10 Questions to Ask Your Electronics Recycler Before Handing Over Your Data

10 Questions to Ask Your Electronics Recycler Before Handing Over Your Data

When your organization retires IT equipment, the vendor you choose to handle those devices makes a decision that affects your data security, regulatory compliance, environmental responsibility, and bottom line. The problem is that the electronics recycling industry is not monolithic. The gap between a modern IT asset disposition partner and a legacy recycler is enormous — and the consequences of choosing the wrong one can be severe.

This guide gives you 10 specific questions to ask any electronics recycler before you hand over a single device. The answers will quickly reveal whether you are working with a security-first ITAD partner or a legacy operation that may be putting your organization at risk.

Question 1: What data destruction standard do you follow?

**Why it matters:** The data destruction standard your vendor follows determines whether your data is actually unrecoverable — or just appears to be.

**What you want to hear:** NIST Special Publication 800-88 Revision 1 (Guidelines for Media Sanitization). This is the current federal standard published by the National Institute of Standards and Technology. It covers all modern storage technologies including traditional hard drives, solid-state drives, NVMe drives, flash storage, and encrypted media. NIST 800-88 defines three levels of sanitization — Clear, Purge, and Destroy — with specific procedures for each media type.

**Red flag:** If your vendor cites DoD 5220.22M (Department of Defense standard), that is a serious warning sign. This standard was designed for magnetic media in the 1990s and was officially superseded by NIST 800-88 over a decade ago. It is completely ineffective on modern solid-state drives, NVMe storage, and flash memory. Any vendor still relying on DoD standards is using methods that cannot reliably destroy data on the storage technologies that dominate today's IT environments.

**The bottom line:** The standard your vendor follows is not a minor technical detail. It is the foundation of whether your data destruction program actually works. Outdated standards leave gaps that modern forensic tools can exploit.

Question 2: Do you verify 100% of devices, or perform random audits?

**Why it matters:** Verification is what separates documented data destruction from a hope-based security strategy.

**What you want to hear:** Every single device is verified after sanitization, with the verification results logged against the device serial number. No exceptions, no sampling, no random spot-checks. The vendor should be able to explain their specific verification process — what tools they use, what they check for, and how failures are handled.

**Red flag:** If your vendor performs random audits or spot-checks — verifying only a percentage of devices — every unverified device is a potential data breach. Some vendors rely on visual confirmation (a technician looks at the screen and decides the wipe worked) or physical stickers placed on machines after processing. Neither method provides the documented proof that compliance auditors require.

**The bottom line:** If your vendor is not verifying 100% of devices, you are accepting a level of risk that no compliance framework considers adequate. Ask for the specific verification rate and method. If they hesitate or cannot give you a clear answer, that tells you everything you need to know.

Question 3: Where are my devices physically processed?

**Why it matters:** The physical location where your devices are processed determines which laws protect your data and how much oversight you have.

**What you want to hear:** All processing occurs at a specific, named facility that you can visit and audit. Ideally, this facility is local — within your state or region — so you can maintain direct oversight and your data remains under U.S. legal jurisdiction throughout the entire process.

**Red flag:** If your vendor ships devices to multiple locations, uses third-party subcontractors for processing, or — most critically — ships equipment to international markets, your data may end up in jurisdictions where U.S. data protection laws do not apply. Some vendors operate as brokers, collecting equipment and then distributing it to a network of downstream processors. Each handoff in that chain is a point where chain-of-custody can break down.

**The bottom line:** Ask for the specific address where your devices will be processed. If the answer is vague, involves multiple locations, or includes international shipping, your organization loses control of its data the moment those devices leave your building.

Question 4: What is your process for SSDs, NVMe drives, and encrypted storage?

**Why it matters:** Solid-state drives now dominate enterprise storage, but many recyclers still use processes designed exclusively for traditional hard drives.

