Data Security

Data Security and Chain of Custody

Every device IT Revalue processes goes through certified data sanitization before it is remarketed or recycled. This is not a factory reset. It is a documented, standards-aligned process that produces an auditable record your organization can retain for compliance.

Data security obligations don't end when a device leaves your facility. They end when you have documented proof that the data on it is unrecoverable. IT Revalue's process produces that proof for every device, individually, as part of every engagement. IT Revalue is the ITAD brand of PN California, which has provided certified equipment buyback and disposition services since 2001.

01

Why a Factory Reset Is Not Enough

A factory reset restores a device to default settings. It doesn't guarantee data is unrecoverable, and it doesn't remove cloud account locks. Devices with incomplete sanitization can expose personal information. Account locks prevent remarketing entirely. Neither outcome works for organizations with data compliance obligations.

NIST SP 800-88 defines sanitization as rendering data access infeasible through verified overwriting or physical destruction. A factory reset doesn't meet that standard. Forensic recovery tools can retrieve data from factory-reset devices, particularly on solid-state drives where overwriting behavior depends on firmware. NIST SP 800-88 requires verified logical sanitization for any device cleared for reuse.

02

Specialized Device Auditing Software

IT Revalue uses specialized device auditing software that wipes each device and archives an erasure record in a secure database at time of processing. Every unit gets a verifiable, timestamped record, not a batch-level summary.

The erasure record includes the device serial number, the sanitization method applied, the processing date and time, and a pass/fail verification result. That per-device record is what populates the certificate of data destruction. Because records are generated automatically at time of sanitization rather than manually logged after the fact, the audit trail can't be retroactively altered or reconstructed.

03

NIST SP 800-88 Compliance

NIST SP 800-88 (Guidelines for Media Sanitization) is the federal standard governing data sanitization for IT equipment. It defines three categories: Clear, Purge, and Destroy. IT Revalue's logical sanitization process aligns with the Purge standard, rendering data recovery infeasible even with laboratory-grade forensic tools.

Purge applies to devices being remarketed or reused outside the originating organization. It requires overwriting at a level that defeats forensic recovery, not just user-level data removal. Physical drives that can't be sanitized to this standard due to damage or drive type are routed to certified physical destruction.

04

NIST SP 800-88

NIST SP 800-88 governs logical data sanitization for electronics cleared for reuse. Compliance requires verified overwriting, documented processes, and third-party audit oversight. The PN California operation behind IT Revalue meets these requirements.

NIST SP 800-88 establishes sanitization as a condition of remarketing eligibility, not a post-processing option. Any device that doesn't meet these requirements cannot be cleared for reuse. For organizations whose compliance requirements specifically reference media sanitization standards, that distinction matters.

05

Certificates of Data Destruction

Certificates of data destruction are available on request for every engagement. Each certificate documents which devices were sanitized, the method applied, the processing date, and the erasure record reference.

For organizations subject to HIPAA, GLBA, FERPA, or similar regulations, the certificate is the third-party verification needed to close out disposition in internal records and respond to audits. Certificates reference individual device serial numbers, not lot-level summaries.

06

Chain-of-Custody Documentation

Chain of custody starts when equipment is collected and continues through intake, evaluation, sanitization, and final disposition. Every device is tracked individually. The record runs from collection through final outcome, whether that is remarketing or certified recycling.

The chain-of-custody record documents who collected the equipment, when, from which location, what each device evaluated to, how it was sanitized, and where it ultimately went. For organizations that need to demonstrate responsible disposition to regulators, clients, or internal audit functions, this is the documentation trail a general recycler cannot produce.

Request a Buyback Quote

Get documented, standards-aligned data destruction with every engagement. Submit your equipment list for a no-obligation buyback offer.