Certified & Irreversible Data Destruction

Certified Data Destruction for UK Businesses

Controller-level secure erase (Purge), logical sanitisation (Clear), or certified physical destruction (Destroy) for enterprise IT assets, aligned with NIST SP 800-88 Rev.2 and NCSC guidance.

Per Chain-Of-Custody ID, 5% of sanitised data-bearing devices are sampled for forensic recovery attempts using professional tooling. Any failure triggers immediate containment and remediation.

Last reviewed: 11 July 2026

Industrial HDD shredding compliant with DIN 66399 H-5 standards
What Enterprise Teams Get

Reliability and Compliance You Can Hold Us To

No marketing fog. Here is exactly what happens to your data-bearing media and the evidence you receive.

1. We show up on schedule

Booked collection slots and a named point of contact. On-site or off-site destruction planned around your access windows — no drives left in limbo.

2. Certified enterprise destruction

Every device is processed to NIST SP 800-88 Rev.2 or physically destroyed, aligned with GDPR and current NCSC secure sanitisation guidance. One Certificate of Destruction (CoD) per Chain-Of-Custody order, with all devices and methods, plus full chain-of-custody traceability.

3. We pay for residual value

Drives and devices that pass verification and retain resale value can be recovered, with a transparent value share back to you. See asset recovery & buyback.

UK chain of custody. No offshore brokering.

Every device is logged by serial number, transported under chain of custody by our Environment Agency registered carrier, and processed at our licensed UK facility in Mitcham — never sold on to an untracked offshore broker. Any device that fails sanitisation or verification is diverted to controlled physical destruction. For the full enterprise workflow, see what actually happens to your servers.

Certifications & Compliance

Compliance You Can Verify

We lead with paperwork, not promises. Every registration below is independently checkable, and every project is delivered against recognised UK standards.

CredentialReferenceIssued / recognised byWhat it proves
Waste Carrier RegistrationCBDU351026Environment AgencyLegal authority to transport and carry controlled waste and end-of-life IT across the UK.
WEEE Treatment Exemption (T11)EXP/UP3043JDEnvironment AgencyAuthorised to treat waste electrical and electronic equipment for reuse and recycling.
ICO Data Protection RegistrationZB787416Information Commissioner's OfficeRegistered to process personal data in line with UK GDPR and the Data Protection Act 2018.
Cyber EssentialsCertifiedIASME (NCSC scheme)Independently verified baseline cyber-security controls protecting your data while in our custody.
ADR 1.3 Dangerous Goods Awareness (Driver Training)CertifiedEcoStar (Dangerous Goods Training Online)Collection drivers are trained to handle and transport equipment containing lithium batteries (UN3481, Class 9) in line with ADR dangerous goods rules.

Standards we work to

  • NIST SP 800-88 Rev.2Media sanitisation standard governing secure erase and physical destruction.
  • NCSC Secure Sanitisation GuidanceCurrent UK government guidance on secure sanitisation and disposal of storage media (replaces the withdrawn HMG IA Standard 5).
  • UK GDPR & Data Protection Act 2018Legal basis for evidenced, auditable destruction of personal data.
  • WEEE RegulationsEnvironmental compliance for waste electrical and electronic equipment.

Need our paperwork for an RFP or audit?

We can supply our registrations, insurance certificates, and sample destruction outputs as part of your supplier due diligence.

Why It Matters

The Risk of Retired Hardware

Residual Data Remains

Deleting or formatting isn’t enough—data can often be recovered using simple tools.

Costly Data Breaches

UK businesses lose on average £3M+ per breach from compromised end-of-life devices.

Compliance Obligations

GDPR and sector-specific regulations demand verifiable, certified data destruction.

Methods, Sampling, and Certification Details

We classify each asset by device type, apply the correct erasure tier, verify outcomes through forensic sampling, and issue one Certificate of Destruction (CoD) per Chain-Of-Custody order.

  • 1

    Erasure Tiers

    Tier 1: On-device verified sanitisation
    Tier 2: Controlled lab sanitisation
    Tier 3: High-assurance specialist sanitisation

  • 2

    Sampling and Verification

    Select 5% of sanitised devices per Chain-Of-Custody ID.
    Attempt data recovery using professional tooling.
    Record assessment outcomes for audit evidence.

  • 3

    Certification

    After processing and verification, we issue One Certificate of Destruction (CoD) per Chain-Of-Custody order.
    Your CoD includes all devices, serial numbers, and applied methods in a single audit-ready document.

