Proudly Canadian flag Canadian

Solutions

Ready to optimize your mobile device strategy?

Speak with a mobility expert to find the right solution for your organization.

Contact us

Products

Ready to optimize your mobile device strategy?

Speak with a mobility expert to find the right solution for your organization.

Contact us

Industries

Ready to optimize your mobile device strategy?

Speak with a mobility expert to find the right solution for your organization.

Contact us

Company

What Happens to Your Data When PiiComm Decommissions Your Devices

Every enterprise mobile device retired in Canada carries residual data. That is not a theoretical risk—it is an operational reality that IT Directors, Procurement Managers, and CFOs navigate every time they cycle out a fleet of scanners, handhelds, or rugged tablets.

The gap between “we recycled it” and “we can prove the data is gone” is where compliance exposure lives. Most organisations discover this gap only when an auditor asks for documentation that does not exist, or when a breach notification inquiry arrives from the Office of the Privacy Commissioner.

This post walks through PiiComm’s Secure Decommissioning service stage by stage—from field recall through certified destruction and value recovery—with the documentation trail that makes each step auditable. The goal is not to convince you that decommissioning matters. You already know it does. The goal is to show you exactly what happens to your devices when PiiComm takes custody, so you can evaluate whether our process meets your compliance requirements.

Consider this context: devices that organisations believe they have “wiped” regularly appear on secondary markets with recoverable data. According to Blancco Technology Group’s 2023 research, 42% of used devices purchased on secondary markets still contained residual data from previous owners. If your retired enterprise devices enter the secondary market without certified erasure, the odds are nearly even that they still carry your data.

That is the exposure this process is designed to eliminate.

Why mobile device decommissioning is not general IT asset disposition

An IT Director sends 1,200 retired Zebra TC52 scanners to a general ITAD provider. The provider’s standard workflow is designed for laptops and servers—assets with removable hard drives that fit their existing destruction processes. The scanners come back with a generic recycling certificate that says “lot destroyed.”

No serial-level documentation. No chain-of-custody record during transit. No confirmation that embedded flash storage was actually sanitised versus simply factory-reset.

The IT Director now has a certificate that looks like compliance documentation but cannot answer the question an auditor will actually ask: “What specifically happened to device #4,217 between the day it left our warehouse and the day you claim it was destroyed?”

If you have encountered this scenario—or suspect you might if you pulled the documentation from your last device retirement—your instinct is correct. Mobile devices are fundamentally different from traditional IT assets when it comes to end-of-life handling, and general ITAD providers routinely miss the differences that matter most.

Embedded storage, SIM cards, and the data you forgot was there

Enterprise mobile devices—Zebra scanners, Honeywell handhelds, rugged tablets—store data differently than laptops and servers. There is no hard drive to pull and shred. Instead, data lives in embedded flash memory, SIM cards with network credentials, cached application data, and MDM configuration profiles.

A factory reset clears the user-facing layer. It does not touch the storage blocks where sensitive data actually persists.

After 15 years of processing device returns, PiiComm technicians routinely receive devices that were “wiped” by internal IT teams and still find cached Wi-Fi credentials, VPN certificates, and—in some cases—customer transaction data sitting in application sandboxes. The internal IT team followed the process they had. The process did not address how mobile devices actually store information.

SIM cards present a separate exposure. A SIM card pulled from a retired scanner contains network credentials and, depending on configuration, authentication tokens. General ITAD providers focused on hard drive destruction often return SIM cards to the organisation unsecured or dispose of them without certified destruction protocols. PiiComm’s process includes certified SIM card destruction performed by trained technicians—because the SIM card is a data exposure point, not just a carrier asset.

The logistics gap between pickup and proof

The specific vulnerability that general ITAD providers create is not at the point of destruction. It is the period between device collection and final processing—when devices are in transit, in a warehouse queue, or sitting on a loading dock—untracked, unaccounted for, and unprotected.

This is where data breaches originate. A device goes missing between pickup and processing. No one notices because the documentation tracks lots, not individual units. Months later, the organisation receives a breach inquiry and cannot prove what happened to a specific device during the gap.

