The Complete Corporate ITAD RFP Checklist

Choosing the wrong IT Asset Disposition (ITAD) vendor is not just a procurement misstep; it is a compliance and reputational risk. In South Africa, where POPIA enforcement is active and e-waste legislation carries real liability, a poorly structured RFP can expose your organisation to data breaches, regulatory fines, and environmental penalties.

This checklist gives procurement managers, IT asset managers, and compliance officers a structured, section-by-section framework to evaluate ITAD vendors. By the end, you will know exactly what questions to ask, what documents to demand, and which red flags to walk away from.

Note for South Africa:

  • POPIA (Act 4 of 2013) requires that personal data on decommissioned hardware is securely destroyed. Your ITAD vendor acts as an "operator" under POPIA and must sign a written operator agreement before taking custody of any asset.
  • The National Environmental Management: Waste Act (NEMWA) and EPR regulations (GN R1184, 2020) govern e-waste disposal. Non-compliant disposal can create liability for the waste generator, not only the vendor.
  • Load shedding can affect on-site and off-site ITAD operations. Factor operational continuity and SLA provisions into your vendor discussions.

At a glance:

  • This checklist covers five domains: vendor credentials, data security, chain of custody, environmental compliance, and commercial terms.
  • Each section includes specific questions to direct at prospective vendors, with a Yes / Partial / No scoring column.
  • South African legislation (POPIA, NEMWA, EPR) shapes several mandatory requirements in the checklist.
  • Red flags and a vendor scoring guide are included at the end to support a defensible procurement decision.

Key takeaways:

  • ISO 27001 alone is not sufficient. Ask for R2v3 or e-Stewards certification alongside it.
  • A Certificate of Data Destruction must reference individual asset serial numbers and the specific sanitisation method used.
  • Your organisation retains POPIA accountability even after disposal. The operator agreement is non-negotiable.

What Is an ITAD RFP and Why Does It Matter?

An ITAD RFP (Request for Proposal) is the formal document your organisation issues to shortlist and evaluate IT Asset Disposition vendors. As Gartner defines it, ITAD encompasses data destruction, remarketing, recycling, and logistics for obsolete or unwanted IT equipment. A structured RFP forces vendors to respond to your specific compliance, security, and commercial requirements rather than presenting a generic pitch.

Without a structured RFP, procurement teams often compare vendors on price alone. This approach misses the risks that sit beneath the surface: residual data on decommissioned drives, informal recycling channels, and missing audit documentation.

The Hidden Risks of Choosing the Wrong ITAD Vendor

The consequences of a poor ITAD selection are concrete. Residual personal data recovered from resold or improperly destroyed hardware can trigger a POPIA investigation. The Information Regulator of South Africa has enforcement powers including administrative fines and criminal referrals. Separately, if your disposed assets enter the informal e-waste economy, your organisation may share liability under NEMWA.

A well-constructed RFP transfers much of this risk back onto the vendor through contractual commitments, certification requirements, and documented accountability.

Risk Area           | What Can Go Wrong                                   | RFP Control
--------------------|-----------------------------------------------------|-----------------------------------------------------------
Data Security       | Residual data recovered from disposed drives        | Require NIST 800-88 method and serial-level certificates
POPIA Liability     | No operator agreement signed before asset transfer  | Mandate written POPIA operator agreement
E-Waste Compliance  | Assets enter informal recycling channels            | Require NEMWA waste licence and EPR registration
Audit Trail         | No documentation if assets are disputed or traced   | Require chain-of-custody records per asset
Value Recovery      | Resale proceeds not returned or poorly reported     | Require itemised value recovery reporting

Section 1 – Vendor Credentials and Compliance

This section establishes whether the vendor is operating within a recognised, audited framework. Certifications are not marketing badges. They represent third-party verification of processes that directly affect your compliance posture.

Key Questions on Certifications, Licences, and Local Regulatory Alignment

Use the Yes / Partial / No column to score each response during proposal evaluation.

  • Does the vendor hold a current ISO/IEC 27001 certification and can they provide a copy, including the name of the accredited certification body?
  • Does the vendor hold R2v3 certification and can the certificate number be verified against the SERI certified facility directory?
  • Does the vendor hold e-Stewards certification, which restricts the export of hazardous e-waste to developing countries?
  • Are the vendor's certifications issued by a body accredited by the South African Bureau of Standards (SABS) or a recognised international accreditation body?
  • Does the vendor hold a valid waste management licence under NEMWA (Act 59 of 2008) for the categories of e-waste they will handle?
  • Is the vendor a registered member of the e-Waste Association of South Africa (eWASA) or registered with an approved Producer Responsibility Organisation (PRO)?
  • How long has the vendor operated in the South African ITAD market, and can they provide local client references?

Note: ISO 27001 certifies a vendor's information security management system. It does not certify specific data destruction techniques. Always require it alongside a technical standard such as NIST SP 800-88.

Section 2 – Data Security and Sanitisation Standards

Data destruction is the highest-risk element of any ITAD engagement. The method used must match the media type, and every destruction event must be documented at the individual asset level. Privacy law guidance from the IAPP confirms that organisations remain accountable for data destruction even after outsourcing the task.

What to Ask About Data Destruction Methods and POPIA Accountability

  • Does the vendor follow NIST SP 800-88 Rev 1 as their primary sanitisation standard, and do they apply the correct method (Clear, Purge, or Destroy) per media type?
  • How does the vendor handle SSDs and NVMe drives, given that multi-pass overwrite methods are not effective on flash storage?
  • Will the vendor provide a Certificate of Data Destruction that references the individual serial number of each asset, the sanitisation method applied, the technician responsible, and the date of destruction?
  • Will the vendor sign a POPIA-compliant operator agreement (in line with Sections 20 to 22 of POPIA) before taking physical custody of any asset?
  • Does the vendor carry professional indemnity or cyber liability insurance that covers data breach resulting from improper sanitisation?
  • Is data sanitisation performed on-site at your premises, off-site at the vendor's facility, or both? What security controls apply during transit?
  • Does the vendor use audited, software-based wiping tools or certified degaussers, and can they supply tool reports as supporting evidence?

Our corporate IT asset disposal service is built around documented data destruction processes with full certificate issuance. If you are evaluating providers, this is the standard to benchmark against.

Section 3 – Chain of Custody and Audit Trail Requirements

An unbroken chain of custody is your evidence that each asset was handled correctly from the moment it left your premises. Without it, you cannot demonstrate due diligence to an auditor, insurer, or regulator.

Minimum Documentation You Should Expect From Any ITAD Vendor

  • Does the vendor produce an itemised asset manifest at the point of collection, listing serial numbers, asset types, and condition?
  • Are assets tracked individually from collection through processing to final disposition (destruction, resale, or recycling)?
  • Does the vendor provide a final disposition report that maps each asset to its outcome?
  • Are collection vehicles GPS-tracked, and is the vehicle manifest signed by both the vendor representative and your nominated staff member?
  • Can the vendor provide audit logs on request, including technician IDs and timestamps for each processing step?
  • How long does the vendor retain chain-of-custody records, and in what format are they stored?

For public-sector organisations, audit trail documentation is also relevant to PFMA (Public Finance Management Act) and National Treasury SCM regulations, which require verifiable records of asset disposal decisions and proceeds.

Section 4 – Environmental and E-Waste Compliance

South Africa has a formal legislative framework for e-waste disposal. Organisations that generate e-waste, including decommissioned IT equipment, carry responsibility for ensuring it is handled by compliant downstream partners.

South Africa-Specific Waste Legislation and Producer Responsibility Obligations

The National Environmental Management: Waste Act (NEMWA, Act 59 of 2008) and the Extended Producer Responsibility regulations (GN R1184 of November 2020) are the primary instruments. Non-compliant disposal can expose your organisation to liability under NEMWA, independent of the vendor's own obligations.

  • Does the vendor hold a current waste management licence under NEMWA for the categories of electrical and electronic equipment they handle?
  • Is the vendor registered with a DFFE-approved Producer Responsibility Organisation (PRO) for e-waste, and can they provide proof of current registration?
  • Does the vendor have documented downstream controls to ensure that assets do not enter the informal e-waste economy?
  • Can the vendor provide recycling certificates or downstream vendor manifests for materials that cannot be resold?
  • Does the vendor prohibit the export of hazardous e-waste components to countries that lack equivalent environmental controls?
  • Does the vendor's environmental policy align with the goals of South Africa's National Waste Management Strategy?

South Africa has a significant informal e-waste recycling sector. A credible ITAD vendor must demonstrate that no assets exit the formal chain into informal channels, as this creates both a data security risk and a NEMWA compliance exposure for your organisation.

Section 5 – Commercial Terms, Reporting, and Value Recovery

ITAD is not purely a cost. Many decommissioned assets retain resale value, and a well-structured commercial agreement ensures your organisation benefits from this. Value recovery should be a scored element in your RFP, not an afterthought.

  • Does the vendor offer a value recovery or remarketing service, and how are resale proceeds calculated and reported to your organisation?
  • Is pricing quoted on a per-asset, per-kilogram, or per-project basis, and are transport and logistics costs included or itemised separately?
  • Are all commercial terms quoted in South African rand, and is pricing fixed or subject to currency or commodity adjustments?
  • What is the vendor's turnaround time from collection to final disposition report, and how is this affected by load shedding or other operational disruptions?
  • Does the vendor provide regular reporting (monthly or quarterly) on asset volumes, value recovered, and environmental metrics for ESG reporting purposes?
  • What are the contractual consequences if the vendor fails to meet agreed SLAs, data destruction timelines, or reporting requirements?

If you are looking to understand the broader range of professional IT services available to corporate clients in South Africa, our services page covers the full scope.

Red Flags to Watch for in ITAD Vendor Responses

A vendor's response to your RFP reveals as much as the credentials they submit. Watch for the following warning signs.

  • The vendor cannot provide a current, verifiable certificate that names the accreditation body.
  • Data destruction is described in general terms only, with no reference to NIST SP 800-88 or equivalent per-media-type methodology.
  • Certificates of Data Destruction are offered as batch documents rather than per-asset records with individual serial numbers.
  • The vendor is unwilling to sign a POPIA-compliant operator agreement before collection.
  • No waste management licence or EPR registration can be produced on request.
  • Value recovery proceeds are described vaguely, with no transparent calculation or reporting commitment.

How to Score and Compare Vendor Proposals

Use a simple scoring matrix to make your evaluation defensible. Assign each RFP section a weighting that reflects your organisation's priorities, and score each vendor response as Yes (full marks), Partial (half marks), or No (zero).

RFP Section                           | Suggested Weighting | Scoring
--------------------------------------|---------------------|-------------------------------
Vendor Credentials and Compliance     | 25%                 | Yes / Partial / No per question
Data Security and Sanitisation        | 30%                 | Yes / Partial / No per question
Chain of Custody and Audit Trail      | 20%                 | Yes / Partial / No per question
Environmental and E-Waste Compliance  | 15%                 | Yes / Partial / No per question
Commercial Terms and Value Recovery   | 10%                 | Yes / Partial / No per question

Weightings should be adjusted based on your sector. A financial services organisation may weight data security higher. A listed company with ESG reporting obligations may weight environmental compliance more heavily. Public-sector entities should apply PFMA-aligned criteria to the commercial terms section.
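The weighted matrix above, worked through in code as an added example (not part of the original checklist). It uses the article's suggested section weightings and Yes / Partial / No marks; the vendor names, their answers, and the positions chosen as knockout questions (a missing certification or a refused POPIA operator agreement) are constructed for illustration.

```python
"""Weighted scoring matrix for ITAD RFP responses (added example)."""

# Suggested weightings from the checklist; they must total 100.
DEFAULT_WEIGHTS = {
    "Vendor Credentials and Compliance": 25,
    "Data Security and Sanitisation": 30,
    "Chain of Custody and Audit Trail": 20,
    "Environmental and E-Waste Compliance": 15,
    "Commercial Terms and Value Recovery": 10,
}

# Yes = full marks, Partial = half marks, No = zero.
MARKS = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}

# Knockout questions as (section, question index). Anything but "Yes" ends the
# evaluation, mirroring the checklist's "non-negotiable" items. The positions
# below are assumed for this example (question 0 = current certification,
# question 3 = signed POPIA operator agreement).
MANDATORY = {("Vendor Credentials and Compliance", 0),
             ("Data Security and Sanitisation", 3)}


def section_score(answers):
    """Fraction of available marks earned in one section (0.0 to 1.0)."""
    if not answers:
        raise ValueError("section has no scored questions")
    return sum(MARKS[a] for a in answers) / len(answers)


def weighted_score(responses, weights=DEFAULT_WEIGHTS):
    """Overall score out of 100; responses maps section -> list of answers."""
    if sum(weights.values()) != 100:
        raise ValueError("weightings must total 100%")
    missing = sorted(set(weights) - set(responses))
    if missing:
        raise ValueError(f"no responses recorded for {missing}")
    return sum(section_score(responses[s]) * w for s, w in weights.items())


def failed_knockouts(responses, mandatory=MANDATORY):
    """Mandatory questions not answered 'Yes'; an empty list means eligible."""
    return [(s, i) for s, i in sorted(mandatory) if responses[s][i] != "Yes"]


def rank_vendors(all_responses, weights=DEFAULT_WEIGHTS, mandatory=MANDATORY):
    """Return (ranked [(vendor, score)], {disqualified vendor: failed items})."""
    ranked, excluded = [], {}
    for vendor, responses in all_responses.items():
        failed = failed_knockouts(responses, mandatory)
        if failed:
            excluded[vendor] = failed
        else:
            ranked.append((vendor, weighted_score(responses, weights)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, excluded


def responses(*answers):
    """Build a responses dict from five answer lists in DEFAULT_WEIGHTS order."""
    return dict(zip(DEFAULT_WEIGHTS, answers))


# Constructed responses for three hypothetical vendors (4/4/2/2/2 questions).
SAMPLE = {
    "Vendor A": responses(["Yes"] * 4, ["Yes", "Partial", "Yes", "Yes"],
                          ["Yes"] * 2, ["Yes", "Partial"], ["Partial"] * 2),
    "Vendor B": responses(["Yes", "Partial", "Yes", "Yes"],
                          ["Partial", "No", "Partial", "Yes"],
                          ["Partial", "Yes"], ["Yes"] * 2, ["Yes"] * 2),
    "Vendor C": responses(["Yes"] * 4, ["Yes", "Yes", "Yes", "No"],
                          ["Yes"] * 2, ["Yes"] * 2, ["Yes"] * 2),
}
```

Vendor C scores highest on paper but is excluded for refusing the operator agreement, which is the outcome the matrix should produce; swapping in a different weights dict shows how sector priorities reorder the remaining vendors.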

Common Mistakes When Evaluating ITAD Vendors

  • Selecting a vendor based on price alone, without verifying certifications or compliance posture.
  • Accepting a Certificate of Data Destruction that lists batch asset counts rather than individual serial numbers.
  • Failing to execute a POPIA operator agreement before the vendor takes physical possession of any hardware.
  • Not verifying that the vendor's certifications are current and issued by an accredited body.
  • Overlooking downstream accountability, assuming the vendor's own recyclers are compliant without requiring evidence.
  • Omitting SLA provisions for operational disruptions such as load shedding, which can affect collection and processing timelines.

If You Are New to ITAD Procurement

  • Start with the vendor credentials section. If a vendor cannot produce current, verifiable certifications, the evaluation stops there.
  • Read the POPIA operator agreement requirement carefully. Your legal or compliance team should review any agreement before signing.
  • Ask for a sample Certificate of Data Destruction from the vendor before submitting your RFP. The format tells you a lot about their process maturity.
  • Use the scoring matrix from the outset. It makes shortlisting easier and documents your decision for internal audit purposes.
  • Speak to our team if you are unsure where to begin. You can contact us here for guidance on corporate IT asset disposal in South Africa.

If You Have Run an ITAD RFP Before

  • Review whether your previous RFP included POPIA operator agreement requirements. Many older ITAD contracts predate full POPIA commencement and need updating.
  • Check whether your current vendor's R2 or e-Stewards certification has been renewed. Certifications expire and renewal audits can reveal changes in facility practices.
  • Add downstream accountability questions if your previous RFP focused only on the primary vendor. Subcontractor controls are a common gap.
  • Revisit your value recovery reporting requirements. If you are not receiving itemised per-asset resale data, you may be leaving money and audit evidence on the table.
  • Consider whether your ESG reporting now requires more granular environmental metrics from your ITAD vendor than your previous contract required.

Frequently asked questions

What certifications should I require from an ITAD vendor in South Africa?

At minimum, require ISO 27001 (information security management), R2v3 or e-Stewards (environmental and data security), and a valid NEMWA waste management licence. ISO 27001 alone is insufficient for ITAD purposes. Verify all certificates directly with the issuing accreditation body.

Does POPIA apply to decommissioned IT hardware?

Yes. If decommissioned hardware contains or previously contained personal information, POPIA obligations apply. Your ITAD vendor acts as an operator under POPIA. A written operator agreement must be in place before the vendor takes custody of any asset. The Information Regulator of South Africa is the enforcement authority.

What is the difference between R2v3 and e-Stewards certification?

Both are internationally recognised ITAD certifications requiring third-party audits. e-Stewards places stricter restrictions on the export of hazardous e-waste to developing nations, which is particularly relevant for South African organisations concerned about regional e-waste flows. R2v3 is more widely held globally. Requiring either or preferably both is a reasonable RFP position.

What must a Certificate of Data Destruction include?

A compliant certificate should reference the individual serial number of each asset, the sanitisation method applied (referenced to NIST SP 800-88 or equivalent), the name and credentials of the technician, the date of destruction, and the vendor's authorised signature. Batch certificates that list only asset counts are not adequate for POPIA or audit purposes.
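An added example (not the article's or any vendor's code) that checks a Certificate of Data Destruction against the contents required here and in Section 2: per-asset serial numbers rather than batch counts, a NIST SP 800-88 method category, technician, date and authorised signature, plus the Section 2 caveat that overwrite is not an effective method on SSD or NVMe media. The certificate layout (a dict with one record per asset) and all sample data are constructed; a real vendor export would have to be mapped onto these field names.

```python
"""Checks a Certificate of Data Destruction (CoDD) against the checklist's
minimum contents. Added example with a constructed certificate layout."""

NIST_METHODS = {"Clear", "Purge", "Destroy"}   # NIST SP 800-88 categories
FLASH_MEDIA = {"SSD", "NVMe"}                  # overwrite is ineffective here
REQUIRED = ("serial_number", "media_type", "method", "technique",
            "technician", "destroyed_on")


def check_asset(asset):
    """Findings for one asset record; an empty list means it is acceptable."""
    findings = [f"missing {f}" for f in REQUIRED if not asset.get(f)]
    if findings:
        return findings
    if asset["method"] not in NIST_METHODS:
        findings.append(f"method {asset['method']!r} is not a NIST SP 800-88 category")
    if asset["media_type"] in FLASH_MEDIA and "overwrite" in asset["technique"].lower():
        findings.append("overwrite claimed on flash media; require Purge or Destroy evidence")
    return findings


def check_certificate(cert):
    """Findings for a whole certificate, keyed by serial number or 'certificate'."""
    findings = {}
    assets = cert.get("assets") or []
    if not assets:  # the batch-document red flag: counts only, no serial numbers
        return {"certificate": ["no per-asset records; batch counts are not adequate"]}
    if not cert.get("authorised_signatory"):
        findings["certificate"] = ["missing vendor's authorised signature"]
    seen = set()
    for i, asset in enumerate(assets):
        serial = asset.get("serial_number") or f"record {i}"
        asset_findings = check_asset(asset)
        if serial in seen:
            asset_findings.append("duplicate serial number")
        seen.add(serial)
        if asset_findings:
            findings[serial] = asset_findings
    return findings


# Constructed sample: one clean record, one overwrite on an SSD, one missing technician.
SAMPLE_CERT = {
    "vendor": "Example ITAD (Pty) Ltd", "certificate_id": "CODD-EXAMPLE-001",
    "authorised_signatory": "Operations Director", "asset_count": 3,
    "assets": [
        {"serial_number": "HDD-0001", "media_type": "HDD", "method": "Purge",
         "technique": "degauss", "technician": "T-17", "destroyed_on": "2024-03-05"},
        {"serial_number": "SSD-0002", "media_type": "SSD", "method": "Clear",
         "technique": "3-pass overwrite", "technician": "T-17", "destroyed_on": "2024-03-05"},
        {"serial_number": "NVME-0003", "media_type": "NVMe", "method": "Destroy",
         "technique": "shred", "technician": "", "destroyed_on": "2024-03-05"},
    ],
}
# Constructed batch-style certificate: an asset count but no per-asset records.
BATCH_CERT = {"vendor": "Example ITAD (Pty) Ltd", "asset_count": 40,
              "authorised_signatory": "Operations Director"}
```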

Can my organisation be held liable if the ITAD vendor disposes of e-waste illegally?

Yes. Under NEMWA, the liability for improper disposal does not sit solely with the vendor. If your organisation generated the e-waste and engaged a non-compliant handler, you may share regulatory exposure. This is why the checklist requires vendors to produce waste management licences and EPR registration documentation before engagement. Our corporate IT asset disposal service operates within the full South African regulatory framework.

Summary

  • Use this five-section checklist to evaluate ITAD vendors across credentials, data security, chain of custody, environmental compliance, and commercial terms.
  • POPIA operator agreements and NIST SP 800-88-aligned Certificates of Data Destruction are non-negotiable requirements for South African organisations.
  • ISO 27001 is a useful credential but must be accompanied by R2v3 or e-Stewards certification for ITAD engagements.
  • Environmental liability under NEMWA can attach to your organisation if your vendor is non-compliant. Require waste licences and EPR registration as part of the RFP.
  • Score vendor proposals using a weighted matrix to produce a defensible, auditable procurement decision. If you need support with corporate asset disposal, contact our team for a no-obligation discussion.

This is educational content, not financial advice.

Dr Jan van Niekerk, Chief Executive Officer
I'm a seasoned executive leader with a deep background in Data Science and AI, and a passion for all things blockchain and crypto. I proudly hold 5 degrees to my name (Ph.D. in Computer Science (AI) and an Executive MBA) which I leverage to do things differently. I have been involved in the crypto-mining space for 15+ years, where at one point, I owned the largest individually owned crypto mining operation in Africa (bragging point). I have turned the mining operation into a commercial engine where my team and I now help people and businesses in the crypto mining space (offering a full value chain service).