**What you want to hear:** The vendor should describe a specific, documented process for solid-state media that differs from their hard drive process. For SSDs and NVMe drives, proper sanitization requires manufacturer-specific secure erase commands, cryptographic erase for self-encrypting drives, or physical destruction. The vendor should be able to explain how they handle drives where secure erase commands fail or are not supported.

**Red flag:** If your vendor only mentions degaussing (which has zero effect on solid-state media), only references hard drives in their documentation, or cannot clearly articulate their SSD-specific process, they may not be destroying data on your solid-state storage at all. Some vendors' entire data destruction infrastructure was built when hard drives were the only storage technology — and they have never updated their processes for the SSD era.

**The bottom line:** With SSDs in virtually every modern laptop, desktop, and server, a vendor that cannot handle solid-state media is a vendor that cannot protect your data. Period.

Question 5: What documentation do I receive after destruction?

**Why it matters:** Documentation is what proves to auditors, regulators, and your own leadership that data was properly destroyed.

**What you want to hear:** A Certificate of Destruction for every device, listing the individual serial number or asset tag, the specific sanitization method used (referencing NIST 800-88 Clear, Purge, or Destroy), the date of destruction, verification results, and the certifications of the facility that performed the work. You should also receive a chain-of-custody record documenting the transfer from your facility to theirs.

**Red flag:** Generic batch certificates that list a total count of devices without individual serial numbers. Certificates that do not reference a specific sanitization standard. Missing chain-of-custody documentation. Any vendor that treats documentation as an afterthought rather than a core deliverable is not operating at a professional ITAD level.

**The bottom line:** If your vendor cannot produce individual, serial-number-level documentation for every device, you cannot prove to an auditor that any specific device was properly destroyed. That gap is exactly what regulators look for during compliance reviews.

Question 6: What certifications do you hold, and are they current?

**Why it matters:** Third-party certifications are the only independent verification that a vendor's processes meet recognized standards.

**What you want to hear:** R2v3 (the current version of the Responsible Recycling standard), ISO 9001 (quality management), ISO 14001 (environmental management), and ISO 45001 (occupational health and safety). The vendor should be able to provide certificate numbers, expiration dates, and the name of their certifying body. All certifications should be current and actively maintained through annual surveillance audits.

**Red flag:** Vendors still referencing R2:2013 (the previous version, now superseded by R2v3). Missing ISO certifications. Expired or lapsed certifications. Certifications from unaccredited registrars. Any vendor that cannot immediately produce current certification documentation is either not certified or not maintaining their certifications — both of which mean they are not being independently audited.

**The bottom line:** Certifications are not just marketing badges. They represent ongoing, independent auditing of a vendor's processes. If a vendor's certifications are outdated or missing, no one is verifying that they actually do what they claim.

Question 7: Is your primary business IT asset disposition — or something else?

**Why it matters:** A vendor's core business model determines their priorities, and those priorities directly affect how they handle your data and assets.

**What you want to hear:** The vendor's primary business is IT asset disposition — the secure, documented retirement of IT equipment with a focus on data protection, compliance, and value recovery. Data destruction is a core competency, not a side service.

**Red flag:** If the vendor's primary business is scrap metal recovery, they are fundamentally motivated to shred everything for raw material value — destroying the resale value of working equipment and treating data destruction as a necessary step before the shredder, not a security-focused service. If the vendor's primary business is international commodity brokering, they are motivated to move volume to overseas buyers at the lowest cost — which means your data-bearing devices may end up in markets where you have no legal protection.

**The bottom line:** Understand what business you are actually hiring. A scrap metal operation with a data destruction service is not the same as an ITAD partner with scrap metal as a downstream output. The priorities are reversed, and so are the risks.

Question 8: Do you ship any equipment internationally?

**Why it matters:** International shipping of data-bearing devices is one of the highest-risk practices in the electronics recycling industry.

**What you want to hear:** No. All equipment is processed domestically, and any remarketing of wiped, verified devices occurs through domestic channels. The vendor should be able to clearly state that no data-bearing devices leave the country.

