IT Asset Disposal (ITAD)

The Reuse-First decision tree

Step 1 — every asset is triaged for reuse potential. Step 2 — working units flow to wipe-and-refurbish; the residual value is settled to you in MYR against PO. Step 3 — only what fails the reuse triage (non-functional media, top-classified drives, regulator-mandated destruction) is destroyed. Step 4 — destruction method is matched to the media: NIST SP 800-88 Purge for working drives, IEEE 2883-2022 firmware Sanitize for SSD/NVMe, 6mm/2mm shredding for top-classified, degaussing for LTO/DLT.

What we collect

Servers, storage, networking, laptops, desktops, GPUs, AI accelerators, switches, UPS, racks, structured cabling, retired media. We pull partial racks; we do not require full-cage commitments.

How destruction is matched to media

Working enterprise media: NIST SP 800-88 Rev. 1 Purge (software wipe with cryptographic verification). Top-classified or non-functional drives: physical destruction at 6mm or 2mm shred size. SSDs and NVMe: IEEE 2883-2022 firmware Sanitize. LTO/DLT magnetic tape: degaussing with field-strength logged per pass. Every method is logged per device.

What you get back

A sealed envelope containing: (1) device-level manifest with serial numbers, (2) per-asset Per-job Certificate of Destruction listing method + particle size + date + operator, (3) chain-of-custody log signed at every transfer, (4) consolidated settlement against your PO in MYR, (5) ESG metrics — diversion-from-landfill %, material recovery, estimated CO₂e avoided — for your sustainability report.

Engagement profile and timeline

A typical Maxicom engagement runs through six stages, each documented and signed off before the next begins. Stage 1 — Scoping (1-3 business days): asset list reconciled to physical reality, regulator stack confirmed, witness destruction requirement determined, settlement currency and PO terms agreed. Stage 2 — SOW and pricing (1-2 days): written MYR quote per asset with line-item detail; SOW includes service levels, certificate retention, exception handling, indemnity terms, NDA. Stage 3 — Pickup scheduling (1-5 days): chain-of-custody manifest pre-prepared, vehicle GPS-tracked from pickup, tamper-evident sealed containers on top-classified loads. Stage 4 — Sanitisation and refurbishment (5-14 days): NIST SP 800-88 Rev. 1 Purge or IEEE 2883-2022 firmware Sanitize per media; Reuse-First triage applied per device; per-asset Certificate of Destruction generated; refurb-eligible units routed through trader-channel network. Stage 5 — Settlement (5-7 days): MYR settlement against PO, line-item per asset, net of agreed deductions; ESG metrics report attached. Stage 6 — Quarterly review (programme engagements): Reuse-First reuse rate, compliance attestations, sustainability metrics, exception reporting. Total cycle from signed SOW to settled PO: 14-30 business days for single-event engagements; 30-90 days for multi-site programmes; rolling cadence for multi-year contracts.

Audit defensibility — what regulators actually inspect

Across the four markets we operate in, regulator inspections of ITAD documentation focus on four criteria. First, per-asset granularity: does the certificate name specific drives by serial number, or is it a bulk-job certificate naming only "all drives in batch X"? Bulk certificates are the most common finding and we do not issue them. Second, standard citation: is the sanitisation method named with a specific reference to NIST SP 800-88 Rev. 1 (Clear / Purge / Destroy with technique), IEEE 2883-2022 (Block Erase or Crypto Erase), DoD 5220.22-M where contractually specified? Vague references like "secure wipe" or "industry-standard erasure" fail audit. Third, verification evidence: is there documented evidence the sanitisation actually completed — controller status response, read-back verification, photographic evidence of physical destruction? Vendors that skip verification produce certificates that fail on this field. Fourth, chain-of-custody continuity: does the certificate trace back to the pickup manifest without unsigned gaps in transit, intake, or destruction-stage hand-off? Maxicom certificates pass all four criteria by design across BFSI inspections (RBI in India, OSFI Guideline B-13 in Canada, MAS TRM in Singapore, Central Bank of UAE / DIFC / ADGM in the UAE), government inspections, and healthcare audits since 1996.

Settlement mechanics — currency, PO, payment terms

Settlement is in your reporting currency (MYR) against your purchase order. Payment terms are 7 business days from manifest reconciliation as the Maxicom standard; programme engagements run on milestone-based settlement against the rolling pickup schedule with monthly true-up. Line-item invoicing per asset is standard — your finance team sees exactly what each unit was worth and how the total was computed, with deductions for destruction, logistics, or rework called out explicitly. We do not bundle. We do not surprise-charge. Cross-border settlement (where the engagement spans multiple Maxicom operating regions) is consolidated to your reporting-currency entity through internal Maxicom inter-company arrangements; the customer-facing transaction is single-currency. Where the customer requires invoicing through a specific Maxicom legal entity (Maxicom UAE, Maxicom India, Maxicom Singapore, Maxicom Canada, Maxicom Hong Kong), the SOW is structured accordingly and the GST / VAT / HST / withholding-tax treatment is handled per local tax law.

