NAID-grade Protocol

What NAID-grade Protocol covers

Operator vetting — every Maxicom destruction operator passes a background check, signs an NDA, and completes destruction-specific training before handling client assets. Operator names and IDs appear on every per-asset certificate; spot audits of operator credentials are part of our quarterly compliance review. Witness destruction — available on request at our facility (with cleared-area protocols, CCTV recording, dual-operator destruction) or on-site at the client facility (with mobile shred units). The witness signature appears on the per-asset certificate alongside the operator signature. Chain of custody — signed manifests at every transfer (data closet → vehicle → facility → destruction station), GPS-tracked vehicles, tamper-evident sealed containers on top-classified loads. No unsigned hand-off windows. Per-asset certificate — every drive has its own line on the certificate (not bulk-job). Eleven required fields: serial number, make/model/capacity, data classification, sanitisation method, particle size or field strength, tool and verification, UTC timestamp, operator name + ID, witness where applicable, chain-of-custody reference, destruction reason where Reuse-First was overridden.

NAID AAA Certification vs NAID-grade Protocol — the honest distinction

NAID AAA is a paid membership requiring annual third-party audit; AAA-certified vendors pay an annual fee and submit to surprise audits. Maxicom has chosen not to pursue AAA Certification for cost reasons (the annual fee + audit cost is non-trivial; the engagement value to most of our clients is sub-marginal because per-engagement compliance review is more relevant than annual blanket certification). We operate to the same operational discipline AAA Certification audits against, and we say so explicitly. Where a client contract specifically requires AAA Certification, we partner with a NAID-AAA-certified destruction subcontractor and document the partnership chain of custody. We do not claim AAA Certification we do not hold.

Why operator vetting matters more than people think

Most data incidents in ITAD do not happen in destruction. They happen at hand-off points where the chain of custody breaks down — typically because an unvetted operator was in possession of data-bearing media for an unsigned interval. Operator vetting closes that gap. The Maxicom standard: every operator handling data-bearing media has signed an NDA, passed a background check appropriate to the data classification (deeper checks for BFSI top-classified work), and completed training on the specific sanitisation method they will execute. The vetting is documented; spot-audits of vetting are part of our quarterly compliance review.

Witness destruction — when and why

Witness destruction is contractually required under: (1) BFSI top-classified material engagements (board minute drives, encryption key stores, customer-PII at scale at major banks); (2) government restricted-data engagements; (3) M&A IT diligence destruction (where the buyer requires evidence the seller has truly destroyed); (4) insurance-claim evidence destruction; (5) regulator-mandated destruction following a data incident. Witness destruction is available on request for any engagement; the per-engagement cost premium is modest relative to the risk-mitigation value.

How NAID-grade Protocol composes with NIST 800-88 Rev. 1 and IEEE 2883-2022

NIST 800-88 Rev. 1 is the technical sanitisation framework — what method to apply to what medium. IEEE 2883-2022 is the SSD-specific firmware Sanitize command set — how to execute the method on solid-state media. NAID-grade Protocol is the operational-discipline layer — who is authorised to execute, who witnesses, how is it documented. The three together form the audit-defensible foundation: NIST tells you the method; IEEE 2883 tells you the command; NAID-grade Protocol tells you the discipline of the human stack executing both.