**Red flag:** If the vendor maintains international buyer networks, ships to markets in regions with weak data protection enforcement, or cannot clearly confirm that your devices stay within U.S. borders, your data may end up in jurisdictions where you have zero legal recourse if something goes wrong. Some vendors proudly advertise their international buyer networks as a value proposition — but from a data security perspective, it is a liability.

**The bottom line:** Once a device with residual data crosses an international border, your organization's ability to enforce data protection standards drops to zero. Ask the question directly and accept only a clear, unambiguous answer.

Question 9: How do you handle value recovery, and what is your pricing model?

**Why it matters:** The way a vendor approaches value recovery reveals whether they are working in your interest or their own.

**What you want to hear:** The vendor offers transparent pricing with clear explanations of how value recovery works. For working equipment, data wiping preserves the device for domestic remarketing, returning higher value to your organization. The vendor should be able to explain their pricing structure, how residual value is calculated, and how proceeds are shared.

**Red flag:** Pay-per-pound commodity pricing that treats all electronics as raw material regardless of condition or value. Vendors that shred everything — including working equipment — because their business model is built on scrap metal recovery rather than ITAD. Vendors that offer suspiciously low pricing because they plan to flip your equipment to international buyers at commodity rates.

**The bottom line:** A legitimate ITAD partner maximizes the return on your retired assets through proper data sanitization and domestic remarketing. A scrap broker or international commodity dealer extracts value for themselves at the expense of your security and your budget.

Question 10: Can I visit your facility and observe the process?

**Why it matters:** Transparency is the ultimate test of a vendor's confidence in their own processes.

**What you want to hear:** Yes, absolutely. The vendor should welcome facility visits, offer tours of their processing area, and be willing to let you observe the data destruction process firsthand. A certified facility with nothing to hide will actively encourage client visits as a way to build trust and demonstrate their capabilities.

**Red flag:** Reluctance to allow facility visits. Restrictions on which areas you can see. Requirements for advance notice that seem designed to prepare rather than accommodate. Any vendor that does not want you to see how they operate is a vendor you should not trust with your data.

**The bottom line:** If you would not trust a restaurant that would not let you see the kitchen, you should not trust a data destruction vendor that would not let you see their facility.

Putting It All Together: A Scoring Framework

Use these 10 questions as a vendor evaluation scorecard. For each question, score your current vendor or prospective vendor on a simple scale: Green (fully satisfactory answer), Yellow (partial or vague answer), or Red (unsatisfactory or no answer).

Any vendor with even one Red score on questions 1 through 5 (data destruction standard, verification, processing location, SSD handling, documentation) represents a material risk to your organization. These are non-negotiable security fundamentals.

Vendors with multiple Yellow scores across questions 6 through 10 may be adequate for low-risk assets but should not be trusted with sensitive data or compliance-critical equipment.

A vendor that scores Green across all 10 questions is operating at the level your organization deserves.

How eLake Tech Solutions Answers These Questions

At eLake Tech Solutions, we welcome these questions because our answers demonstrate exactly why organizations across Michigan trust us with their most sensitive IT assets.

We follow NIST 800-88 Rev. 1 exclusively — not obsolete DoD standards. We verify 100% of devices with individual serial number tracking. All processing occurs at our certified facility in Livonia, Michigan — nothing is shipped overseas or subcontracted. We have documented, media-specific processes for SSDs, NVMe drives, encrypted storage, and every other modern storage technology. We provide individual Certificates of Destruction with serial numbers, sanitization methods, and verification results.

We hold R2v3, ISO 9001, ISO 14001, ISO 45001, and BBB A+ — all current and actively audited. Our primary business is IT asset disposition, not scrap metal or international brokering. We do not ship data-bearing devices internationally. We offer transparent pricing with domestic remarketing that returns maximum value to our clients. And our facility at 36931 Schoolcraft Rd in Livonia is open for visits any time during business hours.

If your current vendor cannot match these answers, call us at (734) 469-4111 or visit our Contact page. We will show you the difference a modern, security-first ITAD partner makes.