Devices proceeding to reuse also receive full IP removal. When a sanitised asset is destined for refurbishment, resale, or donation, we apply an additional de-branding workflow: asset labels and physical branding are removed, the OS is factory-reset, cloud and MDM accounts are unlinked, and BIOS credentials are cleared — ensuring no customer identity or configuration leaves our facility on a recovered device.
Sample Certificate of Destruction (CoD)
UK Environment Agency Licensed
Carrier Licence: CBDU351026 T11 Exemption: EXP/UP3043JD

Our Verifiable Destruction Workflow

Every asset follows a capability-led process aligned with NIST SP 800-88 Rev.2, from intake to final certification.

1. Intake

Assets recorded for serial-level traceability.

2. Check

Firmware & FTL analysis determines sanitisation method.

3. Action

NIST SP 800-88 Rev.2 compliant erasure or physical destruction.

4. Audit

Forensic recovery on a 5% audit sample to validate success.

5. Certify

One Certificate of Destruction (CoD) per Chain-Of-Custody order, listing all devices and methods.

Meets GDPR and ISO 27001 standards. Reports archived for our 18-year business history.

Coverage

Media We Handle

We erase or physically destroy all common forms of digital media. Nothing leaves your organisation in a recoverable state.

HDDs & SSDs

Complete erasure or shredding of all spinning and solid-state drives.

Backup Tapes

Secure destruction of legacy LTO and DAT backup media.

Optical Media

Shredding and disposal of CDs, DVDs, and Blu-ray discs.

Mobile Devices

Certified erasure or destruction of smartphones and tablets.

Compliance & Certification

Every erasure and destruction process is fully documented and issued as One Certificate of Destruction (CoD) per Chain-Of-Custody order, with secure archive retention.

  • Compliant with GDPR data protection requirements
  • Processes aligned with ISO 27001 information security standards
  • Reports suitable for submission to NHS, MOD, and financial regulatory audits
  • One Certificate of Destruction (CoD) per Chain-Of-Custody order, containing all assets and methods
  • Where supported, firmware-level sanitisation (NVMe Sanitize or ATA Secure Erase) is used as the primary method. Devices that cannot support verifiable purge-level sanitisation are physically destroyed.

SSD Sanitisation Technical Explanation (For Auditors & IT Professionals)

Flash-based solid-state drives cannot be reliably sanitised using simple overwriting. Peer-reviewed research (Wei et al., UCSD, 2011) confirms that SSDs retain digital remnants even after many overwrite passes due to controller behaviour and the internal architecture of flash memory.

Key Facts

  • The Flash Translation Layer (FTL) remaps writes, leaving stale physical pages untouched. (See digital remnant examples and test results on pages 3–4 of Wei et al.)
  • Standard overwrite techniques leave 4–75% of file data intact. (See single-file overwrite results on page 7 of Wei et al.)
  • Some SSDs retained data even after 20 overwrite passes. (See Table 2 on page 5 of Wei et al.)
  • ATA Secure Erase may be incorrectly implemented on certain drives. Some reported a “successful” erase while all data remained intact. (See command failures on pages 4–5, Drive B, in Wei et al.)
  • SSDs using compression may ignore zero/one patterns, causing overwrites to have no effect on underlying flash cells.

Required Workflow for Verifiable SSD Data Removal

To achieve a verifiable and auditor-acceptable outcome, SSD processing follows a capability-led workflow:

  • Where supported, controller-level sanitisation (NVMe Sanitize or ATA Secure Erase) is used as the primary method to perform purge-level data removal.
  • Where purge-level sanitisation is unavailable and policy permits logical sanitisation, controller-level format or controlled logical overwrite may be applied to user-addressable storage, with verification checks performed at time of processing.
  • NVMe devices that do not support NVMe Sanitize, or any device that cannot be reliably sanitised and verified, are diverted to certified physical destruction.

This multi-stage process is the foundation of TFix's SSD sanitisation workflow, ensuring GDPR-compliant, NIST SP 800-88 Rev.2 and NCSC Secure Sanitisation Guidance aligned, audit-ready data sanitisation for all flash-based media.

Frequently Asked Questions

Key details about our secure data erasure and destruction services.

What media types can you process at enterprise scale?

We process HDDs, SSDs, NVMe media, backup tapes, optical media, servers, and mobile devices. Method selection is capability-led and mapped to your policy and regulatory requirements.

