This guide shows real-world R2v3 nonconformities that recyclers and ITAD providers run into, why they happen, and exactly how to correct and prevent them. Use the checklists, templates, and acceptance criteria to close findings quickly and keep them from coming back.
How to read this playbook
Scope: Focuses on operational pain points that commonly trigger minor and major nonconformities during Stage 1, Stage 2, and surveillance audits.
Format: Each section lists (1) what auditors usually find, (2) the root causes, and (3) corrective and preventive actions with evidence examples and acceptance criteria.
Use it: Copy the bullet points into your CAPA form and attach the evidence listed.
1) Data security & sanitization: method not matching media, or records incomplete
What auditors find
Drives or devices labeled “wiped” without a verifiable record of method, tool, settings, pass/fail, and unique identifier.
Mixed media types treated with a single method that isn’t appropriate (e.g., SSDs processed with an HDD-only overwrite method).
Sampling performed, but the sampling plan isn’t defined or justified.
Software version or wipe profile changed mid-period without a change control entry.
Likely root causes
SOPs are vague or not role-specific.
Technicians rely on tribal knowledge; training records do not reflect method specifics.
Wipe tool exports not mapped to your log fields; serial capturing inconsistent.
Corrective actions (fix now)
Align each media type to an approved method in a one-page Media → Method Matrix and post it at the station.
Update the Data Sanitization Log to include: asset ID, media type, tool & version, profile, date/time, operator, pass/fail report reference, and reviewer sign-off.
Re-run sanitization for a sample of affected items; quarantine and reprocess any uncertain units.
Record a change control entry for the tool/version/profile currently in use.
Preventive actions (stop it recurring)
Technician training module that covers the matrix and log completion; require practical sign-off.
Weekly sanitization spot-check: supervisor reviews 10 random records against exported tool reports.
Lock the wipe tool configuration; changes require manager approval with a version snapshot.
Evidence to attach
Updated SOP and the Media → Method Matrix.
Completed logs with matching software reports.
Training sign-in and competency checklists.
Spot-check checklist with pass rate.
Acceptance criteria
For a sample of 30 wiped devices across media types, 100% have full, traceable records and correct method per matrix; 0 unlabeled or unverified devices on the floor.
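The weekly spot-check and the acceptance criteria above can be automated against the log and the wipe tool's exported reports. The following is an added example, not part of the original guide or any wipe tool's API; the matrix contents, the tool name "ExampleWipe", its version, the field names and the sample rows are all constructed assumptions.

```python
# Added example (not from the original guide). The matrix, tool list and
# sample rows below are constructed; replace them with your approved values.

MEDIA_METHOD_MATRIX = {            # assumed Media -> Method Matrix
    "HDD": {"overwrite", "shred"},
    "SSD": {"crypto-erase", "firmware-purge", "shred"},
    "NVMe": {"crypto-erase", "firmware-purge", "shred"},
}
APPROVED_TOOLS = {"ExampleWipe": "4.2.1"}   # hypothetical tool name and version

# Log fields the guide asks for, plus the serial used to match the tool report.
REQUIRED_FIELDS = (
    "asset_id", "serial", "media_type", "method", "tool", "tool_version",
    "profile", "timestamp", "operator", "report_ref", "reviewer",
)


def validate_record(rec, reports):
    """Return a list of findings for one log row; an empty list means it passes."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if not str(rec.get(f) or "").strip()]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))

    media, method = rec.get("media_type"), rec.get("method")
    allowed = MEDIA_METHOD_MATRIX.get(media)
    if allowed is None:
        findings.append(f"media type {media!r} is not in the matrix")
    elif method not in allowed:
        findings.append(f"method {method!r} is not approved for {media}")

    tool = rec.get("tool")
    if tool not in APPROVED_TOOLS or APPROVED_TOOLS[tool] != rec.get("tool_version"):
        findings.append("tool/version is not on the Approved Tool List")

    report = reports.get(rec.get("report_ref"))
    if report is None:
        findings.append("no exported tool report for report_ref")
    else:
        if report["serial"] != rec.get("serial"):   # exact match, no normalisation
            findings.append("serial mismatch between log and tool report")
        if report["result"] != "PASS":
            findings.append(f"tool report result is {report['result']}")
    return findings


def spot_check(records, reports):
    """Validate every row; return (pass_rate, {asset_id: findings}) for failures."""
    failures = {}
    for rec in records:
        findings = validate_record(rec, reports)
        if findings:
            failures[rec.get("asset_id", "<no id>")] = findings
    rate = (len(records) - len(failures)) / len(records) if records else 0.0
    return rate, failures


def row(**overrides):
    """Build a constructed sample log row; overrides replace the defaults."""
    base = {
        "asset_id": "A-0001", "serial": "WD123", "media_type": "HDD",
        "method": "overwrite", "tool": "ExampleWipe", "tool_version": "4.2.1",
        "profile": "3-pass", "timestamp": "2025-03-04T09:12:00Z",
        "operator": "op17", "report_ref": "R-1", "reviewer": "sup02",
    }
    base.update(overrides)
    return base


# Constructed tool report exports, keyed by report reference.
SAMPLE_REPORTS = {
    "R-1": {"serial": "WD123", "result": "PASS"},
    "R-2": {"serial": "SS456", "result": "PASS"},
    "R-3": {"serial": "NV789", "result": "PASS"},
    "R-4": {"serial": "WD999", "result": "FAIL"},
}
SAMPLE_LOG = [
    row(),                                                    # clean record
    row(asset_id="A-0002", serial="SS456", media_type="SSD",
        report_ref="R-2"),                                    # HDD-only overwrite used on an SSD
    row(asset_id="A-0003", serial="NV-789", media_type="NVMe",
        method="crypto-erase", report_ref="R-3"),             # serial typed differently from report
    row(asset_id="A-0004", serial="WD999", tool_version="4.3.0",
        reviewer="", report_ref="R-4"),                       # version drift, no reviewer, FAIL
]

if __name__ == "__main__":
    rate, failures = spot_check(SAMPLE_LOG, SAMPLE_REPORTS)
    print(f"pass rate: {rate:.0%}")
    for asset_id, findings in failures.items():
        print(asset_id, "->", "; ".join(findings))
```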
2) Chain of custody: gaps between intake, storage, and outbound transfer
What auditors find
Intake receipts exist, but location status and container IDs aren’t tracked end-to-end.
Outbound shipments lack a complete reconciliation from intake quantities/IDs to final disposition.
“Quarantine” or “secure cage” exists, but no log shows time-in/time-out and who had access.
Likely root causes
Process maps stop at departmental boundaries.
Labels or barcodes not applied at the first practical touchpoint.
Paper forms that don’t sync with the digital ledger.
Corrective actions
Introduce a Chain-of-Custody Ledger (physical or digital) with five mandatory states: Received → In Secure Storage → In Process → Post-Process Hold → Outbound.
Require unique container IDs; affix labels immediately on intake.
Perform a backward reconciliation on last quarter’s shipments: choose 3 representative POs and tie every unit/container to the outbound record; correct discrepancies.
Preventive actions
Gate control: outbound cannot be scheduled unless reconciliation status = “complete.”
Weekly walk-through with a location audit checklist (random containers).
Integrate barcode scanning at intake and outbound to cut manual errors.
Evidence
Completed ledger examples and reconciliations.
Photos of container labels and secure storage signage.
Walk-through checklists and corrective notes.
Acceptance criteria
For 3 sample POs, 100% of items/containers are traceable from receipt to outbound with timestamps and handler IDs.
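A digital ledger can enforce the five states and the outbound gate instead of relying on people to follow them. The following is an added example, not part of the original guide; the class and method names, container and PO identifiers, and the rule that a PO counts as reconciled once every container received under it has reached Post-Process Hold are assumptions.

```python
# Added example (not from the original guide): a minimal append-only ledger.
from datetime import datetime, timezone

STATES = ["Received", "In Secure Storage", "In Process",
          "Post-Process Hold", "Outbound"]


class CustodyError(Exception):
    """Raised when a move would break the custody chain."""


class Ledger:
    def __init__(self):
        self.events = []    # append-only: (container_id, po, state, handler, utc_time)
        self.current = {}   # container_id -> (po, state)

    def _append(self, container_id, po, state, handler):
        if not handler:
            raise CustodyError("handler ID is required for every event")
        self.events.append(
            (container_id, po, state, handler, datetime.now(timezone.utc)))
        self.current[container_id] = (po, state)

    def receive(self, container_id, po, handler):
        """Register a container at intake; container IDs must be unique."""
        if container_id in self.current:
            raise CustodyError(f"container ID {container_id} already exists")
        self._append(container_id, po, "Received", handler)

    def reconciliation_status(self, po):
        """Assumed rule: 'complete' when every container received under the PO
        has reached Post-Process Hold or Outbound, otherwise 'open'."""
        states = [s for p, s in self.current.values() if p == po]
        done = {"Post-Process Hold", "Outbound"}
        return "complete" if states and all(s in done for s in states) else "open"

    def move(self, container_id, new_state, handler):
        """Advance a container by exactly one state, enforcing the outbound gate."""
        if container_id not in self.current:
            raise CustodyError(f"unknown container {container_id}")
        po, state = self.current[container_id]
        idx = STATES.index(state)
        if idx + 1 >= len(STATES) or STATES[idx + 1] != new_state:
            raise CustodyError(
                f"{container_id}: {state} -> {new_state} skips or reverses a state")
        if new_state == "Outbound" and self.reconciliation_status(po) != "complete":
            raise CustodyError(f"PO {po} is not reconciled; outbound blocked")
        self._append(container_id, po, new_state, handler)

    def trace(self, container_id):
        """Every recorded state for one container, with handler and timestamp."""
        return [(state, handler, ts)
                for cid, _, state, handler, ts in self.events if cid == container_id]


def demo():
    """Run two constructed containers under one PO through the ledger."""
    led = Ledger()
    led.receive("C-001", "PO-1001", "h12")
    led.receive("C-002", "PO-1001", "h12")
    blocked = []
    for state in STATES[1:4]:
        led.move("C-001", state, "h07")
    try:
        led.move("C-001", "Outbound", "h07")     # C-002 is still at Received
    except CustodyError as exc:
        blocked.append(str(exc))
    try:
        led.move("C-002", "In Process", "h07")   # skips In Secure Storage
    except CustodyError as exc:
        blocked.append(str(exc))
    for state in STATES[1:4]:
        led.move("C-002", state, "h09")
    led.move("C-001", "Outbound", "h07")         # gate is open now
    return led, blocked


if __name__ == "__main__":
    ledger, blocked = demo()
    for message in blocked:
        print("blocked:", message)
    for state, handler, ts in ledger.trace("C-001"):
        print(ts.isoformat(timespec="seconds"), handler, state)
```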
3) Downstream due diligence: approval packets incomplete or not refreshed
What auditors find
Vendor approval forms on file, but missing waste codes, permit numbers, or final processing descriptions.
Annual reviews overdue; risk ratings not updated after incidents or regulation changes.
EHS/CSR claims (e.g., “no child labor,” “no prison labor”) not backed by documented checks.
Likely root causes
DDQ template doesn’t reflect your actual outbound streams.
Calendar reminders lapse; ownership for annual review unclear.
Overreliance on marketing brochures rather than documented evidence.
Corrective actions
Rework the DDQ to include: legal entity info, permits/licenses per stream, final process description, material flow map, facility photos, insurance, and contacts.
Perform desk audits for top 5 highest-volume downstreams: gather missing docs, verify permit validity dates, and document risk scores.
Temporarily suspend routing to any downstream lacking mandatory artifacts; identify alternates.
Preventive actions
Annual review schedule with assigned owner; automated reminders 60/30/7 days before due.
Post-incident re-evaluation trigger: any shipment complaint, nonconformity, or spill requires a DDQ refresh and risk rescore.
Supplier scorecard with thresholds that auto-flag high risk.
Evidence
Updated DDQ forms with attachments list.
Annual review log and upcoming reminder plan.
Risk scoring sheet with criteria and weighting.
Acceptance criteria
100% of active downstreams have current approval packets (dated within 12 months) that match your outbound streams and demonstrate legal authorization.
4) EHS controls: hazard assessments exist, but controls and training aren’t aligned
What auditors find
Generic risk assessments written years ago; they don’t mention lithium batteries, toner dust, or noise exposure specific to your lines.
PPE signage posted, yet training records don’t show task-specific PPE fit and use.
Spill kits present, inspection logs missing or outdated.
Likely root causes
Copy-paste assessments that never got localized.
Training tracked by job title, not by task.
No calendar for kit inspections or eyewash testing.
Corrective actions
Update the Hazard Identification & Risk Assessment by process step (intake, demanufacturing, battery handling, shredding, packing). Add specific hazards and controls.
Map each task to required PPE and training; issue task cards at workstations.
Inspect and replenish spill kits; start a monthly inspection log.
Conduct a drill (spill or fire) and document lessons learned.
Preventive actions
Quarterly floor audit with an EHS checklist tied to the risk assessment.
New-hire and job-change competency checks (not just attendance).
Purchasing control: PPE or kit changes trigger SOP and training updates.
Evidence
Revised risk assessment with sign-off date.
Task cards, training matrix, and signed competency forms.
Completed kit inspection logs and drill report.
Acceptance criteria
Zero missing or expired EHS controls in a random walk-through; training matrix shows 100% of active operators with current task-specific training.
5) Testing, evaluation, and repair (reuse claims not evidenced)
What auditors find
Units sold as “tested working,” but no test protocol or proof of test steps/criteria per device category.
Repairs performed, but parts traceability and final quality check missing.
Cosmetic grading inconsistent across technicians.
Likely root causes
Test procedures live in people’s heads.
Work orders don’t require attachment of test results or photos.
No final QA gate before sale.
Corrective actions
Create category-specific test sheets (e.g., laptops, desktops, monitors) with pass criteria, firmware/BIOS checks, and battery/cycle thresholds.
Require a final QA sign-off on each work order before listing or shipment.
Introduce a grading guide with photos and definitions for A/B/C; train staff.
Preventive actions
Monthly QA sampling: pull 10 sold items, verify test sheets and grade accuracy.
Calibration or version control for diagnostic tools.
Separate “retest” lane for returned units.
Evidence
Completed test sheets and work orders with QA sign-offs.
Grading guide and training records.
QA sampling log with results and actions.
Acceptance criteria
For a sample of 20 sold units, 100% have complete test evidence; grading disputes under 2% over a quarter.
6) Document control & change management: people use the old version
What auditors find
Multiple SOP versions on the floor; technicians follow an outdated instruction.
Recent process change (e.g., new wipe profile) not documented or reviewed.
Forms without revision numbers; difficult to verify they’re current.
Likely root causes
Shared folders without permissions or archival rules.
No “controlled copy” process for printed SOPs.
Changes implemented informally and announced verbally.
Corrective actions
Assign document owner per SOP. Add revision, effective date, and approval fields to the header.
Implement controlled copies: stamped printouts with an expiry; remove/replace old prints during change rollout.
Create a Change Control Log capturing reason, impacted docs, training required, and validation.
Preventive actions
Quarterly document review calendar.
Floor audit that checks version numbers against the master list.
CAPA: template forces root cause and effectiveness; no overdue high-risk CAPAs.
Final notes
Auditors don’t expect perfection; they expect control. That means traceable records, clear ownership, and proof that your fixes work. If you use this playbook to structure your logs, training, DDQ packets, and CAPA forms, you’ll not only close today’s findings—you’ll reduce tomorrow’s risk.
Plain-English objective: R2v3 requires you to protect data at every stage—intake, handling, transport, processing, and final disposition—using documented controls that actually work. This guide gives you a practical, audit-ready workflow with sample SOP steps you can adapt immediately.
Scope & key definitions (keep these in your SOP)
Data-bearing asset (DBA): Any device or component that can store data (HDD, SSD, NVMe, mobile, tablet, server, printer/MFP with storage, network gear with flash, DVR, point-of-sale, USB/SD, embedded controllers).
Sanitization outcomes:
Clear: Overwrite data so it cannot be recovered using standard system functions and tools.
Purge: Render data unrecoverable using more rigorous techniques (e.g., cryptographic erase, firmware-assisted purge).
Destroy: Physically damage media so data is irretrievable (e.g., shredding, crushing, disintegration).
Verification: Evidence that sanitization achieved the intended outcome (software report, hash check, sample QC, physical fragment size checks).
Chain of custody (CoC): Continuous control and documented custody from pickup to final disposition.
Add these terms to your Definitions section so employees and auditors share the same language.
Roles & responsibilities
Data Security Lead (DSL): Owns the SOP, approves methods, maintains approved tool list, reviews exceptions.
Sanitization Operator: Executes wipe/purge/destroy steps and records serials, method, outcome, and verification.
QC Auditor: Independently verifies a defined sample or 100% where required; documents pass/fail.
Logistics/Dispatch: Ensures secure transport, seals, custody logs, and storage area integrity.
Compliance Manager: Performs internal audits, trend analysis, and CAPA for nonconformities.
Document this RACI in your procedure so it’s unambiguous who does what.
Intake-to-Disposition: the required control flow
Why this matters: Most nonconformities happen before or after the wipe—at intake (items missed) and after sanitization (mix-ups, incomplete records). A clean flow prevents both.
Pre-intake screening
Customer declares if assets are data-bearing; requests desired outcome (reuse with wipe, purge, or destroy).
Capture special handling requirements (e.g., encrypted assets, defective drives).
Secure intake
At receipt, visually and systematically identify DBAs. Use a laminated checklist by asset type.
Affix DATA-BEARING label and a unique asset ID. Photograph pallet/serial plates where feasible.
Record: customer, pickup manifest, seal numbers, time/date, handler signatures.
Controlled storage
Move DBAs to a restricted, CCTV-covered area with logged access.
Separate unsanitized from sanitized inventory with physical barriers and distinct tags.
High risk, encryption unknown, or device defective: Purge or destroy.
Customer-mandated destruction: Destroy regardless of device state.
Log the chosen method and rationale.
Sanitization execution
Use only approved tools/machines listed in your SOP (version-controlled).
Capture serial numbers, method, operator, start/end time, result code.
For cryptographic erase, record proof that the key was destroyed or that the reset was performed.
Verification & QC
100% verification for software-based wipe/purge (attach reports per device).
Statistical QC only where justified and documented (e.g., repeated identical media batches).
For physical destruction, verify fragment size against your acceptance criteria.
Exception handling
If a device fails wipe or tool aborts, quarantine and escalate to DSL.
Decide whether to re-attempt with an alternate method or destroy.
Record the exception, corrective action, and final outcome.
Final disposition
Mark assets as SANITIZED or DESTROYED with visible tagging.
Update inventory status; separate storage for post-sanitization goods.
Prepare Certificates of Sanitization/Destruction with traceability fields (see template below).
Outbound control & records retention
For remarketing: ensure no unsanitized DBAs are mixed into outgoing lots.
For scrap: ensure destroyed media stays in secure custody until it enters the shredder and is ground to spec.
Retain records for your defined retention period (commonly 3–7 years).
Sample SOP: Data Security & Sanitization (copy-adapt this)
Purpose: Ensure all data on received DBAs is secured and sanitized in compliance with R2v3 and customer requirements.
Scope: All DBAs handled at [Facility Name], including HDD, SSD/NVMe, mobile devices, printers/MFPs with storage, network devices, USB/SD, DVRs, and embedded flash.
Responsibilities: As listed in Roles & responsibilities above.
Procedure
Identification at Intake
Use the DBA Identification Checklist for each pallet/skid.
Tag suspected DBAs with red DATA-BEARING labels and assign Asset ID.
Photograph pallet and serial plates if accessible.
Log customer, time/date, receiver signature, and truck seal number.
Secure Storage (Pre-Sanitization)
Move DBAs to Cage A (restricted access). Log entry/exit in Cage Access Log.
Place into bins labeled UNSANITIZED ONLY.
Method Selection
Review customer instructions and device condition.
Select Clear, Purge, or Destroy per the Sanitization Decision Tree.
Record decision and operator initials in the Sanitization Work Order.
Execution – Clear/Purge
Connect device; verify serial in software UI.
Start approved wipe or crypto-erase profile.
On completion, export verification report; ensure it contains device ID, model, capacity, serial, method, date/time, and result.
If failed/aborted, quarantine and notify DSL.
Execution – Destroy
For HDD: remove from chassis; process through crusher/shredder.
For SSD/flash: process via fine shredder or pulverizer meeting your fragment size limit.
Record batch ID, input count/weight, start/end time, and operator.
Collect fragment samples periodically to verify size.
Verification
100% report capture for software methods; store reports against Asset ID.
For destruction: perform hourly fragment checks; document results against acceptance criteria.
QC Auditor signs Verification Log daily.
Exception Handling
For any failure: complete Nonconformance Report (NCR) with cause, action, and outcome.
DSL approves rework or destruction.
Labeling & Segregation (Post-Sanitization)
Apply green SANITIZED labels to cleared/purged devices.
Move to Cage B (sanitized only). Update inventory status.
Certificates & Reporting
Generate Certificate of Sanitization/Destruction with customer name, PO/WO, asset list with serials, method, date, operator, and authorization signature.
Provide to customer; retain digital copy internally.
Records Retention
Keep all logs, reports, certificates, and photos for [X years] in the Data Security Repository with controlled access.
Acceptance Criteria
Software wipes: report states PASS and matches serial exactly.
Crypto-erase: record of successful key destruction/reset.
HDD destruction: fragments are at or below [your mm/in threshold].
SSD/flash destruction: fragments meet [smaller threshold]; no intact memory packages.
No unsanitized DBAs in sanitized/outbound areas.
Training & Competence
New Sanitization Operators require two shadowed shifts and a competency check before solo work.
Annual refresher covering tool updates and incident lessons learned.
Change Control
DSL maintains Approved Tool List with version numbers. Any tool/profile change requires a controlled update and staff briefing.
Records you must be able to produce on demand (audit-ready)
Intake Manifest & Seal Log
Cage Access Logs (pre/post-sanitization)
Sanitization Work Orders with method and operator
Verification Reports (one per device for software methods)
Destruction Batch Records with fragment checks
Certificates of Sanitization/Destruction tied to asset serials
Exception/NCR forms with CAPA evidence
Training records and Approved Tool List (with versions)
Inventory status reports showing transitions UNSANITIZED → SANITIZED/DESTROYED
Keep these organized by customer → work order → asset ID. Consistent filenames and index sheets save you during audits.
Verification strategies that pass scrutiny
100% device-level verification for software methods is the cleanest approach.
Where statistical sampling is justified (e.g., homogeneous batches of identical media processed by a validated, unaltered workflow), document:
Sampling plan (e.g., AQL, lot size, sample size).
Rationale (history of zero defects, controlled inputs).
Escalation rule (any failure → 100% verification and process review).
For destruction, define objective fragment size limits and measure on a routine cadence (e.g., each batch or every 30 minutes of operation).
Common nonconformities—and fast fixes
Missed DBAs at intake
Fix: Implement a DBA Identification Checklist by device type; retrain intake staff; spot-audit pallets.
Serial mismatches between report and label
Fix: Require barcode scanning at connect AND at report save; block save if mismatch.
Tool version drift (reports don’t match SOP)
Fix: Create an Approved Tool List with exact versions; IT locks updates; DSL signs off changes.
Cage integrity (finds of mis-segregation per month)
On-time certificate issuance (%)
Review KPIs monthly; create CAPA for trends exceeding your thresholds.
Practical setup tips (low cost, high impact)
Mount a visual workflow board at the cage: UNSANITIZED → METHOD → VERIFIED → SANITIZED/DESTROYED.
Standardize label colors: red = DATA-BEARING (unsanitized), green = SANITIZED, black/white = inventory only.
Use barcodes/QRs for asset IDs; scan into the wipe tool to avoid typos.
Keep a hot-swap cart of adapters (SATA, NVMe, 2.5/3.5, USB docks) to reduce handling delays.
For SSDs headed to destruction, seal containers immediately post-pull; don’t accumulate loose media on benches.
Final checklist (print for the station)
DBA identified and labeled?
Asset ID and serial captured?
Method chosen and recorded (clear/purge/destroy)?
Wipe/destruction executed using an approved profile/machine?
Verification report or fragment check completed?
Exception handled and documented (if any)?
Status updated to SANITIZED/DESTROYED and assets moved to correct cage?
Certificate generated and stored?
Logs filed under the correct customer/WO?
Bottom line: If you can prove what happened to every single data-bearing asset—through clear procedures, objective verification, and tidy records—you’ll satisfy R2v3 expectations and build customer trust. Start by adopting the SOP above, tighten your intake controls, require 100% verification for software wipes, and make certificates and logs the natural by-product of doing the work right.
Purpose of this guide: give you a practical, copy-and-use framework to evaluate, approve, and monitor downstream vendors under R2v3—so you can defend decisions to auditors and reduce real-world risk.
1) What “downstream due diligence” actually means in practice
In R2v3, “downstream” covers every organization that receives your material, components, or data-bearing devices after they leave your control—refurbishers, brokers, repairers, recyclers, data sanitizers, smelters, and final disposers. Due diligence is the repeatable process you use to:
Assess risks before using a vendor
Decide whether to approve them (and for which materials)
Define controls in writing (contracts, specifications, reporting)
Monitor performance and re-assess on a schedule or when conditions change
Think of it as a living file per vendor: risk score → approval scope → controls → evidence of monitoring → periodic re-approval.
2) Map your material flows first (scope drives effort)
Before scoring anyone, write a one-page map of what goes where:
Material types: data-bearing devices, batteries, displays, PCBs, plastics, precious-metal fractions, whole units for reuse, non-hazardous residuals.
Path: Your facility → Vendor A → Vendor B (if any) → final process (reuse, recycle, energy recovery, landfill).
Jurisdictions touched: your location, vendor’s location, any transit countries.
Disposition intent: reuse/resale vs. material recovery vs. disposal.
This map determines the risk profile and the depth of checks required. High-risk examples: data-bearing devices; export to unfamiliar jurisdictions; hazardous fractions (e.g., batteries); multi-hop chains.
3) A pragmatic risk model you can implement tomorrow
Use a 100-point scoring model so decisions are explainable. Score each vendor on the factors below, then classify: 0–24 Low, 25–49 Moderate, 50–74 High, 75–100 Critical. Calibrate thresholds to your risk appetite.
Factor | Guiding questions | Score (0=best, 20=worst)
Regulatory exposure | Hazardous materials? Export? Permits clearly in place? |
High: quarterly KPI review + annual on-site or remote audit
Triggered review: any incident, regulatory change, ownership change, change in downstream path, or material type
KPIs that matter:
Reporting timeliness: % shipments with complete documentation within X days
Data sanitization validation: % lots with verification logs, % failures detected and resolved
Material accountability: variance between shipped mass and processed/received mass within agreed tolerance
Nonconformities: count and severity; closure time for CAPA
Safety/environment: reported incidents related to your lots; trend over time
Evidence to keep in the vendor file:
KPI summaries and your review notes
Updated permits/licenses (or screenshots of public registry entries)
Training matrix snapshot (roles related to your material)
Any incident reports and CAPA closure evidence
Re-approval memo with updated risk score and next review date
8) How to run a remote or on-site audit without wasting a day
Pre-audit (1–2 weeks before):
Send scope: which processes and materials you will review
Request a single recent lot involving your material for document tracing
Share a 10–12 point agenda and timebox to 3–4 hours
During the audit:
Walk the material flow in order: receiving → storage → processing → staging → outbound
Trace one lot: BOL → receiving log → processing log → output documentation → downstream shipment proof
Interview process owner(s) for data wiping, hazardous handling, and packing
Sample PPE, labeling, segregation, and spill kits in the areas used for your material
Common findings to watch for:
Mismatch between SOP and actual practice
Incomplete wipe verification fields (e.g., missing operator ID or date/time)
Containers missing labels or date
Mass/serial reconciliation gaps
Expired permits on the wall vs. current in the file
Close-out:
Classify findings (minor/major)
Agree on CAPA owners and due dates
Record updated risk score if warranted
9) Handling multi-hop downstreams (beyond your first vendor)
If your vendor sends material to a further processor, you still need adequate assurance that the final path is legitimate. Practical approach:
Require your vendor to disclose the named downstream for your material and keep an internal list.
For low-risk streams, review the downstream’s public credentials and a sample invoice/BOL showing the path.
For higher-risk streams (data-bearing, hazardous, export), perform at least a desktop review of the downstream, or obtain your vendor’s documented vetting results and sample permits.
If the downstream changes, treat as a triggered review and pause shipments until reassessed.
10) Red flags and what to do immediately
Immediate holds on new shipments if you see any of the following:
Claim of capacity far above the facility’s apparent scale
Refusal to provide even basic evidence (permits, sample logs)
Frequent name changes, shell companies, or mismatched addresses
Export offers that seem too cheap relative to market recovery value
Repeated delays in providing data wipe logs or mass balances
Action: escalate, notify management, log a potential nonconformity, and require corrective actions before resuming shipments.
11) Recordkeeping: how long and how to organize
Keep at least:
Risk score sheets and approval memos for each vendor
Shipment-level traceability records (serials or mass balances)
Organization tip: one folder per vendor with subfolders: 01_Approval, 02_Contract, 03_Monitoring, 04_Audits, 05_Traceability. Keep a master index spreadsheet with vendor name, scope, risk tier, next review date, downstreams, and notes.
12) Typical nonconformities—and how to prevent them
Approval too generic: Fix by issuing material-specific approval scopes and updating shipping instructions.
Evidence not reviewed: Fix by adding a short checklist to every review (what you checked, date, initials).
No trigger reviews: Fix with a one-page SOP listing triggers and responsible person; add a simple email template: “Triggered review opened because X.”
Great policy, weak practice: Fix by training process owners on the exact documents auditors will ask for and doing quarterly internal spot checks.
13) Step-by-step SOP you can adopt
Initiate: business owner requests a new vendor; due-diligence lead opens a file and assigns provisional risk 30.
Collect: send DDQ and document pack list; receive samples.
Assess: score the five risk factors; write 1–2 lines rationale per factor.
Decide: draft approval memo with scope, controls, KPIs, cadence.
Contract: include control clauses; communicate packaging/labeling and reporting requirements.
Onboard: run a trial shipment (if applicable); validate documentation flow.
Monitor: review KPIs per cadence; log outcomes; adjust controls if needed.
Audit: schedule remote/on-site per risk or when triggered.
Re-approve: update risk score annually or after major changes; re-issue approval memo.
Retire: if terminated, record final status, reason, and where remaining material will go.
Data protection: No data handling for our scope—score 0.
Process maturity: ISO-like system, training records sampled—score 8.
Traceability: Mass balance reports monthly, variances <2%—score 6.
Reputation/history: Stable ownership since 2017; no adverse media—score 4.
Total: 30 → Moderate.
Decision: approve for Li-ion consolidation; quarterly KPI review.
Triggered review email:
Subject: Triggered Review — [Vendor], [Reason]
Body: A change was reported: [permit expired/ownership change/downstream change/incident]. Shipments paused for this stream. We will reassess documents and confirm approval scope within [X] business days.
15) Final checklist (use before you ship)
Material flow map updated; jurisdictions understood
DDQ and sample evidence reviewed; risk score documented
Approval memo with specific scope and expiry date issued
KPI set and monitoring cadence scheduled on calendar
Shipping/warehouse teams briefed on scope and packaging/labeling requirements
Vendor file complete and indexed
Bottom line
Downstream due diligence under R2v3 is not about collecting the biggest binder—it’s about clear scope, justified risk decisions, and fresh evidence that shows your controls work in the real world. If you maintain a living vendor file with a logical risk score, material-specific approval, and consistent monitoring, you’ll satisfy auditors and, more importantly, keep your supply chain trustworthy.
Goal of this guide: give you a practical, copy-ready blueprint for the documents, logs, and evidence that an R2v3 auditor will expect to see—and how to organize them so they’re complete, consistent, and easy to verify.
1) What “audit-ready” means in practice
Audit-ready documentation is not a pile of forms. It’s a controlled system where:
Every policy and SOP has a current version, an owner, and a last-review date.
Every process produces objective records (logs, photos, serials, manifests) that prove you followed the SOP.
You can trace any unit or batch from intake to final disposition and show who did what, when, and based on which instruction.
Gaps trigger corrective actions (CAPA) that are documented and closed out.
Think in layers:
Top level: Policies (intent, scope, responsibilities).
Keep a Document Index spreadsheet: columns for ID, title, process, version, effectivity, owner, reviewer, next review date, status (draft/active/obsolete).
Stamp or watermark OBSOLETE on retired versions; keep them read-only in an “Archive/Obsolete” folder.
Use the same naming convention everywhere: PROC-ITAD-INTAKE-001_v3.1_2025-02-10.
3) Core logs your facility should maintain (and the fields that matter)
Below are copy-ready field sets you can implement in spreadsheets or your system of record. If you already track these data points digitally, export sample reports and keep them with your audit pack.
A) Receiving & Chain-of-Custody Log
Intake Date/Time
Customer/Source
Shipment/PO/Work Order
Transporter/Driver ID
Seal Number(s) and Condition
Pallet/Container Count
Unit Count by Category (e.g., laptops, drives, batteries)
Unique Intake Batch ID
Initial Condition/Exceptions (photos if applicable)
Receiver Name/Signature
Evidence add-ons: dock photos, scale tickets, exception tags, discrepancy reports.
B) Inventory Tracking & Work-in-Process (WIP)
Batch ID / Serial Number
Asset Tag(s)
Location (rack/room/area) with time stamps for moves
Process Stage (intake → triage → data wipe → test → grade → disposition)
4) Evidence mapping: prove each step happened as written
Create a one-page “Evidence Map” that links each SOP to its evidence sources. Auditors love this because it shortens the path from “policy says X” to “show me X happened yesterday.”
Example (excerpt):
SOP / Control | Primary Record | Secondary Evidence | Owner
Intake & Chain-of-Custody | Receiving Log + photos | Seal logs, exception forms | Warehouse Lead
Data Wipe | Wipe Log + tool report | Sample verification sheet | ITAD Supervisor
Batteries Handling | Hazardous storage log | Spill kit inspection checklist | EHS Coordinator
Downstream Shipment | Bill of Lading, manifest | Scale ticket, export paperwork | Logistics Lead
CAPA Management | CAPA register | Root cause analysis worksheet | Compliance Manager
Keep the map printed in your Audit Binder and mirrored in your quality folder.
5) How to design records that survive scrutiny
Make it tamper-evident:
Use unique IDs and date/time stamps.
Limit edit rights; capture who changed what and when.
For paper forms, pre-number pages, and require initials on corrections.
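One way to capture "who changed what and when" so that later edits are detectable is a hash-chained change log. The following is an added example, not part of the original guide and not something R2v3 prescribes; hash chaining is a technique chosen here for illustration, and the field names and sample entries are constructed.

```python
# Added example (not from the original guide): hash-chained change log.
import copy
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value used for the first entry


def _digest(body, prev_hash):
    """SHA-256 over the canonical JSON of the entry body plus the previous hash."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_change(log, record_id, field, old, new, actor, timestamp):
    """Append one change; each entry commits to the entry before it."""
    body = {"seq": len(log) + 1, "record_id": record_id, "field": field,
            "old": old, "new": new, "actor": actor, "timestamp": timestamp}
    prev = log[-1]["hash"] if log else GENESIS
    entry = dict(body, prev_hash=prev, hash=_digest(body, prev))
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Return None if the log is intact, else the 1-based position of the first
    bad entry. If expected_head (a hash recorded elsewhere) does not match the
    last entry, return len(log) + 1: the chain was truncated or rebuilt."""
    prev = GENESIS
    for pos, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if (entry.get("seq") != pos or entry.get("prev_hash") != prev
                or entry.get("hash") != _digest(body, prev)):
            return pos
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log) + 1
    return None


def demo():
    """Build a constructed log, then check an edit, a deletion and a truncation."""
    log = []
    append_change(log, "A-0001", "status", "UNSANITIZED", "SANITIZED",
                  "op17", "2025-03-04T09:40:00Z")
    append_change(log, "A-0002", "result", "", "FAIL",
                  "op17", "2025-03-04T09:55:00Z")
    append_change(log, "A-0002", "status", "UNSANITIZED", "QUARANTINE",
                  "dsl01", "2025-03-04T10:05:00Z")
    head = log[-1]["hash"]            # record this outside the log, e.g. daily sign-off

    edited = copy.deepcopy(log)
    edited[1]["new"] = "PASS"         # someone rewrites a FAIL after the fact

    deleted = copy.deepcopy(log)
    del deleted[1]                    # someone removes the FAIL entry

    truncated = copy.deepcopy(log)[:2]   # last entry dropped; chain itself still valid

    return {
        "intact": verify_chain(log, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'intact' if result is None else 'first bad entry at ' + str(result)}")
```

A chain only proves internal consistency: anyone who can rewrite the whole file can recompute it, which is why the demo checks against a head hash kept outside the log and why edit rights still need to be limited.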
Data sanitization/destruction: multi-year minimum (often aligned to customer contracts)
Downstream approvals, permits, monitoring: through relationship + several years
EHS incidents and training: per regulatory and insurer guidance
Whatever period you choose, write it down and apply it consistently. Ensure rapid retrieval: if an auditor asks for “wipe logs for batch INT-2025-0912,” you should fetch them in minutes.
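One way to implement the "make it tamper-evident" points from section 5 in a digital log, as an added example that is not part of the original playbook: each entry carries a unique ID, a timestamp, the editor, and a hash chained to the previous entry, so edits and deletions show up on verification. The field names, record IDs and operators are assumptions made up for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def entry_digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def append_entry(log, record_id, editor, timestamp, fields):
    """Record a new version of a log row; earlier entries are never edited."""
    body = {
        "seq": len(log) + 1,
        "record_id": record_id,
        "editor": editor,
        "timestamp": timestamp,
        "fields": dict(fields),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    log.append(dict(body, hash=entry_digest(body)))
    return log[-1]

def verify_chain(log):
    """Return positions (1-based) of entries that fail; empty list = intact."""
    bad, prev = [], GENESIS
    for pos, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != pos or entry.get("prev_hash") != prev
                or entry_digest(body) != entry.get("hash")):
            bad.append(pos)
        prev = entry.get("hash")
    return bad

def history(log, record_id):
    """Who changed what and when for one record, oldest first."""
    out, last = [], {}
    for e in log:
        if e["record_id"] == record_id:
            changed = {k: v for k, v in e["fields"].items() if last.get(k) != v}
            out.append((e["timestamp"], e["editor"], changed))
            last = e["fields"]
    return out

def build_sample_log():
    # Constructed sample rows: IDs, operators and timestamps are made up.
    log = []
    append_entry(log, "WIPE-0001", "tech.a", "2025-09-12T09:14:00Z",
                 {"asset_id": "A-1001", "media_type": "SSD", "result": "fail"})
    append_entry(log, "WIPE-0002", "tech.b", "2025-09-12T09:20:00Z",
                 {"asset_id": "A-1002", "media_type": "HDD", "result": "pass"})
    append_entry(log, "WIPE-0001", "lead.c", "2025-09-12T11:02:00Z",
                 {"asset_id": "A-1001", "media_type": "SSD", "result": "pass"})
    return log
```

Record the latest `hash` somewhere the log's editors cannot change (for example, initialled on the printed daily sheet), since someone who can rewrite the whole file can also rebuild the chain.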
12) Common pitfalls (and how to avoid them)
Beautiful SOPs, empty logs. Fix: align every SOP with a mandatory record and a check.
Different numbers in different systems. Fix: daily reconciliation between intake, WIP, and outbound; investigate variances.
Expired downstream certs. Fix: a vendor calendar with 30-day reminders; no shipments if expired.
Training says “general safety.” Fix: specify process authorization by role (e.g., “authorized for HDD destroy”).
CAPAs that never close. Fix: weekly CAPA stand-up; escalate overdue items.
13) Your 30-day implementation plan
Week 1
Build your Document Index and assign owners.
Approve a Document Control SOP.
Draft the Evidence Map.
Week 2
Stand up 5 core logs: Receiving/CoC, Inventory/WIP, Data Wipe, Downstream DDQ, EHS Incidents.
Train owners and start using the forms immediately.
Week 3
Populate the Vendor Folders and risk ratings; set monitoring dates.
Run a mini internal audit on one process; open CAPAs.
Week 4
Reconcile one full batch trace end-to-end and fix gaps.
Hold a Management Review to set KPIs and resourcing.
Lock versions, archive drafts, and set next review dates.
14) Final sanity check before the auditor arrives
Can you trace one unit from intake to final disposition with matching counts, signatures, and dates?
Can you show who performed and verified each critical step and that they were authorized and trained?
Can you prove your downstream was approved and monitored at the time of shipment?
Do your CAPAs show root cause and effectiveness checks?
Are your policies/SOPs current, controlled, and consistent with how work is actually done?
If the answer is yes to all five, your documentation system is not just compliant—it’s operationally useful. That’s what makes evidence stand up in an R2v3 audit.
Use this as a practical, printable playbook. It translates R2v3 into day‑to‑day actions, owners, and evidence to show an auditor. Always defer to the official R2 Standard, the R2 Equipment Categorization (REC), the Code of Practices (COP), and SERI guidance when in doubt.
Quick‑Start & Table of Contents
How to use this guide
1) Confirm your Scope and which Appendices apply.
2) Assign Owners.
3) Print the checklists for only the clauses that apply.
4) Build your Evidence Binder using the clause‑to‑evidence map.
5) Run the Self‑Assessment Scorecard and close gaps.
6) Rehearse with the Auditor Interview Playbook.
7) Keep it current monthly.
Core Requirements (CR 1–10) — apply to every certified facility.
Process Requirements (Appendices A–G) — apply only if you perform those operations (e.g., Data Sanitization, Test & Repair, Brokering, PV Modules).
Manager’s first job: publish a clear Scope (CR‑1), determine which Appendices apply, then build procedures, training, records, and metrics around both.
Roles & RACI (suggested)
Top Management (TM): policy, resources, objectives, management review.
Periodic sample of routing decisions with evidence (e.g., evaluation forms, photos, test results).
Show the auditor: policy, routing SOPs, sampled job tickets, nonconforming material log.
CR‑3 EH&S Management System (EHSMS)
Plain‑English: Run a real EHS management system (ISO 14001 + ISO 45001 or RIOS). Know your hazards and control them.
You need:
Certification to an approved EHSMS (or documented conformance if allowed by COP) and effective risk assessments for your processes (e.g., batteries, CRTs, PV, shredding, manual disassembly).
Show the auditor: certificates, risk register, SOPs, drills, inspection logs, training/competency records, internal audit + CAPA, management review.
CR‑4 Legal & Other Requirements
Plain‑English: Know the laws that apply (environmental, health & safety, waste, import/export, data, privacy) and prove you follow them.
You need:
A legal register covering all jurisdictions (site + shipping). Include permits/consents, waste codes, transporter and destination authorizations, and data/security rules.
A compliance plan with monitoring, documented checks, and corrective actions. Include proof of lawful imports/exports when applicable.
Consider customer and other contractual requirements.
Checklist (Owner: EHS + LOG + DSV)
Legal register current (incl. cross‑border flows, Basel/equivalents, customs/classifications).
Permits/licenses displayed and valid; conditions tracked.
Import/export dossier template (evidence of legality) defined; shipping files include it.
Controls to prevent mixing of incompatible or hazardous streams; defect/hold process.
Checklist (Owner: OPS + QTL)
Evaluation forms/templates live and used.
REC mapping published at workstations.
Nonconforming/hold procedure + quarantine area.
Calibration/maintenance for test equipment.
Show the auditor: traveler packets, evaluation records, REC labels, calibration logs.
CR‑7 Data Security
Plain‑English: Prevent data breaches. Sanitize or physically destroy data storage devices under controlled conditions — and prove it.
You need:
Data security policy (roles, access control, authorization levels, disciplinary consequences).
Physical/logical security of data areas (restricted access, CCTV or equivalent controls, chain of custody, tamper‑evident packaging, device tracking).
Sanitization SOPs aligned to device type and data sensitivity; incident response.
Checklist (Owner: DSL)
Access control list + authorization records for data handlers.
Secure areas defined; security controls tested.
Incident response plan + drills.
If you sanitize: Appendix B is applicable (see below).
Show the auditor: policy, access logs, chain‑of‑custody, incident drills, sample sanitization packets.
CR‑8 Focus Materials (FM)
Plain‑English: Identify Focus Materials (e.g., mercury devices, CRT glass, some batteries and lamps, certain PV components). Manage them to prevent uncontrolled releases and ensure legal downstream recovery.
You need:
FM identification by device/component, safe handling & storage, containment, spill kits, emergency response.
Qualified downstream vendors with appropriate permits/capabilities; additional controls for export.
Evidence that non‑FM streams are still managed per the hierarchy and law.
Checklist (Owner: EHS + DSV + OPS)
FM inventory & handling SOPs.
FM storage specs (closed, labeled, compatible, inspected).
FM downstream qualifications complete and current; contracts reference FM controls.
Export screens and records (where applicable).
Show the auditor: FM list by SKU/bill of materials, inspections, training, downstream approvals, shipment files.
CR‑9 Facility Requirements
Plain‑English: Your building, equipment, and housekeeping protect workers, the public, the environment, and product integrity.
You need:
Good housekeeping; weather/containment controls; ventilation and dust/noise controls where needed; fire prevention & protection; battery and lithium handling precautions; security.
Pack/segregation SOPs by device/material (incl. batteries, displays, PV).
Shipping descriptions/codes verified before dispatch.
Seal logs and exception handling.
Show the auditor: sample BLs/manifests, carrier files, packaging SOPs, seal records, training.
Appendix Applicability Matrix (quick self‑screen)
A – Downstream Recycling Chain: If you transfer control to any downstream (reuse, repair, recovery, disposal) — almost everyone.
B – Data Sanitization: If you wipe or destroy data storage devices, or manage data‑bearing devices for reuse.
C – Test & Repair: If you functionally test and/or repair devices/components for reuse.
D – Specialty Electronics Reuse: If you refurbish, test, or resell specialized equipment (e.g., medical, lab, industrial) requiring special competencies/compliance.
E – Materials Recovery: If you mechanically or chemically process to recover materials (e.g., shred, smelt partners, de‑manufacture to commodity streams).
F – Brokering: If you control equipment to a downstream without physically receiving/processing it at your site.
G – PV Modules: If you handle, process, store, transport, or broker photovoltaic (solar) modules/cells.
If an activity is outsourced, Appendix A controls still apply to managing that downstream.
Appendix Applicability Decision Tree (quick)
Start → Do you transfer control to any downstream? → Yes → Appendix A applies
↓ No → (rare; recheck)
Do you handle data‑bearing devices or sanitize/destroy storage? → Yes → Appendix B
Do you test/repair for reuse? → Yes → Appendix C (and D if specialized equipment)
Do you mechanically/chemically recover materials? → Yes → Appendix E
Do you arrange downstreams without physical possession? → Yes → Appendix F
Do you handle/broker PV modules? → Yes → Appendix G
If an activity is outsourced, Appendix A controls still apply to managing that downstream.
Process Requirements (Appendices A–G)
Appendix A — Downstream Recycling Chain (DSV)
Plain‑English: Know your downstreams, qualify them, contract them, and keep verifying.
You need:
A downstream map from your dock to final disposition for each stream.
Qualification criteria (permits, capabilities, certifications, FM handling, legality), initial due diligence, and ongoing monitoring.
Contract terms requiring conformance and allowing oversight.
Records that shipments matched the plan (no leakage to uncontrolled destinations).
Checklist (Owner: DSV)
Stream‑by‑stream downstream map maintained.
Qualification pack per downstream (permit/licensing, capabilities, references, audit/assessment).
Contract language covering R2 duties, FM, confidentiality, sub‑tier control.
Annual monitoring (desktop or on‑site); re‑qual triggers defined.
Shipment exception process (mismatches, rejections) with CAPA.
Show the auditor: current downstream matrix, sample qualifications, contracts, monitoring reports, exception/CAPA log.
Appendix B — Data Sanitization
Plain‑English: Sanitize (logical erase) and/or physically destroy per device type, verify the result, and trace each device.
You need:
Device‑specific methods (aligned to NIST 800‑88 or stricter where required). When using physical destruction, follow method tables and controls.
Parts provenance/traceability (no counterfeit); ESD program.
Outgoing quality checks; RMA/warranty feedback loop into CAPA.
Show the auditor: traveler with test results, grading snapshots, calibration certificates, training, outgoing QC records.
Appendix D — Specialty Electronics Reuse
Plain‑English: Extra controls for specialized equipment (e.g., medical, lab, avionics, networking/carrier‑grade) where laws, safety, or calibration apply.
You need:
Proof of competency, specialized tools, and access to service info.
Calibration and functional verification to appropriate standards before resale.
Checklist (Owner: QTL + EHS)
Specialty device inventory and risk screen.
Regulatory/standards map per device type; prohibitions documented when reuse is unsafe/illegal.
Calibration records & labels; warnings/instructions included with sales.
Show the auditor: device‑type cheat sheets, competence records, calibration, outgoing documentation.
Appendix E — Materials Recovery
Plain‑English: Control your depollution and recovery processes so there are no uncontrolled releases and FMs get proper downstreams.
You need:
Depollution steps before shredding; emission/effluent controls where applicable.
Process parameters, maintenance, and monitoring records.
Contracts/downstream verification for each commodity, especially FM fractions.
Checklist (Owner: OPS + EHS + DSV)
Pre‑treatment/depollution work instructions (batteries, mercury, toner, PV laminate, etc.).
Shredder or dismantling controls (guards, ventilation, fire suppression, feed limits).
Sampling/analytics for output quality if claimed.
Downstream verifications current; shipments match declared outlets.
Show the auditor: SOPs, maintenance logs, monitoring data, shipment files, downstream approvals.
Appendix F — Brokering
Plain‑English: Even if you never touch the goods, you still control them. Prove they went to qualified downstreams with correct categorizations and documents.
You need:
Control and visibility from seller → downstream; accurate descriptions and REC categories.
Contracts binding downstreams; qualification & monitoring like Appendix A.
Records: chain of custody, shipping docs, exceptions & CAPA.
Repair Traveler (Appendix C/D) — diagnostics performed; parts used; locks/firmware status; cosmetic grade; final test results; traceability to sanitization record.
Facility Inspection (CR‑9) — aisles/egress; density limits; battery stations; fire systems; PM checks; photo log.
Create these as single‑page PDFs, laminate, and post at the relevant workstations.
1) Hierarchy of Responsible Management Strategies
Order of preference (always legal & safe): 1) Reuse → 2) Materials Recovery → 3) Disposal (last resort).
Never reuse: stolen, counterfeit, recalled, illegally imported/exported, or unsafe items.
Operator cues: If reusable per SOP → route to Test/Repair; if not → depollute FMs → materials recovery; document your decision on the traveler.
2) REC Quick‑Guide (per product family) — fill in your site’s mappings
Product Family | Example Acceptance for Reuse | Required Tests/Proof | Data Status | Cosmetic Grade | Your REC Category
Laptops | Boots to OS; battery health ≥ threshold | Keyboard, display, ports, battery, Wi‑Fi | Wiped/verified | B/C | [select]
Desktops | POST OK; no missing major parts | CPU/RAM/storage checks; ports | Wiped/verified | B/C | [select]
Smartphones | Unlockable; no activation lock | Screen, camera, battery, radios | Wiped/verified | B/C | [select]
Servers/Networking | Powers; passes vendor diag | Fans, ports, firmware, PSU | Wiped/verified | N/A | [select]
Displays | No cracks; acceptable pixel defects | Burn‑in, color, controls | N/A | B/C | [select]
PV Modules | Safe connectors; passes test plan | Visual + electrical checks | N/A | N/A | [select]
Replace [select] with your approved REC code per the official R2 Equipment Categorization. Keep a printed copy of the full REC table nearby.
3) Battery & PV Handling — Do’s / Don’ts
Batteries (esp. lithium):
Do: tape/cap terminals; segregate by chemistry and state (intact vs. damaged); use approved containers; maintain spacing; inspect daily; keep spill/thermal event kit ready; train staff.
Don’t: crush, puncture, over‑stack, mix damaged with intact, charge in staging, or store near heat sources.
PV modules:
Do: assume energized; cover connectors; use glass‑safe lifting; store flat/secured; clean‑up broken glass per SOP; identify FM components before processing.
Don’t: cut live wires; lean stacks unsecured; ignore micro‑cracks or delamination.
4) “Call Before You Ship” — Export/Transfer Checklist
Receiving site authorized (permits/licences) and qualified in your downstream matrix.
Correct classifications/codes and documentation prepared (include evidence of legality where required).
Contract includes R2 obligations, FM handling, and sub‑tier controls.
Packaging/segregation per SOP; no data‑bearing devices shipped without required status/proofs.
Records pack assembled (shipping docs, permits/consents, contacts). If anything uncertain → call the DSV/LOG lead before dispatch.
5) Data Area — Golden Rules
Access‑controlled: authorized, trained staff only; visitors escorted and logged.
Chain of custody: every device has a unique ID; status visible (e.g., To‑Wipe/In‑Process/Verified/Failed).
Approved methods/tools only; verification recorded for every device per SOP.
No personal devices, photography, or unsecured notes in the data area.
Incident? Stop, secure, report to DSL; complete incident log and follow response plan.
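The "Call Before You Ship" checks and the data-area status rule above, combined into a pre-dispatch gate. This is an added example, not part of the original playbook: it blocks a shipment when the destination is unqualified or expired, or when a data-bearing unit lacks Verified status or a wipe-log reference. The record layout, finding codes and all sample values are assumptions constructed for illustration.

```python
from datetime import date

def check_shipment(shipment, matrix, devices, remind_days=30):
    """Return (blockers, reminders); release only when blockers is empty."""
    blockers, reminders = [], []
    dest, day = shipment["destination"], shipment["ship_date"]
    vendor = matrix.get(dest)
    if vendor is None:
        blockers.append(("DOWNSTREAM_NOT_QUALIFIED", dest))
    else:
        if shipment["stream"] not in vendor["approved_streams"]:
            blockers.append(("STREAM_NOT_APPROVED", shipment["stream"]))
        days_left = (vendor["permit_expires"] - day).days
        if days_left < 0:
            blockers.append(("PERMIT_EXPIRED", dest))       # no shipments if expired
        elif days_left <= remind_days:
            reminders.append(("PERMIT_EXPIRES_SOON", dest, days_left))
    for unit_id in shipment["units"]:
        dev = devices.get(unit_id)
        if dev is None:
            blockers.append(("NO_CUSTODY_RECORD", unit_id))  # unit never logged
        elif dev["data_bearing"]:
            if dev["status"] != "Verified":
                blockers.append(("NOT_VERIFIED", unit_id))
            elif not dev.get("wipe_log_ref"):
                blockers.append(("NO_WIPE_PROOF", unit_id))  # status without evidence
    return blockers, reminders

# Constructed sample data (hypothetical vendors, units and dates).
SAMPLE_MATRIX = {
    "DS-01": {"approved_streams": {"reuse-laptops"},
              "permit_expires": date(2025, 10, 1)},
    "DS-02": {"approved_streams": {"shred-mixed"},
              "permit_expires": date(2025, 8, 31)},
}
SAMPLE_DEVICES = {
    "A-1001": {"data_bearing": True, "status": "Verified", "wipe_log_ref": "WIPE-0001"},
    "A-1002": {"data_bearing": True, "status": "In-Process", "wipe_log_ref": None},
    "A-1003": {"data_bearing": True, "status": "Verified", "wipe_log_ref": None},
    "A-1004": {"data_bearing": False, "status": "N/A", "wipe_log_ref": None},
}
SAMPLE_SHIPMENT = {
    "destination": "DS-01",
    "stream": "reuse-laptops",
    "ship_date": date(2025, 9, 12),
    "units": ["A-1001", "A-1002", "A-1003", "A-1004", "A-1999"],
}
```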
Final Reminders
Keep it simple, visible, and provable. If you can’t show it, it didn’t happen.
When you add a new process or product family, revisit Scope, REC mapping, hazards, downstreams, and training.
Use internal audits as practice — the best time to find a gap is before the auditor does.