Consider the contrast: in a government engagement where security requirements demanded certainty, PiiComm picked up 800+ highly sensitive devices directly from the department’s storage facility with chain of custody maintained from the moment of receipt. Every device was tracked by serial number or assigned tracking ID from pickup through final disposition. The documentation exists because the process created it at every stage—not because someone filled out a certificate at the end.

For your organisation, this distinction determines whether you can answer the auditor’s question or spend months in remediation trying to reconstruct a record that was never created.

PiiComm’s secure decommissioning process, stage by stage

Most providers describe their decommissioning process in three steps: collect, wipe, recycle. PiiComm’s process has seven documented stages because the gaps between those three steps are where compliance risk actually lives.

This section walks through each stage with enough operational detail that you can visualise what happens to your devices. The goal is transparency—not because we think you need to understand every technical step, but because the organisations that choose PiiComm typically do so after they have received vague proposals from providers who could not explain what actually happens between pickup and certificate.

Stage 1: Field recall and reverse logistics coordination

Decommissioning begins before devices arrive at a processing facility. It begins with the logistics of getting those devices out of the field—whether that field is a single distribution centre, a national network of retail stores, or a fleet of delivery vehicles spread across three provinces.

PiiComm coordinates device collection from your locations. Our team manages the logistics, not yours. For a national retail decommissioning, that means coordinating pickup across dozens of locations simultaneously, providing pre-labelled shipping materials with serialised tracking so that every device is accounted for before it leaves the store.

The alternative—asking store managers to box up old scanners and ship them to a recycler—is how devices go missing. Store managers have other priorities. Devices sit in back rooms for months. When they finally ship, the count does not match, and no one can explain why.

PiiComm’s field recall removes that burden and that risk. Your locations receive everything they need to prepare devices for secure transport. We track what ships against what was expected. Discrepancies surface immediately, not after the certificate is issued.

Stage 2: Secure transport with tracked chain of custody

Between pickup and processing, devices are in transit. This is the stage where chain of custody either exists or it does not.

PiiComm’s transport protocols track every device by serial number—or assigned tracking ID for damaged units where serial numbers are inaccessible—from the moment of pickup through arrival at our Canadian facility. The chain-of-custody documentation begins in the field, not at intake.

This matters because PIPEDA’s accountability principle does not pause during transit. Your organisation remains responsible for personal information on devices being transported for disposal. A device sitting on a loading dock or in an unsecured vehicle is a compliance gap—even if the certificate you receive at the end says “destroyed.”

PiiComm’s tracked transport ensures that the documentation trail your auditor needs exists for the stage most providers do not document at all.

Stage 3: Intake, serialised tagging, and inventory reconciliation

Every device arriving at PiiComm’s Canadian facility is received, logged, assigned a tracking ID, and reconciled against the expected inventory from the field recall.

This is where the asset database begins to close the loop—and where the difference between mobile-specialist processing and general ITAD becomes operational.

Damaged devices present a specific challenge. A scanner with a cracked screen or water damage often cannot be powered on to read a serial number. General ITAD providers typically batch these into a lot and process them without individual tracking. When an auditor asks about a specific device, the answer is “it was in the lot that was destroyed.”

PiiComm assigns each damaged device a unique tracking ID at intake and photographs the device alongside the ID tag. The device’s condition is documented. Its path through processing is tracked against that ID. When the certificate is issued, it ties to a specific unit that can be traced back to the photograph taken at intake.

This step takes time. It is the step general ITAD providers skip. It is also the step that matters most when someone asks, “What happened to device #4,217?”

Stage 4: Certified data erasure to NIST 800-88 standards

Data erasure is performed by PiiComm’s in-house certified technicians in our Canadian facility. This step is never outsourced. It is never offshored. Your data never crosses the border.

All erasure follows NIST 800-88 (Guidelines for Media Sanitization)—the standard your compliance team and auditors will reference when evaluating whether a device was properly retired. NIST 800-88 defines three levels of sanitisation: Clear, Purge, and Destroy.

Clear overwrites data in a way that prevents simple recovery but may leave data accessible to forensic techniques. This is essentially what a factory reset attempts, and it is insufficient for enterprise devices containing sensitive information.

