Skip to main content

What is a Certificate of Destruction?

What a COD contains, when it is issued, and why auditors ask to see one.

Quick answer

A Certificate of Destruction (COD) is a serialized document certifying that specific storage media were sanitized or physically destroyed. It lists each drive by serial number along with the destruction method, verification status, and processing date, and is signed by the provider. Trace issues a Certificate of Destruction on every job at no charge.

What's on a Certificate of Destruction

A data destruction certificate is only as useful as its detail. A batch-level statement ("all drives were destroyed") won't survive an audit; a proper COD identifies each device individually. A complete certificate includes:

  • A unique certificate number — the document itself is serialized and referenceable.
  • Your organization name and the job or pickup reference it covers.
  • Drive serial numbers — every storage device listed individually.
  • The method used per device — verified overwrite, SSD secure erase, shred, or crush.
  • Verification status — confirmation that each wipe was checked, not just run.
  • Processing and issue dates — when the media were sanitized or destroyed.
  • An authorized signature from the provider taking responsibility for the work.

You can see the exact format in our sample Certificate of Destruction.

Why it matters for compliance

The COD is your proof of proper disposal. If your organization is audited — or if a data incident is ever traced to retired equipment — the certificate demonstrates that specific media were sanitized or destroyed on a specific date by a specific method. It serves as supporting documentation under frameworks such as HIPAA, SOX, GLBA, and FACTA, and it lets you close out storage devices on your internal asset register line by line rather than on faith.

A COD documents what happened to the media at the point of destruction. It pairs with chain-of-custody documentation, which records who handled the equipment between your dock and that point — auditors typically want both.

When is a COD issued, and what does it cost?

A Certificate of Destruction is issued after processing is complete — once every drive in the job has been wiped with verification or physically destroyed. It should never cost extra: documentation is the point of ITAD, not an upsell. Providers that charge separately for certificates, or that issue only batch-level statements without serial numbers, are leaving you without usable audit evidence.

How Trace handles this

Trace issues a serialized Certificate of Destruction on every job, free — whether your drives were wiped (standard wipes with verification, aligned to NAID AAA / i-SIGMA specifications, at no charge) or physically destroyed from $15 per drive. Each drive is serialized at intake, so the certificate lists every device with its method, verification status, and processing date. It is delivered electronically alongside chain-of-custody documentation and a per-asset Trace Report, and all records are retained for seven years, available on request at no charge if you are ever audited.

Schedule a Free Pickup

Related answers

Schedule a Pickup