ITAD vendor due-diligence checklist.
A 25-question due-diligence questionnaire to vet any prospective ITAD vendor for your Canada enterprise. Covers insurance, destruction methodology, evidence pack, references, audit rights, sub-contractor structure, retention. Use it on us, use it on our competitors — same questions either way.
5 questions — coverage and limits
- ♦ 1. What transit-insurance cover do you carry per load? Provide certificate.
- ♦ 2. What professional-indemnity / errors-and-omissions cover do you carry, and what's the aggregate limit?
- ♦ 3. What public-liability cover do you carry?
- ♦ 4. Are sub-contractors covered under your insurance, or do they carry separate cover?
- ♦ 5. What's the per-incident liability cap in your standard contract terms?
5 questions — what gets destroyed how
- ♦ 6. What standards do you cite on the Certificate of Destruction? (Look for NIST SP 800-88 Rev. 1 + IEEE 2883-2022 explicitly.)
- ♦ 7. What method do you apply to SSDs / NVMe drives by default? (Should be NIST 800-88 Purge via cryptographic erase, not single-pass overwrite.)
- ♦ 8. How do you handle backup tape? (Should be Destroy via degauss-then-shred for high-classification.)
- ♦ 9. Do you support on-site destruction at customer premises? Two formats — mobile shred and witnessed-wipe?
- ♦ 10. Is two-operator + witness sign-off standard or extra-charge? (Should be standard.)
5 questions — what documentation you receive
- ♦ 11. What's in the per-job Certificate of Destruction? Show a sanitised sample with realistic format.
- ♦ 12. Per-asset wipe-log or shred-batch-ID — captured live or reconstructed?
- ♦ 13. Locked-transit log with GPS evidence — provided as standard?
- ♦ 14. Downstream-recipient log — where does any residual material go, and is the recipient named?
- ♦ 15. What format is the evidence pack delivered in? (PDF + PDF/A archival both delivered?)
5 questions — what claims, what evidence
- ♦ 16. List facility certifications you hold today, with issuer + certificate number + expiry date for each. (If a vendor can't list these on a single page, the credentials probably aren't current.)
- ♦ 17. PIPEDA Schedule 1, Principle 4.7 (Safeguards) alignment — describe in 50 words how your destruction documentation supports a customer's Section 24 evidence file.
- ♦ 18. OSFI B-13-aware citation — included on the Certificate by default for FI customers? (Should be yes for any vendor serving banks.)
- ♦ 19. Where does residual material go? Name the downstream party.
- ♦ 20. What credentials do you NOT yet hold but plan to acquire? (An honest answer is a positive signal — every legitimate vendor has a forward-credential roadmap.)
3 questions — who else has used this vendor
- ♦ 21. Provide 3 references at SG-based enterprise customers — comparable scope to ours — willing to take a 15-minute reference call.
- ♦ 22. How long has the vendor entity been operating in Canada? Provide registered company name, CRA Business Number, year established.
- ♦ 23. List any enforcement, regulatory, or material customer complaints in the last 5 years. (An honest 'no' is the expected answer; a vendor unwilling to commit to this is a red flag.)
2 questions — what you keep on file
- ♦ 24. What audit rights does your standard contract provide? (Customer + customer's regulator, on reasonable notice, at customer's cost.)
- ♦ 25. How long do you retain your counter-signed copy of the Certificate? (Should match or exceed the customer's data-retention period — typically 5-7 years minimum.)
Apply it consistently across all candidate vendors.
Send the same 25 questions to all candidate vendors. Compare the answers side-by-side. The vendor that answers crisply, with named individuals and documented evidence, is structurally better positioned than the vendor that responds with marketing copy.
Pay particular attention to the questions about credentials they DON'T hold (Q20) and material customer complaints (Q23). Vendors willing to be honest about gaps are typically the ones whose stated credentials hold up to actual scrutiny.
Apply the checklist to Maxicom too. We answer in writing within 1 business day, no exceptions. Email purchase@maxicom.ca with the subject 'DDQ' and the checklist.
Maxicom Canada — frequently asked
Can I use this checklist on Maxicom Canada?
Yes — we encourage it. We answer in writing within 1 business day with named-individual signatures, documented evidence, and references. Send the 25 questions to purchase@maxicom.ca with subject 'DDQ' and we'll respond per question with full transparency.