Purge renders data recovery infeasible using state-of-the-art laboratory techniques. This is the standard PiiComm applies to devices that will be remarketed or recycled—complete sanitisation that allows the hardware to be reused safely.

Destroy physically destroys the media so that data recovery is impossible. This applies to devices that cannot be electronically sanitised or where data sensitivity demands physical destruction regardless.

For devices receiving Purge-level erasure, PiiComm issues a certificate of erasure for each unit, tied to its serial number or tracking ID and recorded in your asset database. The certificate is not a summary statement about a lot. It is a per-device record that answers the specific question your auditor will ask.

The next stages address what happens to devices requiring physical destruction, how certificates and asset database updates complete the documentation loop, and how value recovery offsets decommissioning costs—but first, it is worth understanding why the erasure methodology matters as much as the certificate it produces.

Stage 5: Physical destruction for devices requiring it

Some devices cannot be electronically sanitised. A scanner with severe water damage that will not power on. A tablet with a cracked screen and corrupted storage controller. A handheld from a government engagement where data sensitivity demands destruction regardless of whether electronic erasure was possible.

For these devices, PiiComm performs certified physical destruction in our Canadian facility.

The process is methodical. Technicians disassemble each device and separate components. Memory chips are physically destroyed using a drill press—not fed into a general shredder where destruction cannot be verified at the component level. Each destruction event is photographed and logged against the device’s tracking ID. Batteries are individually wrapped for specialised lithium-ion recycling, handled separately because lithium-ion batteries require specific disposal protocols that general e-waste processing does not address.

In a government engagement where PiiComm decommissioned 800+ highly sensitive devices, this component-level approach meant that even units with no accessible serial numbers—damaged devices that could not be powered on—had complete audit trails from intake through physical destruction. The department received certificates of destruction for every unit, not a lot-level summary.

This level of documentation takes longer than batch processing. It is also the level of documentation that satisfies federal security requirements and withstands the auditor’s question about a specific device.

Stage 6: Certificate issuance and asset database closure

Documentation is not the final step in the process. It is generated throughout the process and consolidated at the end.

For each device that received electronic erasure, PiiComm issues a certificate of erasure tied to the device’s serial number. For each device that received physical destruction, a certificate of destruction tied to the serial number or assigned tracking ID. Both certificate types reference the specific sanitisation or destruction method, the date of processing, and the technician responsible.

These certificates are recorded in your asset database—closing the loop on assets that have been tracked through their entire lifecycle. The IT Director can confirm that device #4,217 was received, processed, and certified. The Procurement Manager has the audit trail required for compliance records. The CFO has documentation that satisfies the organisation’s risk management requirements.

The certificate is the final page of the audit trail. The value of that certificate depends entirely on the documentation that precedes it.

Stage 7: Value recovery and environmental disposition

Decommissioning is not purely a cost centre. Functional devices—Zebra TC-series scanners, Honeywell handhelds, ruggedised tablets—retain value after certified data erasure.

PiiComm assesses every device for potential value recovery. Units in good working condition are evaluated for trade-in credits against new deployments or resale on the secondary market for enterprise mobile devices. The secondary market for rugged enterprise hardware is more active than most organisations realise—a Zebra TC52 that has reached end-of-life for your operation may have several years of useful service remaining for a smaller organisation with different requirements.

For devices that cannot be remarketed, PiiComm processes materials for recovery in accordance with EPRA (Electronic Products Recycling Association) standards. In the government engagement, up to 95% of battery materials were recoverable for reuse, and metals were reclaimed from circuit boards. What filled a storage room was ultimately reduced to a single pail of processed material.

This matters for the CFO evaluating decommissioning costs. It also matters for organisations with ESG commitments—responsible enterprise mobile device disposal and the e-waste challenge are increasingly board-level concerns, not just operational details.

Chain-of-custody documentation that survives an audit

The certificate of destruction is the last page of the audit trail, not the only page. If your current provider gives you a certificate but cannot show you what happened between pickup and destruction, you have a compliance gap disguised as a compliance document.

The question your auditor will ask is not “do you have a certificate?” It is “can you prove what happened to this specific device at each stage of the disposal process?” The answer needs to exist before the question is asked.

