FAQ
Questions, answered.
The cert disclaimer on every report is the authoritative document. This page is the plain-language mirror — what gets sanitized, which standards we align with, how the verification works, and where the limits are.
Section 01
About the service
What does Expunge Data actually do?
We provide IT asset disposition (ITAD) services, focused on automated hardware inventory and verified data sanitization. We do not sell sanitization software — we perform the sanitization on your equipment and produce tamper-evident documentation.
A service of FitzgeraldTech LLC, based in Southlake, Texas.
What does a typical job look like?
Equipment is received and logged with a unique job ID. Each system boots into our discovery software, which catalogs every component automatically. Storage devices are sanitized per NIST 800-88r2 / IEEE 2883-2022, verified, and documented. You receive a tamper-evident report by email and via the customer portal.
What's the difference between Standard and Certified?
Both tiers produce a tamper-evident, verifiable report aligned with the same standards (NIST 800-88r2, IEEE 2883-2022, ISO/IEC 27040:2024) and both include full hardware inventory.
Certified additionally uses ADISA-certified WipeOS as the erasure engine and produces an audit-ready Certified Erasure Report with per-device certificate provenance — appropriate when audit-ready documentation is required.
Section 02
What gets sanitized
Which storage media do you handle?
HDDs (SATA, SAS), SSDs (SATA, NVMe, M.2), self-encrypting drives, embedded eMMC. We also handle network equipment via our Revoke tool for vendor-specific factory resets of switches, routers, firewalls, and access points.
Does cryptographic erase qualify as Purge-level sanitization?
Yes. Per NIST SP 800-88 Rev. 2 §3.2, destroying the media encryption key on a self-encrypting drive renders the encrypted data cryptographically unrecoverable — that qualifies as Purge. Cryptographic Erase is recorded as the method on the report.
What can't software-based sanitization reach?
Software-based sanitization operates through the device's standard logical interface. It cannot guarantee sanitization of regions inaccessible to that interface, including:
- Firmware regions
- Host Protected Areas (HPA) and Device Configuration Overlays (DCO) — though we check and address these where supported
- Remapped or reallocated sectors
- Wear-leveled blocks on flash-based storage
- Physically damaged sectors
Drives that fail verification or have suspect health are routed to certified destruction. For media that requires maximum sanitization assurance, the Destroy method is recommended.
Section 03
Methods and standards
What methods do you use?
NIST SP 800-88 Rev. 2 defines three levels of sanitization, all of which we use:
- Clear — logical overwrite via the standard interface.
- Purge — firmware-level commands (ATA Secure Erase, NVMe Format), Cryptographic Erase on self-encrypting media.
- Destroy — physical destruction, used when the media is non-functional or when the customer or regulator requires it.
The method used for each device is recorded on the report.
Why is sanitization preferred over destruction by default?
For modern high-density media, verified sanitization is at least as secure as physical destruction — and materially better for the environment, because the embodied carbon of the drive is preserved when the drive is reused. See Why Sanitize for the full case, with citations.
Are you 'certified'?
Our Certified tier uses WipeOS, which holds an ADISA Product Claims Test certification — an independent third-party software certification by the Asset Disposal and Information Security Alliance.
The ADISA certification applies to the WipeOS software product, not to FitzgeraldTech as a service provider. We do not claim independent operational certification of our facility, personnel, or chain-of-custody process. Standards alignment (NIST, IEEE, ISO) is self-attested.
Section 04
Reports and verification
What's on a sanitization report?
Every report includes:
- Job ID and date of issuance
- Per-device serial numbers, models, capacities
- Sanitization method used per device
- Verification results and SMART health data
- Operator name, title, and organization (per NIST 800-88r2 Appendix C)
- Tamper-evident SHA-256 hash
- QR code linking to online verification
How do I verify a report is genuine?
Scan the QR code on the report, or visit expungedata.com/lookup and enter the certificate ID or a device serial number. The verification page confirms that the report exists in our system and that its content matches the originally-issued hash.
Can a report be modified after issuance?
Not without detection. Every PDF is hashed with SHA-256 at issuance, and the canonical hash is stored separately from the PDF in our object storage. Any modification to the PDF breaks the hash; replacing the PDF doesn't help because the canonical hash is independent.
For multi-drive jobs, each drive also has its own per-drive hash sidecar — so verification can be performed at the per-drive level as well as the per-report level.
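A sketch of the check described above, as an added example that is not Expunge Data's code: a report and its per-drive records are re-hashed and compared with digests held in a separate store, so an edited or replaced file cannot bring a matching hash with it. The record layout, the job ID, the serial numbers and the names verify_job, CANONICAL and demo are assumptions made for illustration.

```python
import hashlib
import hmac
import io

def sha256_stream(fh, chunk=65536):
    """Hash a file-like object in chunks so a large PDF is never loaded whole."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def matches(data, expected_hex):
    """Compare the SHA-256 of data with a hex digest from the separate store."""
    actual = sha256_stream(io.BytesIO(data))
    return hmac.compare_digest(actual, expected_hex.strip().lower())

def verify_job(report, drive_records, canonical):
    """Return the report verdict plus a per-serial status for every drive."""
    drives = {}
    expected = canonical["drive_sha256"]
    for serial, want in expected.items():
        if serial not in drive_records:
            drives[serial] = "missing"          # record dropped from the bundle
        elif matches(drive_records[serial], want):
            drives[serial] = "ok"
        else:
            drives[serial] = "mismatch"         # record edited after issuance
    for serial in drive_records.keys() - expected.keys():
        drives[serial] = "unexpected"           # record never issued
    return {"report": matches(report, canonical["report_sha256"]), "drives": drives}

# Constructed sample data; the record layout is an assumption, not the service's format.
REPORT = b"%PDF-1.7 constructed sample report JOB-0000"
DRIVES = {
    "SN-AAA111": b"serial=SN-AAA111;method=Purge;verify=pass",
    "SN-BBB222": b"serial=SN-BBB222;method=Clear;verify=pass",
}
# Stands in for the hashes recorded at issuance and kept apart from the PDF.
CANONICAL = {
    "report_sha256": hashlib.sha256(REPORT).hexdigest(),
    "drive_sha256": {s: hashlib.sha256(r).hexdigest() for s, r in DRIVES.items()},
}

def demo():
    """Verify the issued bundle, then one with an edited PDF and drive record."""
    edited = dict(DRIVES)
    edited["SN-BBB222"] = DRIVES["SN-BBB222"].replace(b"Clear", b"Purge")
    return verify_job(REPORT, DRIVES, CANONICAL), verify_job(REPORT + b" ", edited, CANONICAL)
```

The per-drive statuses show why the sidecars matter: a single altered drive record is pinpointed by serial number instead of only failing the report as a whole.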
Section 05
Retention and access
How long do you keep records?
Seven years from the date of processing. All reports remain verifiable online throughout the retention period. See our data retention policy for full detail.
How do I access historical reports?
Through the customer portal. Authentication is by magic-link to your email address.
Can I request early deletion of my records?
Yes, subject to any applicable regulatory hold requirements. Contact us at info@expungedata.com.
Section 06
Edge cases and limits
What if a drive fails verification?
The drive is flagged and routed to certified destruction. The report records both the verification failure and the destruction outcome — both are documented in the same tamper-evident system.
What if my regulator requires physical destruction?
We can route specific drives, specific job lots, or your entire flow to physical destruction. The destruction event is documented on the report just like any other method.
Does Expunge Data guarantee data is unrecoverable?
No. The report attests to what was done — the method, the verification, the result. It is not a guarantee, warranty, or insurance against recovery by any means.
Determining whether our process meets your specific regulatory obligations (HIPAA, PCI DSS, SOX, GLBA, FACTA, GDPR, CCPA, TDPSA, etc.) is your responsibility. Expunge Data does not provide legal, regulatory, or compliance advisory services; we recommend consulting qualified legal counsel for that determination.
Where can I read the formal legal terms?
The Terms of Service and Privacy Policy are the authoritative documents. The full legal disclaimer is also printed on every report's final page.