The Vendor Due Diligence Scorecard

Ten questions about an ITAD vendor you're evaluating — answer them about any provider you're considering. You'll get a score, your gaps, and the exact evidence to request for each. Nothing here is recorded or sent anywhere.

What this scores — and what it doesn't. This scorecard covers an ITAD vendor's data-destruction and responsible-recycling credentials: certifications, permits, insurance, chain of custody, reporting, and contracts. It is meant to sit alongside your standard information-security vendor review (where attestations like SOC 2 and ISO 27001 are assessed) — not replace it. Every question below maps to a documentable credential you can request and verify at the source.

1. Holds an accredited responsible-recycling certification (R2 or e-Stewards), with data sanitization in scope.
2. Holds an audited operating-system certification — RIOS, or ISO 9001 + ISO 14001.
3. Holds NAID AAA secure-destruction certification, with endorsements for the media you're sending (HDD/SSD, physical and/or overwrite).
4. The processing facility holds a current state/environmental permit for e-waste processing.
5. Carries cyber / technology E&O insurance that responds to a data-handling failure, at a limit proportionate to your data.
6. Carries the supporting commercial lines — general liability, auto, cargo (your gear in transit), pollution, workers' comp.
7. Provides a provable chain of custody — vetted staff, photo-verified bill of lading, tracked transport, serialized intake.
8. Issues a Certificate of Data Destruction and a Certificate of Recycling for every project, tied to your shipment.
9. Can provide serialized, per-device destruction reporting (asset/serial, method, date) when you need it.
10. Will execute the contracts your data requires — service terms, plus a BAA (PHI) or DPA (regulated personal data).
How to read your score

Each "Yes" is one documentable credential the vendor can produce and you can verify at the source — a certificate number you can look up in an issuer's directory, a certificate of insurance you can read, a sample report you can inspect. A "No" or "Not sure" isn't a verdict on the vendor; it's a prompt to request a specific document before you decide. The gaps list below your score names exactly what to ask for, line by line.

This is deliberately a credentials scorecard, not a full vendor assessment. It doesn't cover the information-security attestations a security team evaluates separately — SOC 2, ISO 27001, and the like — which belong in your standard infosec review. Within its scope, a strong ITAD provider should be able to answer every line with a document. For the reasoning behind each criterion, read the Vendor Due Diligence guide; for a vendor that can evidence all ten in one file, the Compliance & Credentials Packet is the worked example.

CYBERCRUNCH · R2v3 · RIOS · NAID AAA · PA DEP

See what a complete file looks like.

The Compliance & Credentials Packet gathers every certificate, the permit, the insurance breakdown, and the chain-of-custody process in one audit-ready PDF — the same evidence this scorecard asks any vendor to produce.