Retiring enterprise mobile devices should be straightforward: wipe the data, recycle the hardware, move on. In practice, it’s one of the most overlooked compliance risks in Canadian IT operations. The gap between what general-purpose ITAD providers can handle and what mobile device fleets actually require is wider than most buyers realise — and that gap creates exposure that persists long after the devices leave your facility.
This guide ranks the seven best secure mobile device decommissioning and ITAD companies serving Canadian enterprises in 2025. We evaluated each provider against criteria that matter specifically for mobile fleets — not servers, not laptops, but the smartphones, tablets, rugged handhelds, and scanners that power frontline operations. If you’re responsible for retiring hundreds or thousands of mobile devices and need a defensible audit trail, this is the comparison you’ve been looking for.
Why choosing the right ITAD partner matters more for mobile devices
A national retailer recently retired 2,000 Zebra scanners from their distribution centres. They sent them to their existing ITAD vendor — a reputable firm with strong credentials for data-centre hardware. Three weeks later, the devices were still sitting in a processing queue.
The problem wasn’t capacity. It was capability. The ITAD provider had no workflow for unenrolling the scanners from SOTI MDM, no process for deregistering IMEIs from the carrier’s asset list, and no documentation for physical SIM destruction. The devices sat in limbo — technically the retailer’s liability, practically untouchable — while the provider scrambled to figure out what to do with them.
This is the gap most buyers don’t see until it’s too late. Managed mobility services encompass the full device lifecycle, but decommissioning is where the handoff between mobility and ITAD typically breaks down. Most ITAD providers built their workflows for laptops, desktops, and data-centre hardware. When you hand them a pallet of Zebra TC72s or Honeywell CT60s, they often don’t know where to start.
The cost of getting it wrong
Getting decommissioning wrong is expensive in ways that extend far beyond the devices themselves. When residual data on an improperly wiped device triggers a breach, the exposure is immediate and quantifiable.
Canadian businesses lose an average of $6.98 million per breach — a 10.4% increase from 2024 according to IBM’s 2025 Cost of a Data Breach Report. That figure represents the fully loaded cost: detection and escalation, notification, lost business, and post-breach response. A single device, wiped incorrectly or not at all, can trigger an incident at this scale.
The regulatory environment makes this worse. The Office of the Privacy Commissioner’s 2024–25 Annual Report documented 686 PIPEDA private-sector breach reports, with 555 of those — 81% — involving unauthorised access. Unauthorised access is precisely the category that end-of-life devices fall into when residual data is exposed. A device sitting in a processing queue, or worse, shipped to a carrier trade-in programme without proper sanitisation, is a breach waiting to happen.
What makes mobile different
The specifics matter here. When a laptop arrives at an ITAD facility, the destruction workflow is well-understood: verify the drive, wipe or shred it, document the process. Mobile devices introduce a layer of complexity that most ITAD providers aren’t equipped to handle.
Before any data destruction can occur, someone needs to unenrol the device from its MDM platform — whether that’s SOTI, 42Gears, Intune, Workspace ONE, or Jamf. If the device is an iPhone, Activation Lock needs to be removed. If it’s an Android device, Factory Reset Protection needs to be cleared. The IMEI needs to be deregistered from the carrier’s asset list. Physical SIMs need to be destroyed. eSIM profiles need to be deleted.
Skip any of these steps, and you’ve created a documentation gap. The device may be physically destroyed, but your audit trail is incomplete — and an incomplete audit trail is a liability during regulatory review.
How we evaluated and ranked these providers
The most common mistake Canadian buyers make when evaluating ITAD providers is accepting a corporate-level certification as proof that the specific facility processing their devices meets the same standard. A provider may hold R2 v3 certification at their US headquarters while their Canadian processing facility operates under different — or no — certification.
Before we ranked a single provider, we established criteria that reflect how enterprise mobile device fleets actually need to be retired in Canada. These aren’t theoretical best practices — they’re the requirements that determine whether your decommissioning documentation will hold up in an audit.
R2 v3 certification — verified at the facility level
R2:2013 certificates expired industry-wide on June 30, 2023. Any active R2 certificate must now be R2 v3. This matters because R2 v3 introduced stronger requirements for data sanitisation, security, and environmental responsibility.
More importantly, R2 v3 certification applies to specific facilities, not corporate entities. A provider can claim R2 v3 on their website while the actual Canadian facility processing your devices operates without certification. The only way to verify is to check the SERI directory directly, searching by facility address — not company name.
We verified each provider’s Canadian facility certifications against the SERI directory. Where discrepancies exist between provider claims and directory listings, we note them explicitly.
Data destruction standards — NIST 800-88 and CCCS ITSP.40.006
For Canadian enterprise and government workloads, the destruction standard hierarchy is clear. CCCS ITSP.40.006 v2 is the Canadian government standard for IT media sanitisation — it replaced RCMP TSSIT OPS-II in 2017 and aligns with NIST SP 800-88 Rev. 1.
NIST 800-88 defines three levels of sanitisation: Clear (logical overwrite), Purge (more thorough methods including cryptographic erase), and Destroy (physical destruction). For mobile devices that cannot be powered on — a common scenario with rugged fleet devices that have endured years of warehouse or field use — physical destruction is often the only option.
For federal Protected B+ workloads, the requirements go further. RCMP GCPSG-001 (2025) specifies that destruction must use RCMP-approved equipment, and technicians must hold PSPC Contract Security Program clearance.
DoD 5220.22-M, while still referenced in some legacy RFPs, is a US standard that predates modern mobile devices. It should not be a primary criterion in Canadian procurements.
Certificate of destruction quality — what actually belongs on the document
A certificate of destruction that reads “Batch of 500 devices — wiped” is worthless in an audit. What auditors actually ask for is a serialised record: this IMEI, this serial number, this destruction method, this date, this technician.
At minimum, a Canadian audit-ready certificate of destruction should include:
- Device serial number
- IMEI (for cellular devices)
- Make and model
- Destruction method (NIST 800-88 Clear/Purge/Destroy, or physical shred with particle size)
- Date of destruction
- Technician name and signature
- Witness signature for high-sensitivity destruction
- Provider corporate signature and reference number
For Protected B+ workloads, the certificate must also link to the RCMP-approved equipment ID and operator clearance documentation.
When evaluating RFP responses, look at the certificate of destruction sample first. If it doesn’t have individual serial numbers, IMEIs, technician names, and destruction method per device, everything else in the proposal is irrelevant — because the one document your auditor will actually ask for doesn’t meet the standard.
Canadian in-country destruction — data residency and chain of custody
PIPEDA requires safeguards “appropriate to the sensitivity of the information” through the full lifecycle, including disposal. Organisations that ship data-bearing devices to US facilities for destruction introduce cross-border data-transfer risk — and in the current trade environment, that risk has procurement implications beyond pure compliance.
In-country destruction means that data-bearing devices never leave Canadian jurisdiction before sanitisation is complete. The chain-of-custody documentation should include GPS-tracked secure transport, scan-in/scan-out at the processing facility, serialised asset reconciliation, and time-stamped milestones from pickup to certificate issuance.
We prioritised providers that can guarantee in-country Canadian destruction with documented chain of custody.
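As an added illustration (not code from any provider named in this guide), the sketch below audits a certificate of destruction exported as CSV: it checks the per-device fields listed earlier, validates each IMEI's Luhn check digit, and performs the serialised asset reconciliation described above against the manifest of devices shipped. The CSV column names, the method labels, and all sample records are assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Per-device fields from the audit-ready minimum (column names are assumed).
REQUIRED = ("serial", "make_model", "method", "destroyed_on", "technician")
# NIST 800-88 sanitisation levels; the exact labels used here are assumed.
METHODS = {"clear", "purge", "destroy"}


def imei_valid(imei: str) -> bool:
    """An IMEI is 15 digits; the last one is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_certificate(cert_csv: str, manifest: dict) -> dict:
    """Check each certificate row and reconcile serials against the manifest.

    manifest maps serial -> expected IMEI, or None for non-cellular devices.
    """
    row_issues = {}
    seen = set()
    reader = csv.DictReader(io.StringIO(cert_csv))
    for n, row in enumerate(reader, start=1):
        rec = {k: (v or "").strip() for k, v in row.items() if k is not None}
        serial = rec.get("serial", "")
        problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]

        method = rec.get("method", "")
        if method and method.lower() not in METHODS:
            problems.append(f"unrecognised method '{method}'")

        when = rec.get("destroyed_on", "")
        if when:
            try:
                date.fromisoformat(when)
            except ValueError:
                problems.append("destroyed_on is not an ISO date")

        imei = rec.get("imei", "")
        if imei and not imei_valid(imei):
            problems.append("IMEI fails check digit")

        if serial:
            if serial in seen:
                problems.append("duplicate serial")
            seen.add(serial)
            if serial not in manifest:
                problems.append("serial not on shipped manifest")
            else:
                expected = manifest[serial]
                if expected and not imei:
                    problems.append("IMEI missing for cellular device")
                elif expected and imei_valid(imei) and imei != expected:
                    problems.append("IMEI differs from manifest")

        if problems:
            row_issues.setdefault(serial or f"<row {n}>", []).extend(problems)

    # Devices that were shipped but never appear on the certificate.
    missing = sorted(set(manifest) - seen)
    return {
        "row_issues": row_issues,
        "missing": missing,
        "audit_ready": not row_issues and not missing,
    }


# Constructed sample data: devices handed to the provider at pickup.
SAMPLE_MANIFEST = {
    "ZS-0001": "490154203237518",
    "ZS-0002": "352099001761481",
    "TB-0003": None,               # Wi-Fi-only tablet, no IMEI expected
    "ZS-0004": "356938035643809",  # shipped, but absent from the certificate
}

# Constructed sample certificate, including a batch-style line with no serial.
SAMPLE_CERT = """\
serial,imei,make_model,method,destroyed_on,technician
ZS-0001,490154203237518,Zebra TC72,Purge,2025-03-04,J. Doe
ZS-0002,352099001761482,Zebra TC72,Destroy,2025-03-04,J. Doe
TB-0003,,Samsung tablet,wiped,2025-03-04,
,,Batch of 500 devices,wiped,,
"""

if __name__ == "__main__":
    report = audit_certificate(SAMPLE_CERT, SAMPLE_MANIFEST)
    for key, problems in report["row_issues"].items():
        print(key, "->", "; ".join(problems))
    print("not on certificate:", report["missing"])
    print("audit ready:", report["audit_ready"])
```

A passing Luhn check only shows the IMEI was transcribed without a single-digit error; the comparison against the manifest is what ties the certificate line to a device you actually shipped.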
Mobile-specific capabilities — the gap most buyers miss
This is the differentiating criterion. Most ITAD providers were built for servers, laptops, and desktops. Mobile devices require additional pre-destruction workflows that many providers simply don’t have:
- MDM unenrolment: Removing device profiles from Intune, SOTI, 42Gears, Workspace ONE, or Jamf before any wiping occurs
- iCloud/Apple Activation Lock removal: Without this, iOS devices cannot be resold or properly recycled
- Google Factory Reset Protection removal: Same issue for Android devices
- Samsung Reactivation Lock removal: Required for Samsung enterprise devices
- IMEI deregistration: Removing the device from carrier asset lists to avoid ongoing billing or liability
- Physical SIM destruction: Not just removal — documented destruction
- eSIM profile deletion: Increasingly relevant as eSIM adoption grows in enterprise fleets
A general-purpose ITAD provider receiving a pallet of rugged Zebra scanners with active SOTI profiles will often have no idea how to handle any of these steps. The device sits in limbo while your organisation remains liable for the data on it.
Additional criteria — NAID AAA, ISO stack, bilingual reporting, value recovery
Beyond the core criteria, we evaluated providers on supporting factors:
- NAID AAA certification: The data destruction industry’s certification for secure physical and logical destruction
- ISO stack: ISO 9001 (quality), 14001 (environmental), 45001 (occupational health and safety), 27001 (information security) — collectively demonstrating operational maturity
- Bilingual documentation: For organisations with Quebec operations, destruction documentation must be available in French to meet Quebec Law 25 expectations
- Value recovery transparency: Whether the provider offers clear revenue-share terms for devices with residual resale value
The Canadian provider landscape is smaller than you think
The SERI directory indicates approximately 64 R2 facilities across Canada, with 28 of those in Ontario. That sounds like a healthy number — until you filter for mobile-device-specific capabilities, NAID AAA certification, and in-country destruction guarantees.
The actual shortlist for enterprise mobile device ITAD in Canada is a fraction of that 64. Which brings us to the providers that made the cut.
The 7 best secure mobile device decommissioning & ITAD companies in Canada
The ranking that follows applies the criteria established above, with particular weight on mobile-device-specific capabilities, verified Canadian R2 v3 certification, and certificate-of-destruction quality.
This is not a general-purpose ITAD ranking. Organisations whose primary needs are data-centre hardware or laptop disposition may weight criteria differently. For IT leaders managing enterprise mobile device fleets — the smartphones, tablets, rugged handhelds, and scanners that frontline workers depend on — this is the shortlist that matters.
1. PiiComm — best for enterprise mobile device fleets
Canadian-owned and headquartered in Ontario, PiiComm is Canada’s largest pure-play managed mobility services provider, managing 500,000+ devices across thousands of locations. Secure Decommissioning is one of five integrated service pillars — Strategic Sourcing, Staging & Deployment, Lifecycle Management, MDM as a Service (MDMaaS), and certified device retirement with secure data erasure.
What distinguishes PiiComm from every other provider on this list is integration. The same team that deployed and managed the device throughout its life also retires it — with full asset history, MDM enrolment status, and carrier records already in the system. There’s no cold handoff to an ITAD provider who has never seen the device before.
Who it’s best for: Organisations managing fleets of rugged enterprise devices — Zebra scanners, Honeywell handhelds, Samsung tablets, vehicle-mounted computers — who need mobility-specific pre-destruction checks integrated into a documented chain-of-custody workflow.
Key capabilities:
- Data erasure certified to NIST 800-88 and aligned with CCCS ITSP.40.006
- Physical destruction (drill press, shredding) for devices that cannot be powered on
- IMEI-level certificate of destruction with serial number and technician sign-off
- MDM unenrolment from SOTI, 42Gears, Intune, and other platforms
- SIM destruction and eSIM profile deletion
- Reverse logistics coordination from field to Canadian facility
- 24/7 bilingual (English/French) service desk
- Value recovery through trade-in and consignment of viable hardware
- 2023 Leader in Sustainability award from Call2Recycle Canada (2,597 kg of batteries collected)
The government case study demonstrates PiiComm’s capability at the high end of security requirements. A governmental department needed to dispose of 800+ mobile phones, many of which were broken and impossible to software-wipe. PiiComm staff underwent fingerprinting, background checks, and security screening — receiving full clearance within 48 hours. Devices were picked up directly from the department’s facility, each assigned a unique tracking ID. Memory chips were physically destroyed using a drill press, photographed, and logged against the device’s tracking ID. The department received serialised certificates of destruction for every device, with up to 95% of battery materials diverted from landfill.
Pros:
- Only provider on this list with integrated managed mobility lifecycle context — device history, MDM status, and carrier records are already in the system at decommissioning
- Canadian-owned, Canadian-operated, Canadian-staffed — no cross-border data movement
- Specialises in rugged/industrial devices that general ITAD providers struggle with
- Proven government clearance capability for federal decommissioning engagements
- Bilingual documentation for Quebec Law 25 compliance
Canadian-specific takeaway: PiiComm is the strongest choice when the devices being retired are the same devices PiiComm manages through its managed mobility platform — the chain of custody is continuous from deployment through destruction, which is the cleanest audit trail available in the Canadian market.
2. Quantum Lifecycle Partners — best for large-scale, multi-asset ITAD
Toronto-headquartered and Canadian-owned, Quantum Lifecycle Partners has a 30+ year history and operates as Canada’s largest vertically integrated ITAD provider and e-waste recycler. The company maintains 12 Canadian facilities, with nine holding R2 v3 certification: Barrie, Brampton, Calgary, Coquitlam, Edmonton recycling, Montreal, Richmond Hill, Toronto, and Vancouver.
Quantum holds NAID AAA certification at Brampton and the full ISO stack (9001, 14001, 27001, 45001). The April 2026 acquisition of Red8 Device Lifecycle Management signals an expansion into mobile device capabilities.
Who it’s best for: Large enterprises with mixed IT estates — data centres, laptops, desktops, and mobile devices — that need a single ITAD provider with national geographic coverage and the broadest certification stack in Canada.
Key capabilities: Full lifecycle management, mobility services, data-centre decommissioning, e-plastics recovery, CTIA-aligned wireless processing at Brampton.
Pros:
- Most R2 v3-certified Canadian facilities of any provider (9)
- NAID AAA + full ISO stack
- National geographic coverage (12 facilities coast to coast)
- CTIA-certified wireless processing
- Canadian-owned
Cons:
- ITAD is the core business, not managed mobility — MDM unenrolment, IMEI deregistration, and carrier coordination are not integrated into a broader mobility lifecycle platform
- Red8 acquisition is recent (April 2026); mobile-specific workflow maturity may still be developing
Canadian-specific takeaway: Quantum is the default choice for enterprises that need a certified Canadian ITAD provider with the broadest physical footprint. For mobile-only fleets, verify that the specific facility processing your devices has CTIA certification and can handle MDM unenrolment.
3. Greentec — best for Ontario-focused organisations prioritising R2 v3 pioneering
Cambridge, Ontario-based and Canadian-owned, Greentec was founded in 1995 and became the first Canadian e-waste processor to receive R2 v3 certification on January 11, 2022. The company holds NAID AAA certification and operates across Ontario with locations in Cambridge, Toronto, Ottawa, Belleville, Brampton, Kitchener-Waterloo, London, and Milton.
Greentec publishes a service line for cellphone and tablet destruction and offers video destruction records for additional audit documentation.
Who it’s best for: Ontario-based enterprises that want a proven, R2 v3-pioneering ITAD provider with NAID AAA certification and documented cellphone/tablet destruction capabilities.
Pros:
- First R2 v3-certified e-waste processor in Canada — demonstrated commitment to highest certification tier
- NAID AAA for data destruction
- Video destruction records for additional audit documentation
- Strong Ontario geographic coverage
Cons:
- Ontario-focused — limited national footprint outside the province
- Not a managed mobility provider; mobile-specific pre-destruction checks (MDM unenrolment, IMEI deregistration, Activation Lock removal) are not part of published service offerings
- No published bilingual (French) service capability
Canadian-specific takeaway: Greentec is a strong regional choice for Ontario organisations, particularly those that value the R2 v3 early-adopter track record. For national deployments or Quebec-based operations requiring bilingual documentation, additional providers may be needed.
The remaining providers on this list address different needs — from global enterprises seeking multi-country ITAD consolidation to organisations evaluating whether carrier take-back programmes can meet their compliance requirements. But before we continue, it’s worth pausing on a pattern that’s already emerging: the providers that score highest on mobile-specific capabilities are the ones built around device lifecycles, not the ones that added mobile processing to an existing ITAD operation.
4. Iron Mountain — best for organisations already using Iron Mountain records management
US-headquartered (Boston, MA; NYSE: IRM) with extensive Canadian operations, Iron Mountain offers Asset Lifecycle Management, Secure ITAD, and Data Centre Decommissioning across the country. Canadian locations include Toronto, Ottawa, Montreal, Quebec City, Vancouver, and Burnaby, with bilingual service capability.
Iron Mountain holds NAID AAA certification and references R2 v3, ISO 9001, 14001, and 45001 on its Canadian location pages.
Who it’s best for: Large enterprises already in the Iron Mountain ecosystem for records management or data-centre services, seeking to consolidate ITAD under an existing vendor relationship.
Pros:
- National Canadian footprint with bilingual service capability
- Established brand with deep enterprise relationships
- NAID AAA certified
- Broad service portfolio (records, data centres, ITAD)
Cons:
- Critical verification required: Iron Mountain’s authoritative ALM Certifications page attributes R2 v3 certificate scope to facilities in the US, UK, Ireland, France, and Thailand — no Canadian street address is explicitly named as R2 v3-certified. Buyers must verify site-specific Canadian R2 v3 certification in the SERI directory before treating it as in-country certified destruction
- US-headquartered — data processed in Canadian facilities, but corporate governance and data access policies are subject to US jurisdiction
- Not a mobility specialist; mobile-specific pre-destruction workflows are not a published core capability
Canadian-specific takeaway: Iron Mountain is a convenient choice for organisations already in the ecosystem, but the R2 v3 certification gap at the Canadian facility level is a material concern. Request written confirmation of which specific Canadian facility will process your devices and its current SERI-listed certification status before proceeding.
5. eCycle Solutions — best for Western Canada and multi-province coverage
eCycle Solutions operates R2 v3-certified facilities in Chilliwack (BC), Airdrie (AB), Mississauga (ON), Brampton (ON), and Salaberry-de-Valleyfield (QC) — five certified Canadian locations providing coast-to-coast coverage. The company functions primarily as an e-waste recycling and ITAD processor.
Who it’s best for: Organisations with distributed operations across Western Canada and Quebec that need a certified processor with physical facilities in multiple provinces.
Pros:
- Five R2 v3-certified Canadian facilities across four provinces
- Strong Western Canada presence (BC and Alberta) where fewer ITAD options exist
- Quebec facility for bilingual processing needs
Cons:
- Less publicly documented mobile-device-specific capabilities compared to PiiComm or Quantum
- Lower brand recognition in the enterprise ITAD space
- Limited published information on certificate-of-destruction granularity for mobile devices
Canadian-specific takeaway: eCycle Solutions fills a geographic gap. Organisations in BC, Alberta, and Quebec can route devices to a nearby R2 v3-certified facility, reducing transit time and cross-provincial shipping risk. For mobile-specific pre-destruction workflows, confirm the facility’s capabilities before shipping.
6. Sims Lifecycle Services — best for global enterprises needing multi-country ITAD
Sims Lifecycle Services is a business unit of Sims Limited (ASX-listed, Australian parent). SLS Americas is based in the United States. Destruction standards include NIST 800-88 r1, ISO/IEC 21964, and HMG IA Standard No. 5.
Current Americas R2 v3-certified facilities are all US-based: Atlanta, West Chicago, Nashville, Roseville, and Tucson. Historical Canadian facilities in Mississauga and Laval are no longer on the SERI certification list as of May 2026.
Who it’s best for: Global enterprises with ITAD needs spanning multiple countries that want a single vendor relationship — and where Canadian data residency is not a hard requirement.
Pros:
- Global scale and multi-country coverage
- Strong destruction standards (NIST 800-88, ISO/IEC 21964)
- Established brand in the ITAD space
Cons:
- No Canadian R2 v3-certified facility as of May 2026 — Canadian devices are likely transported to US facilities for destruction
- Material concern for PIPEDA-regulated workloads: organisations must obtain a written warranty on where destruction occurs
- US-headquartered with no current Canadian certified processing
Canadian-specific takeaway: Sims is a global ITAD leader, but Canadian buyers must understand that their devices will likely cross the border for processing. For any PIPEDA-regulated, PHIPA-regulated, or government workload, this is a disqualifying factor unless the organisation obtains explicit documentation of in-country destruction.
7. Carrier take-back and OEM trade-in programmes — when they’re sufficient (and when they’re not)
Bell, TELUS, and Rogers all offer consumer and business trade-in and recycling programmes. OEMs — Apple Trade In, Dell Asset Recovery, Zebra GO Trade-In — offer trade-in credit with recycling. These programmes serve a purpose, but they are not enterprise-grade ITAD.
The critical distinction is liability. Every carrier programme places data-destruction responsibility on the customer before submission. None issues an enterprise-grade serialised certificate of destruction by default.
Bell’s trade-in programme requires customers to remove MDM profiles before submission. TELUS explicitly disclaims all data liability post-deposit: “TELUS and its affiliates, partners, and contractors assume no responsibility or liability related to the deposited devices, including for any loss or unauthorized access to data.” Rogers Trade-Up has similar customer-side reset requirements.
OEM trade-in documentation is generally limited to factory-reset confirmation — insufficient for healthcare, financial services, or federal government Protected B/C requirements.
Who it’s best for: SMBs with consumer-grade devices and no regulatory obligation for serialised destruction documentation. Also useful as a secondary channel for value recovery on devices that have already been through a certified ITAD provider’s documented wipe process.
Pros:
- Convenient for consumer and SMB devices
- Trade-in credit offsets new device costs
- TELUS Certified Pre-Owned refurbishment facility holds ISO 9001:2015 and R2 v3
Cons:
- Not enterprise-grade ITAD — no serialised certificate of destruction
- Data liability explicitly disclaimed by carriers
- MDM unenrolment is the customer’s responsibility
- Inadequate as sole disposition channel for PIPEDA-regulated, PHIPA-regulated, or government workloads
Canadian-specific takeaway: Carrier programmes are a value-recovery supplement, not a compliance strategy. Use them after your certified ITAD provider has completed documented NIST 800-88-compliant erasure and issued a serialised certificate of destruction — never as a substitute.
Canadian ITAD providers compared — summary table
| Provider | Canadian-Owned | R2 v3-Certified Canadian Facilities | NAID AAA | Mobile-Specific Capabilities | In-Country Destruction Guarantee | Bilingual Documentation | Certificate of Destruction (IMEI-Level) | Best For |
|---|---|---|---|---|---|---|---|---|
| PiiComm | Yes | Yes | — | Full (MDM, IMEI, SIM, eSIM) | Yes | Yes | Yes | Enterprise mobile device fleets |
| Quantum Lifecycle Partners | Yes | Yes (9 facilities) | Yes (Brampton) | Developing (Red8 acquisition) | Yes | Likely (Montreal facility) | Verify | Large-scale, multi-asset ITAD |
| Greentec | Yes | Yes | Yes | Limited | Yes | Not published | Verify | Ontario-focused organisations |
| Iron Mountain | No (US) | Verify in SERI directory | Yes | Limited | Verify | Yes | Verify | Existing Iron Mountain customers |
| eCycle Solutions | — | Yes (5 facilities) | — | Limited | Yes | Likely (QC facility) | Verify | Western Canada, multi-province |
| Sims Lifecycle Services | No (Australia/US) | No (as of May 2026) | — | Limited | No | — | — | Global multi-country ITAD |
| Carrier Programmes | Yes | Varies | No | None | Varies | Yes | No | SMB value recovery only |
The pattern in this table tells the story. The providers that score highest on mobile-specific capabilities — MDM unenrolment, IMEI deregistration, Activation Lock removal, SIM destruction — are the ones built around device lifecycles. The ones that added mobile processing to an existing ITAD operation score well on general certifications but show gaps in the mobile-specific columns.
For organisations managing enterprise mobile device fleets, the question isn’t just “Who can destroy our hardware?” It’s “Who can handle the full chain of pre-destruction steps that mobile devices require, document each step at the IMEI level, and maintain a continuous audit trail?”
What to ask before signing an ITAD contract in Canada
The most important question is not “Are you R2 certified?” It’s “Which specific Canadian facility will process my devices, and can you show me its current SERI directory listing?”
That question alone will separate the providers who can back their claims from the ones who cannot. But it’s just the starting point. Before signing any ITAD contract for mobile device decommissioning in Canada, ask the following:
1. Which specific Canadian facility will process my devices, and is it R2 v3-certified in the SERI directory?
Search by facility address, not company name. Certification applies to specific locations, not corporate entities. If the provider cannot name the facility and it doesn’t appear in the directory, their certification claim is unverifiable.
2. Can you provide an IMEI-level certificate of destruction — not a batch summary — for every device?
Ask for a sample certificate. If it lists “Batch of 500 devices — wiped” without individual serial numbers, IMEIs, destruction methods, and technician signatures, the documentation won’t satisfy a regulatory audit.
3. What is your process for MDM unenrolment, Activation Lock removal, and IMEI deregistration?
This is the question that exposes whether the provider actually handles mobile devices or just processes them like generic IT hardware. If they can’t describe the specific workflow for removing SOTI, 42Gears, or Intune profiles — or explain how they handle iOS Activation Lock — they’re not equipped for mobile-specific decommissioning.
4. Will any data-bearing media leave Canada at any point before sanitisation/destruction is complete?
For PIPEDA-regulated workloads, this should be a hard requirement. Get a written warranty, not a verbal assurance. Ask specifically about scenarios where devices are routed to partner facilities.
5. Can you provide bilingual (English/French) destruction documentation for Quebec deployments?
Organisations with Quebec operations need destruction records that align with Quebec Law 25 expectations. The penalty magnitude — up to $25 million or 4% of worldwide turnover — makes this a procurement requirement, not a nice-to-have.
6. What is your chain-of-custody process from device pickup to certificate issuance, and can you provide GPS-tracked transport documentation?
A device in transit is still your liability. Secure transport with documented chain of custody closes the gap between when the device leaves your facility and when destruction is certified.
7. For Protected B+ workloads: do your technicians hold PSPC Contract Security Program clearance, and do you use RCMP-approved destruction equipment?
Most commercial ITAD providers cannot meet this requirement. If you’re processing federal government devices or contractor devices with Protected B+ classification, this is a screening question — not a negotiating point.
8. What is your value-recovery/revenue-share model, and can you provide a hardware asset lifecycle disclosure for ESG reporting?
Devices with residual value shouldn’t disappear into the ITAD process without a transparent accounting. Ask for the revenue-share schedule and documentation standards for ESG reporting.
For a deeper dive on what to look for in a mobile device decommissioning partner, PiiComm’s Secure Decommissioning Guide covers the evaluation framework in detail.
Frequently asked questions about secure device decommissioning services in Canada
What is the difference between ITAD and secure mobile device decommissioning?
ITAD (IT asset disposition) covers all IT hardware. Mobile device decommissioning requires additional pre-destruction steps — MDM unenrolment, IMEI deregistration, Activation Lock removal, SIM destruction — that general ITAD providers often lack. A provider certified for laptop and server ITAD may have no workflow for mobile-specific requirements.
Is R2 v3 certification mandatory for ITAD providers in Canada?
R2 v3 is not legally mandatory, but it is a de facto requirement in Canadian enterprise and government RFPs. R2:2013 certificates expired industry-wide on June 30, 2023, so any active R2 certificate must be v3. Verify at the facility level through the SERI directory, not the corporate level.
Can I use a carrier trade-in programme instead of a certified ITAD provider?
Bell, TELUS, and Rogers trade-in programmes explicitly disclaim data liability and issue no enterprise-grade serialised certificate of destruction. They are inadequate as a sole disposition channel for PIPEDA-regulated workloads. Use them for value recovery after certified ITAD processing, not as a substitute.
What should a certificate of destruction include for Canadian compliance?
At minimum: device serial number, IMEI, make/model, destruction method (NIST 800-88 level), date, technician name/signature, and provider reference number. For Protected B+ workloads, the certificate must link to RCMP-approved equipment ID and operator clearance documentation per CCCS ITSP.40.006.
Does my ITAD provider need to destroy devices in Canada?
PIPEDA requires safeguards “appropriate to the sensitivity of the information,” and cross-border transfer of data-bearing devices introduces additional risk. For PIPEDA-regulated, PHIPA-regulated, and government workloads, in-country Canadian destruction with a written warranty is strongly recommended.
What are the penalties for improper device disposal under Quebec Law 25?
Up to $25 million or 4% of worldwide turnover for private-sector organisations. Destruction documentation must be bilingual and aligned with CAI expectations for organisations with Quebec operations or Quebec-resident customer data.
How do I verify that an ITAD provider’s Canadian facility is actually R2 v3-certified?
Search the SERI directory by facility address, not company name. Some providers hold R2 v3 at US or international facilities but not at Canadian locations. Provider website claims may be outdated or apply to different facilities — the SERI directory is the authoritative source.
What happens to the residual value of decommissioned devices?
Industry-typical revenue-share arrangements see the enterprise client retaining 50%–80% of net resale value. No published Canadian-specific survey exists, so ask providers for a transparent value-recovery schedule and hardware asset lifecycle disclosure before signing.
The audit question you don’t want to answer unprepared
Somewhere in your organisation, there’s probably a storage closet. Maybe it’s a locked cabinet in the IT department, or a shelf in a warehouse, or a pallet in a distribution centre. Sitting in that space are devices that reached end-of-life months or years ago — devices with data on them, devices your organisation is still technically liable for, devices that represent the exact exposure this entire post has been about.
Every IT leader knows about their closet. Most are waiting for someone to have time to deal with it.
The regulatory environment isn’t waiting. The 686 PIPEDA breach reports the OPC documented last year weren’t from organisations that set out to be negligent — they were from organisations that had gaps. End-of-life devices are one of the most common gaps because they’re invisible right up until they’re not.
Protecting corporate data through the full device lifecycle means closing this gap before an auditor or an incident forces the issue. The providers ranked here give you options. The evaluation criteria give you a framework. The questions give you a procurement checklist.
The closet is still there. What happens next is up to you.