What the documentation package includes

PiiComm’s decommissioning documentation provides the complete record your compliance team, internal auditors, and regulators require:

  • Chain-of-custody records from field recall through final disposition—tracking every device by serial number or assigned tracking ID at each stage
  • Serialised inventory reconciliation confirming devices received match devices expected from the field recall
  • Certificates of erasure or destruction per device, tied to serial numbers or tracking IDs, referencing the specific method and date
  • Asset database updates closing the loop on retired assets in your inventory system
  • Environmental compliance records documenting responsible materials processing in accordance with EPRA standards

Each document serves a specific stakeholder. The IT Director needs the chain-of-custody records to answer operational questions. The Procurement Manager needs the certificates for vendor compliance files. The CFO needs the complete package for risk management and audit readiness. The compliance team needs documentation that maps to regulatory requirements.

How chain of custody maps to PIPEDA and provincial privacy frameworks

Under PIPEDA’s accountability principle, your organisation remains responsible for personal information in its custody—including information on devices being transported and processed for disposal. The obligation does not transfer to the disposal vendor. It remains with you until the data is verifiably destroyed.

A gap in chain of custody during transit is not a logistical inconvenience. It is a gap in PIPEDA compliance that could trigger breach notification obligations if a device goes missing and cannot be accounted for.

For Ontario healthcare organisations, PHIPA imposes additional obligations on personal health information destruction. For organisations operating in Quebec, Law 25 requires demonstration that personal information has been destroyed in compliance with Quebec’s requirements—the strictest provincial framework in Canada.

PiiComm has seen organisations receive breach notification inquiries from the Office of the Privacy Commissioner related to devices that were “recycled” but never confirmed destroyed. The organisations with serial-level chain-of-custody documentation resolved the inquiry in days. The ones with a generic lot-level recycling receipt spent months in remediation, attempting to reconstruct records that were never created.

The real cost of getting device end-of-life wrong

A Canadian retailer retires 3,000 handheld devices across 200 stores. The cheapest option is to let store managers dispose of them locally—drop them at the nearest electronics recycler, or worse, let them accumulate in back rooms until someone decides what to do with them.

The most expensive option is the data breach that results from one device ending up in the wrong hands with customer payment data still cached in an application sandbox.

The cost asymmetry makes the decision straightforward once you see the numbers.

Breach costs versus decommissioning costs

According to IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach in Canada was $6.32 million. That figure includes direct costs—forensic investigation, notification, regulatory fines—and indirect costs like customer churn and reputational damage.

The per-device cost of certified decommissioning is a rounding error compared to the cost of a single breach originating from an improperly retired device. For the CFO, this is not a disposal expense. It is a risk-adjusted investment with quantifiable downside protection.

Even a small probability of breach—a single device from a fleet of thousands reaching the secondary market with recoverable data—creates expected cost exposure that dwarfs the decommissioning investment. The 42% residual data rate from Blancco’s research is not a theoretical concern. It is the baseline probability your organisation faces if devices enter the secondary market without certified erasure.

Value recovery as a decommissioning offset

Decommissioning costs are further offset by value recovery. Functional legacy devices—Zebra TC-series scanners, Honeywell handhelds—are assessed for trade-in credits or secondary market resale after certified data erasure.

The secondary market for enterprise rugged devices is well-established. A TC52 scanner that has completed its useful life in your operation may have significant residual value for organisations with different requirements or smaller fleets. PiiComm’s assessment identifies devices with recovery potential and facilitates either trade-in against new deployments or resale, with proceeds offsetting decommissioning costs.

This is not the primary reason to decommission properly—compliance and risk mitigation are. But for the CFO building the business case, value recovery transforms decommissioning from a pure cost centre into a managed process with partial cost offset.

Why Canadian operations matter for device decommissioning

When a device containing Canadian personal information is shipped to a US processing facility, it becomes subject to US law—including potential access under US legal frameworks that do not align with Canadian privacy obligations. That is not a political statement. It is a legal fact that affects your PIPEDA compliance posture.

For organisations in government, healthcare, and financial services, this is increasingly a procurement requirement rather than a preference. The post-2025 trade environment has made Canadian operational sovereignty commercially relevant in ways it was not five years ago.

