you from claim to evidence in four stages. First, the claim: words like "certified" and "secure" are free and, on their own, unverified. Second, the certification: a real, accredited third-party audit against a published standard, carrying a certificate number you can look up. Third, chain of custody: whether the vendor can track every device, every step, from your loading dock to final disposition. Fourth, the documentation: paperwork that stands up when a regulator or auditor asks you to prove what happened.
There are four kinds of evidence worth asking for, and a trustworthy vendor hands them over without friction. Accredited certifications — such as R2v3, NAID AAA, and RIOS — are issued by accredited bodies after an audit, not self-declared. Project certificates and reports, including a Certificate of Data Destruction and a Certificate of Recycling, document what happened on your specific engagement. An insurance certificate, in standard ACORD form, shows the named insured, the coverage lines, the limits, and whether carriers are A-rated. And public registries — i-SIGMA for NAID, SERI for R2, and state permit databases — let you confirm a credential yourself rather than taking it on faith.
It helps to understand what a certification actually proves. An accredited certification means an independent body inspected the vendor against a published standard and re-checks them on a schedule; that recurring, third-party scrutiny is the part a claim can never supply. Just as important, a certification covers only what its scope says it covers, so read the scope rather than the badge and confirm that the activities you care about (logical data sanitization, physical destruction, downstream recycling) are actually named. The same discipline applies to the sanitization standard a vendor cites: NIST SP 800-88 defines three levels, Clear, Purge and Destroy, so ask which level the vendor applies to each media type you hand over rather than accepting "NIST 800-88" as a blanket answer. As a worked example, CyberCrunch holds R2v3 (through SERI), RIOS, and NAID AAA certification (held since 2012), and uses NIST SP 800-88 methods for media sanitization; each of those is something a buyer can independently verify.
The contrast between a claim and proof is the heart of due diligence. The claim — "we're certified, secure, and compliant" — is reassuring and impossible to check on its own. The proof is a cert number you can look up in a public registry, a scope that names your activity, and certificates issued for your specific project. One costs nothing to say; the other leaves a trail.
Finally, ask what documentation survives an audit. Strong vendors issue a Certificate of Data Destruction and a Certificate of Recycling on every project and, where a chain-of-custody audit calls for it, can provide on request a serialized, device-level destruction report, which is what lets you reconcile the vendor's record against your own asset inventory. Before you sign, run four questions on any vendor: Is the certification real and verifiable? Does its scope cover your work? Can they prove chain of custody? And will the paperwork survive an audit? To see the framework applied to a single vendor, the CyberCrunch credentials packet collects the certificates, certificate numbers, and coverage in one place.