Pick a Local ITAD Partner

Choosing the wrong IT asset disposal partner turns a routine refresh cycle into a reputational and compliance event. For a CFO, the real question is not who can collect equipment fastest but who can prove security, compliance, and outcomes under audit.

By the end of this guide you will be able to shortlist providers, run a gated due diligence process, and compare quotes on an apples-to-apples basis. You will also have a practical checklist you can copy into an RFP, plus a clear view of what evidence belongs in your audit pack.

Note for South Africa:

  • Assume devices may contain personal information and align end-of-life handling to POPIA security safeguards and deletion or destruction expectations
  • E-waste responsibilities are increasingly visible, so ask for transparent downstream recyclers and proof of lawful processing
  • Local logistics matter, so plan for secure transport across provinces and realistic scheduling during load shedding

At a glance:

  • Start with outcomes, audit pack, POPIA risk reduction, clear chain of custody, and predictable reporting
  • Require a sanitisation method per data class, and specify evidence, not promises
  • Use pass or fail gates first, then score shortlisted bidders on service, price, and recoveries
  • Compare quotes using the same unit of measure, same certificate set, and the same disposition categories

Key takeaways:

  • Chain of custody and verifiable sanitisation are the core controls, not the pickup date
  • POPIA-aligned deletion or destruction should be contractually defined and evidenced per serial number
  • Environmental claims must be backed by downstream transparency and documents you can audit

What a CFO should get from a local ITAD partner

Think of ITAD as a governed disposal process, not a courier service. Your output should be an auditable record that every asset moved from in-use to final disposition with defined controls at each handover. You also want predictable recoveries where resale is appropriate, without compromising data security.

A good local partner should make it easier to answer basic audit questions: who touched the device, when, where it was stored, what happened to the data, and what happened to the hardware. If those answers depend on emails and spreadsheets, you do not have a process, you have a story.

  • Risk reduction, reduced exposure to data leakage, theft, and informal e-waste handling
  • Auditability, serial-level tracking, signed handovers, and certificates tied to your asset register
  • Operational simplicity, consistent pickups, packaging, staging, and reporting templates
  • Financial outcomes, fair market remarketing options, transparent fees, and clear revenue share terms

If you need a baseline view of what corporate ITAD services typically include, start with your internal stakeholders, then review your disposal service requirements against what is described on your own service pages like Corporate IT asset disposal and Professional services.

Early decision table, choose the right route per asset

Before you evaluate vendors, lock down your decision logic. The same policy should apply whether the asset is a laptop, a server drive, a switch, or a mining rig control PC. The table below keeps the choices simple and forces a documented rationale.

| Disposition route | When it fits | Minimum evidence to require | Common CFO risk |
|---|---|---|---|
| Redeploy internally | Still supported, low risk role | Wipe record, reissue log | Shadow inventory, missing approvals |
| Resale or remarketing | Working asset with value | Serial-level sanitisation proof, sale report | Data residue and brand risk |
| Parts harvesting | Partial value, controlled environment | Drive destruction proof, parts disposition list | Untracked parts leaving site |
| Recycle as e-waste | End of life, no economical resale | Downstream recycler details, weight and category report | Greenwashing and illegal dumping |
| Physical destruction | High sensitivity, failed media | Certificate tied to serial, destruction method | Overpaying when purge is enough |

Once the route is clear, the vendor conversation becomes measurable. You can ask for evidence per route, and you can price each route as a defined service line.

Compliance baseline in South Africa

Two compliance threads affect almost every IT refresh cycle in South Africa. First, personal information needs reasonable security safeguards and appropriate retention and disposal practices. Second, e-waste handling is under increasing scrutiny, and CFOs are expected to show responsible downstream processing.

This article is not legal advice. The practical point is that your procurement pack should map compliance obligations into vendor deliverables, contract clauses, and audit evidence.

POPIA requirements that impact device end-of-life

Even if your organisation does not think of old laptops as records, they often contain personal information. POPIA places duties around safeguarding personal information and managing retention, deletion, or destruction. For procurement, you want these duties reflected in the scope of work and in the way evidence is produced.

At policy level, retention rules influence when you are allowed to keep data and when you should destroy, delete, or de-identify it. A practical reference point is POPIA Section 14, which includes the idea that destruction or deletion should prevent reconstruction in an intelligible form. This is directly relevant to ITAD sanitisation requirements; see POPIA Section 14 retention and destruction.

At control level, POPIA Section 19 speaks to reasonable technical and organisational measures. That typically translates into controlled access, chain of custody, verification of safeguards, and continuous improvement, which you can reflect in your ITAD SLA and onboarding controls via POPIA security safeguards obligations.

For internal governance, keep your information officer, privacy, and security teams in the loop. If your internal process needs a formal mechanism for deletion or destruction requests, the regulator resources and forms are published by the Information Regulator via Information Regulator POPIA forms.

E-waste and EPR in South Africa

Extended Producer Responsibility is part of the South African framework under NEMWA. It affects how electrical and electronic equipment waste streams are managed, and it has pushed more organisations to ask tougher questions about downstream processing. While EPR obligations often sit with producers, corporate buyers still carry ESG and reputational exposure if e-waste is mismanaged.

Use government and DFFE sources to frame your requirements. DFFE explains registration and compliance expectations for the EPR framework via DFFE EPR registration and compliance. For plain language context, the government media statement summarises EPR roll-out and covered waste streams via government statement on EPR waste regulations.

If you need to cite the underlying instrument for your internal policy pack, a consolidated text of the EPR Regulations is available via Extended Producer Responsibility Regulations, 2020 Government Notice 1184. For practical recycling directory support, eWASA provides a where-to-recycle resource and describes its PRO role via eWASA accredited recyclers.

  • Ask vendors to disclose downstream facilities by name and location, not just the word recycling
  • Require weight and category reporting for e-waste, aligned to your ESG reporting needs
  • Require proof of lawful processing and subcontractor controls, especially for cross-province logistics

Data security and sanitisation standards to require

Data sanitisation is where most ITAD failures happen. Vendors may promise wiping, but cannot show verification, or they treat every drive the same regardless of risk. As a CFO, you want a policy-linked method selection and evidence that would stand up in an incident review.

Use a recognised framework to avoid vendor-specific language. NIST publishes media sanitisation guidance that is widely used to structure clear, purge, and destroy decisions. NIST also announced SP 800-88 Revision 2 in September 2025, which is useful to cite if you want the most current revision in your procurement documents via NIST SP 800-88 Revision 2 update.

  • Wipe, usually software-based clearing for lower sensitivity and for redeploy or resale, only if verified
  • Purge, stronger methods for higher sensitivity and certain media types, often combined with encryption-based approaches where appropriate
  • Destroy, physical destruction for the highest risk media or where wiping cannot be validated

Do not let a certificate of destruction be the only artifact. You want a serial-level report that shows what method was applied to which media, by whom, and when, plus the verification outcome.

Mapping your data classification to sanitisation methods

The fastest way to reduce risk is to stop making sanitisation a per-batch argument. Create a simple mapping between your data classes and approved sanitisation routes, then require the ITAD partner to follow that mapping and report exceptions.

A workable mapping can be documented in a one-page appendix. You can base the language on NIST SP 800-88 concepts, then translate it into operational instructions for your fleet. If you need the baseline publication page for NIST guidance, use NIST SP 800-88 media sanitization guidance.

  • Public or low sensitivity, verified wipe, reuse and resale allowed with approvals
  • Confidential, purge or verified wipe with stronger controls, resale only if policy allows
  • Highly confidential, destroy media, consider full device destruction if policy mandates
  • Unknown content, treat as higher risk until proven otherwise

Include special cases. SSDs, mobile devices, self-encrypting drives, and encrypted volumes can change the appropriate technique. Your vendor should be able to explain how they adapt, and what evidence they produce, without relying on marketing language.

Vendor due diligence checklist, gates first, then scoring

Run ITAD selection like a controlled supplier onboarding, not like a facilities contract. Start with non-negotiable gates that eliminate high-risk bidders early. Then score the short list on measurable criteria such as reporting quality, turnaround times, service coverage, and commercial terms.

Use the checklist below as a CFO-ready template. Convert it into an RFP appendix and require bidders to attach evidence for each item. If you want help packaging this into a procurement pack, use your internal team first, and consider contacting us via Contact us.

Pass or fail gates

  • Contract clarity, written scope covering collection, storage, sanitisation, remarketing, recycling, and subcontractors
  • Serial-level tracking, asset ID or serial captured at pickup, and maintained through to final disposition
  • Chain of custody, documented handovers, sealed transport options, and controlled storage access
  • Sanitisation evidence, method and verification results per device or per drive, aligned to your policy
  • Certificates, certificate of data destruction and certificate of recycling or disposal where relevant, tied to serials
  • Subcontractor disclosure, named downstream partners and clear controls over who does what
  • Insurance, proof of insurance, with cover relevant to transit, storage, and liability for incidents
  • Site security, physical security controls at storage and processing sites, plus visitor control and CCTV where applicable

Scored criteria, weight to your risk profile

  • Coverage and logistics, provinces served, pickup lead times, secure packaging, and collection scheduling under load shedding constraints
  • Reporting, file formats, data fields, turnaround time, and reconciliation support for your asset register
  • Service transparency, facility access for audits, ability to witness destruction, and clarity on downstream processing
  • Commercial terms, fee structure, resale revenue share, minimum batch sizes, and clear dispute handling
  • Customer references, referenceability in similar risk profiles, finance-friendly documentation quality

Chain of custody fields you should see in reports

Ask for a sample report before you sign. If the vendor cannot show you a real template, you will become their template. The report should reconcile to your fixed asset register and to your security evidence.

  • Asset tag and manufacturer serial number
  • Device type and category, for example laptop, desktop, server, networking, storage
  • Pickup date, location, and signed handover names
  • Container or seal ID for transport, where used
  • Arrival date at facility and storage location reference
  • Sanitisation method, tool or process reference, and verification result
  • Disposition outcome, redeploy, resale, parts, recycle, destroy
  • Certificate IDs linked to the asset line item
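A reconciliation check along these lines can be run on every batch before the audit pack is accepted. The script below is an added example, not a vendor tool or code from this guide: it compares a vendor chain of custody report against the asset register and the data-class mapping described earlier. The column names, serials, and the decision to treat "unknown" as the strictest class are assumptions, and all sample data is constructed.

```python
import csv
import io

# Assumed policy appendix: sanitisation methods approved per data class.
# "unknown" is treated like the strictest class (an assumption of this example).
ALLOWED_METHODS = {
    "public": {"wipe", "purge", "destroy"},
    "confidential": {"wipe", "purge", "destroy"},
    "highly_confidential": {"destroy"},
    "unknown": {"destroy"},
}
NO_RESALE = {"highly_confidential", "unknown"}

# Constructed asset register extract: serial -> data class.
REGISTER = {
    "SN1001": "public",
    "SN1002": "confidential",
    "SN1003": "highly_confidential",
    "SN1004": "unknown",
    "SN1005": "public",
}

# Constructed vendor report using a subset of the fields listed above.
VENDOR_REPORT = """\
asset_tag,serial,sanitisation_method,verification_result,disposition,certificate_id
AT-01,SN1001,wipe,pass,resale,CERT-001
AT-02,SN1002,wipe,fail,resale,CERT-002
AT-03,SN1003,purge,pass,recycle,CERT-003
AT-04,SN1004,destroy,pass,destroy,
AT-09,SN9999,wipe,pass,resale,CERT-009
"""


def reconcile(register, report_csv):
    """Return {serial: [exception, ...]} for every line that fails a check."""
    exceptions = {}
    seen = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        serial = row["serial"].strip()
        problems = []
        if serial in seen:
            problems.append("duplicate serial in vendor report")
        seen.add(serial)
        data_class = register.get(serial)
        if data_class is None:
            problems.append("serial not on asset register")
        else:
            method = row["sanitisation_method"].strip().lower()
            if method not in ALLOWED_METHODS[data_class]:
                problems.append(f"method '{method}' not approved for {data_class}")
            if row["disposition"].strip().lower() == "resale" and data_class in NO_RESALE:
                problems.append(f"resale not permitted for {data_class}")
        if row["verification_result"].strip().lower() != "pass":
            problems.append("sanitisation not verified")
        if not row["certificate_id"].strip():
            problems.append("no certificate linked to this serial")
        if problems:
            exceptions.setdefault(serial, []).extend(problems)
    # Assets that left the register's custody but never appear in the report.
    for serial in register.keys() - seen:
        exceptions[serial] = ["on asset register but absent from vendor report"]
    return exceptions


if __name__ == "__main__":
    for serial, problems in sorted(reconcile(REGISTER, VENDOR_REPORT).items()):
        print(serial, "->", "; ".join(problems))
```

Any serial returned by `reconcile` belongs in the exception review rather than in a closed batch.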

Commercial model, pickups, reporting, remarketing options

Most quote comparisons fail because they mix different service levels. One bid includes serial-level wiping, secure storage, and remarketing, another only includes collection and bulk recycling. If you do not normalise scope, you cannot compare price.

Ask vendors to quote in line items and to separate fees from recoveries. For remarketing, require a documented method for pricing and a statement of how data security is protected during functional testing and resale preparation. If a partner offers to buy equipment outright, make sure you can reconcile the asset list to the payment schedule.

  • Pickup and logistics, standard vs expedited, packaging supplied, and any call-out charges
  • Processing, per unit sanitisation, per drive destruction, and exception handling
  • Storage, secure holding time included, and fees for extended storage
  • Reporting, standard report set vs custom data fields, plus turnaround times
  • Remarketing, revenue share, minimum grade definitions, and dispute process for returned items

If your business also disposes of specialist equipment, such as mining rigs or related control systems, treat them like any other endpoint. Ensure serial-level tracking and sanitisation decisions align with policy. If you are also buying new hardware, keep procurement and disposal connected via Shop so refresh cycles and end-of-life processes stay aligned.

Internal controls and governance, what should be in the audit pack

ITAD should be embedded into your internal control environment. That means approvals, segregation of duties, asset register updates, and consistent evidence. It also means your finance team can defend the decision to scrap, donate, or resell, and can show what happened to proceeds.

Tax outcomes vary by fact pattern, and you should confirm treatment with your tax advisors. For internal awareness, SARS references the scrapping allowance concept under section 11(o) and recoupment concepts under section 8(4)(a) in its guidance via SARS scrapping allowance section 11(o).

Minimum internal controls to document

  • Approved disposal policy, including data classification and approved sanitisation routes
  • Delegations of authority for write-offs, donations, and resale decisions
  • Asset register reconciliation process, including serial verification at pickup
  • Incident escalation path for missing assets, failed wipes, or chain of custody breaks
  • Quarterly KPI review, for example turnaround time, exception rate, and certificate completeness

Audit pack template, ask the vendor to deliver this by default

  • Signed pickup manifest and handover record
  • Serial-level chain of custody report
  • Sanitisation report with verification outcomes
  • Certificates, destruction and recycling, linked to serial numbers
  • Disposition summary, counts and weights by category
  • Remarketing report, items sold, price basis, and revenue share calculation
  • Subcontractor list and downstream facility disclosures

Store the audit pack in a controlled repository and reference the pack ID on the asset register update. This is the simplest way to make audits repeatable across sites and refresh cycles.

If you’re new

If you have not run a formal ITAD tender before, keep the first cycle tight. Focus on controls and repeatability, then extend scope as you learn.

  • Start with one region or one business unit and standardise the reporting template
  • Define your data classification and approved sanitisation routes before you invite quotes
  • Require serial-level reporting, even if the batch is small
  • Run a pilot pickup and validate the audit pack end to end
  • Build a monthly exception review meeting with IT, security, and finance

If you have done this before

Experienced teams often inherit legacy vendors and legacy assumptions. A refresh is a good time to tighten controls and reduce reliance on trust-based relationships.

  • Audit a sample of past batches for certificate completeness and serial matching
  • Update contract language to reference your current policy and current standards
  • Re-test logistics, especially if you have expanded across provinces or changed offices
  • Re-price the scope using normalised line items, then benchmark service levels
  • Review downstream disclosures for recycling, especially where subcontractors changed

Common mistakes

These issues show up repeatedly in incident reviews and internal audits. They are preventable if you design the process around evidence.

  • Accepting a generic certificate that is not tied to serial numbers
  • Letting devices leave site before the asset register is frozen and reconciled
  • Mixing high-risk and low-risk assets in one batch without documented sanitisation rules
  • Allowing undisclosed subcontractors to handle transport or processing
  • Comparing quotes without normalising scope, reporting, and certificate requirements
  • Assuming recycling equals compliant recycling without downstream transparency

Frequently asked questions

Do we always need physical destruction?

No. The right method depends on your data classification, media type, and your ability to verify sanitisation. Use a policy mapping and require evidence of wipe or purge verification, then reserve destruction for high-risk cases or unverifiable media.

What should a certificate of destruction include?

At minimum it should be linked to your batch and ideally to each serial number or drive identifier. It should state the destruction method, date, and the responsible facility, and it should reconcile to the manifest and chain of custody report.

How do we handle remote sites and cross-province collections?

Design for secure staging, sealed containers where feasible, and signed handovers. Ask vendors to explain how they manage long-distance transport risks, storage, and scheduling disruptions during load shedding, and require the same reporting fields for every site.

Can we resell devices if they contained personal information?

Possibly, but only if your policy allows it and sanitisation is performed and verified to your required standard. Treat resale as a controlled process with serial-level proof, and ensure remarketing and functional testing do not create new data exposure.

What is the simplest way to make audits easier?

Standardise the evidence pack and force reconciliation. Every batch should produce the same set of documents, and every asset line item should end in a recorded disposition and a linked certificate or sanitisation record.

Short summary, what to do next

  • Define disposition routes and sanitisation rules before you request quotes
  • Use pass or fail gates for chain of custody, evidence, subcontractors, and insurance
  • Score the short list on logistics, reporting quality, and commercial transparency
  • Require a repeatable audit pack with serial-level evidence for every batch
  • Keep governance tight with asset register reconciliation and exception reviews

About us explains how we approach secure tech handling, and our Insights page has more practical posts you can share with IT and compliance.

This is educational content, not financial advice.

Dr Jan van Niekerk Chief Executive Officer
I'm a seasoned executive leader with a deep background in Data Science and AI, and a passion for all things blockchain and crypto. I proudly hold 5 degrees to my name (Ph.D. in Computer Science (AI) and an Executive MBA) which I leverage to do things differently. I have been involved in the crypto-mining space for 15+ years, where at one point, I owned the largest individually owned crypto mining operation in Africa (bragging point). I have turned the mining operation into a commercial engine where my team and I now help people and businesses in the crypto mining space (offering a full value chain service).