Where this service fits in your refresh cycle

Most enterprise IT refresh cycles produce predictable retiring volumes — laptop fleets at 3-year cycles, server estates at 5-year cycles, networking at 5-7 year cycles, GPU clusters at 12-18 months under AI workload pressure. Maxicom services attach to those refresh cycles as the disposition workstream: at the back of the refresh, retiring assets flow through Reuse-First triage; at the front of the next cycle, refurbished assets are available through our Refurbished IT Sales pipeline if the customer wants to mix new and refurb procurement. The integration model varies by engagement: single-event services (refresh, decommissioning, M&A divestiture) run as 14-60-day SOWs; programme services (Programme ITAD, Global ITAM) run as multi-year master service agreements with quarterly review cadence. Most BFSI and government engagements move from single-event to programme within 12-18 months as the customer realises the disposition workstream is more efficient under a programme contract than under repeated single-event RFPs.

Reuse-First reuse rate — the disposition KPI that matters

The single most informative disposition KPI is the Reuse-First reuse rate: the percentage of retired tonnage that was refurbished and redeployed (vs destroyed). Across Maxicom engagements, our blended reuse rate for the 2024-2025 cohort was 67% — meaning about two-thirds of every retired tonne came back into productive service somewhere in our five-country network rather than being destroyed and recycled. The remaining 33% split between regulator-mandated destruction (top-classified data, encryption key stores, drives that failed Purge verification) at about 22%, and asset classes where refurb is uneconomic (legacy USB flash, optical media, certain consumer-grade peripherals) at about 11%. We report your engagement-specific reuse rate quarterly so you can benchmark against the blended; programme engagements typically improve their reuse rate from year 1 to year 2 as the engagement learns which asset classes hold value. The reuse rate also drives the embodied-carbon-recovered metric flowing to your sustainability committee — every percentage point of reuse rate corresponds to approximately 30-50 tonnes of CO₂e avoided per 1,000-asset engagement.

Cross-jurisdiction execution — when your engagement spans multiple Maxicom regions

A meaningful portion of our engagements span multiple operating regions — UAE-headquartered enterprises with Indian back-office, Canadian banks with Indian or Singaporean operations, multinational hyperscale tenants with cross-border AI clusters. The cross-jurisdiction model: single SOW with the contracting Maxicom legal entity (typically the entity in your reporting-currency jurisdiction), country leads in each operating region executing locally, programme manager coordinating across, consolidated reporting in your reporting currency, regulatory attestations issued per jurisdiction so each regulator sees a compliant engagement record in their format. Asset routing decisions happen at scoping: where the customer requires sovereign data residency, sanitisation completes in-jurisdiction before any cross-border movement; where cross-border resale is permitted, post-sanitisation refurb routing optimises against the trader-channel network. This is the single most-cited reason BFSI and hyperscale customers consolidate from regional vendor panels to Maxicom — operational simplification at the contract level without losing local-execution depth.

Insurance, indemnity and liability — what the SOW actually covers

Standard Maxicom SOW indemnity covers: gross negligence in sanitisation execution (e.g. drive routed to refurb without completed Purge verification — never seen in 25 years of operations, but contractually covered if it occurred); chain-of-custody breach attributable to Maxicom operators (transit incidents, intake mismatches); errors in the per-asset certificate where the error caused regulator finding. We carry professional indemnity insurance sized to enterprise engagements; cover sheet and policy reference available on NDA at SOW signing. Standard exclusions: customer-side mis-classification at retirement (Maxicom executes against the data classification on the manifest; if the customer mis-classifies, that is the customer's exposure); regulator changes after engagement signing where the SOW does not include a change-management clause; force majeure events. Where the customer requires expanded indemnity (typical for BFSI top-classified engagements), the SOW addendum specifies the extended cover and the cost premium.

Termination, exit and data-portability — what happens if the engagement ends

Standard Maxicom MSAs include: 60-day termination-for-convenience with no penalty, 30-day cure period for material breach, 30-day exit transition with full handover of engagement records to the customer or to a successor vendor in the customer's nominated format. Data-portability: every engagement record (manifest, certificate, settlement invoice, ESG metrics) is exportable in CSV / JSON / PDF / on encrypted physical media. Compliance vault retention continues post-termination for the regulator-required period; certificates remain retrievable on request even after the commercial relationship ends. We do not hold data hostage; we do not gate exit; we do not impose unreasonable transition fees. Where the customer is moving to a new ITAD vendor, we cooperate with the successor on chain-of-custody handover. The exit clause is the single most underrated piece of an MSA — we draft it for clean exit because clean exit is the right answer for both sides.