What certifications should I look for in a data destruction vendor?

Look for NAID AAA certification for data destruction—this is the highest level of certification requiring annual unannounced audits, employee background checks, and documented security protocols. For environmental compliance, look for R2 certification. STS maintains both NAID AAA and R2 certifications, providing third-party verification of both data security and responsible recycling practices.

What documentation should I receive after data destruction?

You should receive: certificates of destruction with serial numbers for all data-bearing devices, destruction method documentation (meeting NIST 800-88 guidelines), date and time of destruction, chain of custody records, and the vendor's certification credentials. This documentation package supports audit requirements for HIPAA, PCI DSS, SOX, GLBA, and other regulations.

How long should we retain destruction certificates?

Retention requirements vary by regulation: HIPAA requires 6 years, PCI DSS requires at least 1 year, SOX requires 7 years. Best practice is to retain destruction certificates for at least 7 years or indefinitely. STS provides both physical and digital copies for easy long-term storage and retrieval during audits.

What's the difference between NAID AAA and NAID A certification?

NAID AAA certification requires annual unannounced audits—auditors can arrive at any time to verify compliance. NAID A certification only requires scheduled audits where the vendor knows when auditors will arrive. AAA certification provides stronger assurance because vendors must maintain compliance continuously, not just during scheduled audit windows.

Do you provide a Business Associate Agreement for HIPAA?

Yes, STS executes Business Associate Agreements with healthcare organizations and any entity handling PHI. The BAA documents our responsibilities for handling and destroying protected health information, our security protocols, and breach notification procedures. We provide BAAs before handling any equipment that may contain patient data.

Can destruction be witnessed for audit purposes?

Yes, STS offers on-site destruction where mobile shredding equipment comes to your facility. You or your audit team can witness the physical destruction of hard drives. This provides documented proof that data was destroyed before equipment left your premises—ideal for organizations with strict security policies.

What vendor due diligence materials do you provide?

STS provides a complete vendor due diligence package including: NAID AAA certification credentials, R2 certification credentials, certificate of insurance, company background and history, security protocols documentation, employee background check policies, and sample certificates of destruction. Contact us to request your due diligence package.

How does physical destruction compare to software wiping?

Physical destruction provides absolute certainty that data cannot be recovered—the storage media is reduced to fragments. Software wiping can leave forensic traces that advanced techniques might recover. For compliance purposes, physical destruction is the gold standard and eliminates any risk of data recovery. Most regulations accept physical destruction as meeting disposal requirements.

Are you a compliance officer researching data destruction vendors?

STS Electronic Recycling provides NAID AAA certified data destruction with complete audit documentation. We offer vendor due diligence packages, certificates of destruction with serial number tracking, chain of custody documentation, and on-site destruction options. Contact us to discuss your compliance requirements and request our vendor qualification materials.

Compliance Officer Data Destruction Guide | Vendor Due Diligence | STS

Compliance Officer Data Destruction Guide

Q: How do I verify a vendor's NAID AAA certification?

NAID AAA certification can be verified directly through i-SIGMA (formerly NAID) at isigmaonline.org. Enter the vendor name to confirm current certification status. Certification can be suspended if a vendor fails an audit, so verification should be part of your ongoing vendor management process, not just initial qualification.

Evaluating data destruction vendors? STS provides NAID AAA certified destruction with complete audit documentation. Certificates of destruction, chain of custody records, and vendor credentials for your compliance files.

✓NAID AAA Certified (Verifiable)

✓Complete Audit Documentation

✓Vendor Due Diligence Package

Compliance Officers & Risk Managers

(800) 767-8798 Call Now Got Questions? Email Us

Free Quote Now!

Vendor Qualification

Data Destruction Vendor Due Diligence

What compliance officers should verify before selecting a data destruction vendor.

NAID AAA Certification

The highest level of data destruction certification. Requires annual unannounced audits, employee background checks, and documented security protocols.

Verify at: isigmaonline.org

R2 Certification

Responsible Recycling certification ensures environmental compliance. Required for organizations with sustainability requirements or EPA oversight.

Verify at: sustainableelectronics.org

Insurance & Bonding

Verify adequate liability insurance and bonding. Protects your organization if a breach occurs due to vendor negligence.

Request: Certificate of Insurance

Certification Levels

NAID AAA vs. NAID A: What's the Difference?

Not all NAID certifications are equal. Understanding the difference is critical for vendor selection and audit defensibility.

NAID AAA

✓ Unannounced audits
✓ Year-round compliance
✓ Highest assurance level

NAID A

○ Scheduled audits only
○ Advance notice given
○ Lower assurance level

STS maintains NAID AAA certification—the highest level with unannounced audits.

NAID AAA certification verification for compliance officer vendor due diligence

Audit Documentation

What Documentation Should You Receive?

Complete documentation is essential for audit defensibility. Here's what STS provides.

Certificate of Destruction

Serial numbers, destruction method, date, vendor credentials

Chain of Custody

Pickup through destruction with signatures and timestamps

Asset Inventory

Complete device listing with make, model, serial number

Vendor Credentials

NAID AAA, R2 certifications, insurance documentation

Multi-Regulation Compliant

ONE VENDOR. ALL REGULATIONS.

STS destruction documentation meets requirements across all major regulatory frameworks.

HIPAA

Healthcare

PCI DSS

Payment Card

GLBA

Financial

SOX

Public Companies

Data destruction documentation retention requirements for compliance audits

How Long to Retain Destruction Records?

Different regulations have different retention requirements. Here's what compliance officers need to know.

HIPAA6 years
PCI DSS1+ year
SOX7 years
GLBAVaries
Best Practice7+ years or indefinitely

STS provides both physical and digital copies of all destruction documentation for easy long-term storage and retrieval.

Common Questions

Compliance Officer FAQ

Answers to common vendor qualification questions

How do I verify NAID certification?

Visit isigmaonline.org and search for the vendor name. This confirms current certification status. Certification can be suspended—verify as part of ongoing vendor management, not just initial qualification.

Can destruction be witnessed?

Yes, STS offers on-site destruction. Mobile shredding equipment comes to your facility, allowing you or your audit team to witness physical destruction of hard drives on-site.

Do you provide a BAA for HIPAA?

Yes, STS executes Business Associate Agreements with healthcare organizations. The BAA documents our responsibilities for PHI handling, security protocols, and breach notification.

What due diligence materials can I get?

STS provides a complete vendor qualification package: NAID AAA and R2 credentials, certificate of insurance, security protocols, background check policies, and sample destruction certificates.

Compliance Officer? Request Our Vendor Package.

STS Electronic Recycling provides NAID AAA certified data destruction with complete audit documentation. Request our vendor due diligence package to support your qualification process.

Request Vendor Package Call (800) 767-8798

NAID AAA Certified

Verifiable at isigmaonline.org

Complete Documentation

Audit-ready records

Multi-Regulation

HIPAA, PCI, SOX, GLBA