Do you provide serial-level certification for audit?

One Certificate of Destruction (CoD) per Chain-Of-Custody order. Each order is documented in one serial-linked CoD listing all devices and applied methods, suitable for GDPR, ISO 27001, and internal audit records.

Which sanitisation and destruction methods do you use?

Depending on media capability and policy requirements, we apply controller-level purge, verified logical sanitisation where appropriate, or physical destruction. Every outcome is logged and evidenced.

What happens if a drive fails sanitisation or verification?

Any failed device is immediately diverted to controlled physical destruction. This enforces permanent data elimination and maintains compliance with GDPR and NIST SP 800-88 Rev.2.

What is the difference between sanitisation and physical destruction?

Sanitisation (Clear) removes data while preserving media for potential reuse. Purge and physical destruction are used where higher assurance is required; all outcomes are recorded on One Certificate of Destruction (CoD) per Chain-Of-Custody order.

How do you ensure SSD data is non-recoverable?

SSDs follow a capability-led workflow. Where supported, controller-level purge (NVMe Sanitize or ATA Secure Erase) is applied. Where purge is unavailable and policy permits, verified logical sanitisation is used. Devices that cannot be reliably sanitised are physically destroyed.

Do you provide certified data destruction for public sector and school organisations?

Yes. We provide the same certified erasure and physical destruction process, per-device Certificate of Destruction, and audit-ready documentation to councils, schools, colleges, and public bodies. See our public sector and education ITAD page for procurement-framework and social-value reporting details.

What is a Chain-Of-Custody ID and why does it matter?

Every collection is assigned a single Chain-Of-Custody ID that groups all devices processed under that order. It links your transfer documentation, sanitisation or destruction records, forensic sampling results, and final Certificate of Destruction, so every device can be traced back to one auditable order reference.

Is physical destruction always used, or is data erased first where possible?

Erasure is attempted first wherever it is capability-led and policy-permitted. Devices go through multiple independent erasure attempts across different connection methods before any escalation to physical destruction, so destruction is used only when reliable erasure genuinely cannot be completed.

How do you verify that erased drives have no recoverable data?

We sample 5% of sanitised data-bearing devices per Chain-Of-Custody ID and attempt professional-grade data recovery. A pass requires no mountable file system and no previewable or coherent user data. If any recoverable data is found, the entire batch is quarantined, related certificates are suspended from release, and management is notified immediately.

Offset Your Destruction Costs

The resale value of your decommissioned IT hardware could offset your data destruction costs.

Our Asset Recovery Service
New: Automated High-Speed SSD Erasure

Secure Data Destruction Pricing

Our automated SSD erasure workflow means we no longer charge a premium for SSDs.
One low rate for all loose drive types.

Standard

£10 / loose drive

No Minimum Quantity

For loose HDDs, SSDs, and Tapes.

  • HDD & SSD Included (No premium)
  • NIST SP 800-88 Rev.2 Purge/Clear
  • Price is per loose drive
  • Serial-level traceability
Best Value

Batch (100+)

£495 / 100 loose drives

Equivalent to £4.95 / unit

Volume discount for loose media.

  • Flat Rate for mixed media lots
  • Price is per loose drive
  • Consolidated Compliance Pack
  • Ideal for Data Centre / Office Clearouts
  • Fast-track processing
Insights

Related Articles

Helpful reads on common questions, real scenarios, and what to expect.

Proof

Related Case Studies

Real project outcomes from UK organisations we've worked with.

Fit Guidance

When this service is not the right fit

Not a consumer-device service

This workflow is designed for business assets, enterprise governance, and documented chain-of-custody rather than one-off household devices.

Not every drive needs physical shredding

If value recovery is possible and your policy allows verified erasure, full physical destruction may be unnecessarily expensive. See our eradication methods comparison.

Best when evidence matters

This page is for teams who need certificates, media-specific method choice, and audit-ready outputs rather than generic disposal.

ESG Planning

Need an environmental estimate for the wider hardware project?

If destruction is part of a broader device disposal programme, use the UK WEEE & Carbon Savings Calculator to estimate likely recycling impact alongside compliance outputs.

Request Certified Data Destruction & Erasure

We’ll confirm media type, compliance requirements, and processing method before scheduling.

One Certificate of Destruction (CoD) per Chain-Of-Custody order.

You May Also Need