ITAD vendor due diligence: a checklist for Singapore enterprise buyers.
Choosing an ITAD vendor is a security decision, not just a cost decision. You're handing that vendor your company's retired equipment — and potentially years of historical data on the storage media inside. This explainer walks through what to ask prospective vendors, why specific certification claims should be questioned, how to verify answers, and what red flags signal a risky partner.
ITAD vendor risk: what goes wrong
Bad ITAD vendor scenarios we see:
- Vendor claims 'certified destruction' but the Certificate is a template — same text for every customer, no per-device detail. Device data may not actually be destroyed.
- Vendor quotes a great price, but outsources destruction to an unlicensed sub (you're liable if the sub loses the box in transit or botches the data wipe).
- Vendor holds your equipment for 'processing' for 6+ months without issuing a Certificate. Meanwhile, the gear sits in a warehouse with zero chain-of-custody control.
- Vendor claims NIST 800-88 compliance but can't produce a documented procedure or operator training records. Compliance is lip service.
- Vendor shares buyback residual proceeds at a 'market rate,' but the rate is stale — they're quoting monthly, not daily or hourly. You leave money on the table.
Vendor due diligence is your defense against these scenarios. Spend 2–3 hours vetting the vendor upfront. You'll save headaches and risk later.
Nine questions to ask every ITAD vendor
Here are the nine non-negotiable questions to pose during vendor evaluation. Red or green flags are noted.
- 1. How long have you been in ITAD? · GREEN: 5+ years, Singapore-based, named clients (banks, data centres). RED: <2 years, startup, no client references. Experience matters.
- 2. Who are 3 current Singapore clients we can reference? · GREEN: named companies (public sector or large corporates OK), contact names + direct numbers. RED: vague ('various banks'), referral only, or reluctance to share. Will they vouch for you?
- 3. What is your destruction facility location and method? · GREEN: named address (e.g., '123 Jurong East Street, Building A'), confirmed NIST 800-88 methods, facility tour offered. RED: vague ('off-site facility'), 'we subcontract,' no tour option.
- 4. Who performs the actual destruction — your staff or a sub-vendor? · GREEN: own staff, operator names on Certificate, you can interview them. RED: 'outsourced to partner,' unclear chain of responsibility, sub-vendor is not named.
- 5. Show me a sample Certificate of Destruction from a real past project. · GREEN: per-serial detail, method per device, operator name, witness name, facility address, signatures. RED: template with blanks, batch-only (no serials), no witness, signed by company stamp only.
- 6. What insurance do you carry for loss/damage in transit? · GREEN: minimum 2–5M SGD, named policy, can provide cert. RED: 'we're careful,' no insurance, or vague 'industry standard' coverage. Loss happens; insurance is mandatory.
- 7. How do you price buyback residual value? · GREEN: hourly or daily market feeds, quote valid for 4–48 hours, transparent methodology. RED: static pricing, monthly updates, 'we'll pay fair value' (vague), no price guarantee post-quote.
- 8. What happens if a device fails post-pickup (unexpected VRAM error, etc.)? · GREEN: 'we absorb the loss up to [amount]' or 'we adjust price proportionally at pickup.' RED: 'you're liable for misrepresentation,' 'no refund,' or silent. Risk allocation is critical.
- 9. Can you sign an NDA covering disposal of our data? · GREEN: yes, counter-signed, or they have a standard template. RED: 'we don't do NDAs,' or extremely one-sided terms. Trust is earned via documented commitment.
Why certification claims need scrutiny
Claim: 'Facility-level destruction-industry credentials'
QUESTION: Ask to see current credentials from the facility (issuer, number, expiry date). If they can't produce it, verify their claim independently. Note: Singapore has few facilities holding destruction-industry certifications.
Claim: 'Information security standards certified'
QUESTION: Certified where? The facility? The parent company? Ask for the audit report (issuer, scope, expiry date). Some vendors have corporate-level security certification but the local ITAD facility isn't in scope. Red flag.
Claim: 'We follow NIST 800-88'
QUESTION: Do you have a documented procedure? Training records for operators? Ask to see the SOP (Standard Operating Procedure). If they fumble, they're following NIST in spirit, not fact.
Claim: 'Licensed waste handler'
QUESTION: What's your licence number and expiry? Verify directly with relevant authorities (NEA, if Singapore-based). Some vendors have minimal licensing (general waste collector) but market themselves as 'e-waste specialists.' Check the fine print.
ITAD vendor RFQ checklist
When you send an RFQ (Request for Quote) to prospective vendors, include these line items. Their responses reveal competence.
- Company registration: name, registration number with ACRA, facility address, years in operation.
- Insurance: policy number, coverage amount (min. 2M SGD), expiry date, copy of insurance certificate.
- Destruction method: NIST 800-88 method per device type, documented SOP, operator training records.
- Certificate of Destruction: sample from a real past project (anonymize the client name if needed), showing per-serial detail.
- References: 3 current Singapore clients with contact names and phone numbers.
- Residual-value pricing: methodology, frequency of updates, quote-validity period.
- Service Level Agreement (SLA): pickup timeline, destruction timeline, Certificate issuance timeline.
- Sub-contracting: confirm all destruction is in-house; if any sub-contracting, name the sub-vendor and confirm same standards apply.
- NDA: can you sign our NDA, or do you have a template?
- Insurance and indemnity: in case of loss/damage during transport or failed destruction, who is liable? Provide liability clause.
Green flags vs red flags in vendor responses
When you get RFQ responses back, look for these signals.
- GREEN flags: Detailed written RFQ response. Specific SLA dates (e.g., 'Certificate within 5 business days'). Named facility location. Sample Certificate with per-serial detail. Insurance certificate attached. References provided with direct phone numbers. Willing to sign your NDA.
- RED flags: One-page boilerplate response. Vague timelines ('we'll do it soon'). No named facility. Sample Certificate is a generic template. No insurance cert. References are email-only, not direct contact. Unwilling to sign NDA or demands unreasonable legal terms.
- YELLOW flags (proceed with caution): Good responses but delayed in returning RFQ (may signal disorganization). References exist but reluctant to provide direct phone (use email instead — less direct). Willing to sign NDA but demands mutual indemnity for both parties (negotiate this).
Pilot project before full commitment
After vetting, we recommend running a pilot project before signing a master contract.
Pilot scope: Send the vendor 20–50 units (spare equipment, old kit). Request the same level of documentation as you would on a full project.
Evaluate the pilot: Did they pick up on time? Was the Certificate issued promptly and in detail? Did the residual value pricing match their quoted methodology? Can you contact the facility and verify the destruction happened?
Decision gate: If the pilot is flawless, scale up to a full project. If there are issues (late Certificate, vague method, over-promised buyback), walk away and try the next vendor. A 50-unit pilot costs you S$500–1,000. A bad full 1,000-unit project costs you S$10k+ in risk, late timelines, and audit headaches.
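The per-serial Certificate check from question 5 and the pilot evaluation, as an added example (not any vendor's own tooling): it reconciles the serials you recorded at pickup against the vendor's Certificate of Destruction. The CSV export, its column names, and all sample values are assumptions constructed for illustration.

```python
import csv
import io

# Assumed column names for a Certificate exported as CSV (not a standard format).
REQUIRED = ("serial", "method", "operator", "witness", "facility_address")

def reconcile(handed_over, certificate_csv):
    """Return findings; an empty dict means every device is fully accounted for."""
    findings, seen = {}, {}
    for row in csv.DictReader(io.StringIO(certificate_csv)):
        serial = (row.get("serial") or "").strip().upper()
        if not serial:
            # Batch-only line with no serial: cannot be tied to a device.
            findings["rows_without_serial"] = findings.get("rows_without_serial", 0) + 1
            continue
        if serial in seen:
            findings.setdefault("duplicate_serials", []).append(serial)
        seen[serial] = row
        blank = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if blank:
            findings.setdefault("incomplete_rows", {})[serial] = blank
    expected = {s.strip().upper() for s in handed_over}
    missing = sorted(expected - seen.keys())
    unexpected = sorted(seen.keys() - expected)
    if missing:
        findings["not_on_certificate"] = missing    # handed over, never certified
    if unexpected:
        findings["not_in_asset_list"] = unexpected  # certified, but not your device
    return findings

# Constructed sample data: serials logged at pickup and a vendor Certificate export.
ASSETS = ["SN-A001", "SN-A002", "SN-A003", "SN-A004"]
CERT = """serial,method,operator,witness,facility_address
SN-A001,Purge,Operator 1,Witness 1,Example facility address
SN-A002,Destroy,Operator 1,,Example facility address
SN-A003,Clear,Operator 2,Witness 1,Example facility address
SN-Z999,Destroy,Operator 2,Witness 1,Example facility address
"""

if __name__ == "__main__":
    for issue, detail in reconcile(ASSETS, CERT).items():
        print(issue, detail)
```

Any non-empty result on a pilot batch is a concrete item to raise with the vendor before scaling up.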
Maxicom Singapore — frequently asked
What's a reasonable timeline to expect from an ITAD vendor? If they promise 24-hour pickup, is that realistic?
Realistic timelines: quote in 2–4 hours, pickup within 5–10 business days, Certificate within 5 business days of pickup. A vendor promising 24-hour pickup for every request is either (a) lying, (b) has massive idle capacity (inefficient), or (c) is cutting corners on quality. Reasonable vendors schedule pickups based on consolidation — batch multiple jobs to optimize logistics. Expect 5–10 days standard; request faster turnaround for genuine urgency, and expect a premium.
We're a public company and must comply with a procurement policy requiring 3 vendor quotes. How do we vet all 3 fairly?
Use the RFQ template + nine-question checklist consistently for all 3 vendors. Score responses numerically: Insurance quality (0–10 points), Certificate detail (0–10), References credibility (0–10), SLA timeline (0–10), Pricing competitiveness (0–10), red/yellow flags (-5 points each). The vendor with the highest score isn't always the cheapest — consider total risk-adjusted value. If all 3 vendors are weak (poor Certificates, no insurance), escalate to procurement: 'No vendor meets our minimum standards; recommend wider sourcing or extended timeline.'
A vendor claims to follow destruction-industry standards but has no formal credentials. Is that OK?
It's possible they're competent without formal credentials. Destruction-industry certifications require a third-party audit and are expensive; not all vendors hold them. A credentialed vendor may be competent, and an un-credentialed vendor may also be competent — credentials alone don't guarantee quality. Instead, ask for their documented Standard Operating Procedure (SOP) and operator training records. If those are solid and references check out, you can work with them. To your auditors, call them 'NIST 800-88 aligned' based on their documented methods, not on credentials.