In-country processing, in-house technicians, Canadian-hosted records

PiiComm’s processing facility is in Canada. The technicians performing data erasure and physical destruction are PiiComm employees—not subcontractors, not offshore partners. All chain-of-custody records and certificates are hosted on Canadian infrastructure.

No device crosses the border. No data crosses the border. No processing step is outsourced to a jurisdiction where Canadian privacy law does not apply.

For the IT Director evaluating providers, this means the chain of custody you receive documents a process that occurred entirely within Canadian jurisdiction. For the Procurement Manager responding to RFP requirements about data handling, this means you can demonstrate Canadian-only processing without caveats or exceptions. For the compliance team concerned about cross-border data exposure, this means the compliance gap that US-based processing creates does not exist.

Bilingual service delivery for federal and Quebec requirements

For federal government organisations and Quebec-based operations, bilingual (English/French) service delivery is a procurement requirement. PiiComm’s 24/7 bilingual service desk and bilingual documentation output meet this requirement natively—not as an add-on or translation service, but as standard operational capability.

This matters for organisations operating across multiple provinces with different language requirements. It also matters for federal procurement pathways where bilingual capability is a threshold qualification, not a nice-to-have.

How PiiComm’s approach differs from general ITAD providers

A general ITAD provider processes laptops, servers, networking equipment, and—occasionally—a pallet of mobile devices. PiiComm processes mobile devices exclusively. That specialisation shows up in three places: the logistics model, the erasure methodology, and the documentation granularity.

This is not a criticism of general ITAD providers. They serve an important function for traditional IT assets. But mobile device fleets present specific challenges—embedded storage, SIM cards, ruggedised form factors, high device counts across distributed locations—that require a specialist.

Comparison: PiiComm Secure Decommissioning vs. standard ITAD

Capability PiiComm Secure Decommissioning Standard ITAD / In-House
Data security Certified NIST 800-88 Purge-level erasure Factory reset or unverified wipe
Chain of custody Serial-level tracking from field to final disposition Lot-level or unverified
SIM card handling Certified destruction by trained technicians Returned unsecured or unaddressed
Logistics model Managed multi-site reverse logistics Client ships to provider
Audit documentation Per-device certificates, asset database integration Generic lot certificates
Value recovery Device assessment, trade-in, secondary market Disposed as low-value scrap
Environmental compliance EPRA-compliant processing Variable or unknown

For readers who want a broader view of the Canadian market, we have published a comparison of how PiiComm compares to other decommissioning and ITAD providers in Canada.

When general ITAD is sufficient and when it is not

If your organisation is retiring 50 laptops from a single office, a general ITAD provider is likely sufficient. The devices have removable drives, the logistics are straightforward, and the documentation requirements are manageable.

If you are retiring 2,000 Zebra scanners across 150 locations with cached transaction data, SIM cards, and MDM profiles—and you need serial-level documentation that satisfies PIPEDA, PHIPA, and your internal audit requirements—you need a mobile-specialist provider.

The boundary is not about device count alone. It is about the complexity of the fleet, the sensitivity of the data, the distribution of locations, and the documentation requirements your organisation faces. General ITAD providers are not built for mobile-specific challenges at scale. PiiComm is.

Industries where secure mobile device decommissioning is non-negotiable

Every industry that issues enterprise mobile devices to frontline workers has a decommissioning obligation. The regulatory framework and the operational complexity vary, but the core requirement is the same: prove the data is gone.

Healthcare: PHIPA, patient data, and device turnover

Healthcare devices—clinical handhelds, medication scanning devices, tablets used at point of care—touch patient data. In Ontario, PHIPA imposes specific obligations on the handling and destruction of personal health information. A device that touched patient data requires PHIPA-compliant destruction, not just PIPEDA-compliant destruction.

Device turnover in healthcare is high. Infection control protocols, technology refresh cycles, and the physical demands of clinical environments mean devices cycle out more frequently than in other industries. Each retirement creates a decommissioning obligation that compounds across a hospital network or health authority.

Government and public safety: security clearance and Protected B requirements

Government decommissioning often requires capabilities that general ITAD providers cannot deliver: security clearance for processing staff, physical destruction rather than electronic erasure, and documentation that meets federal security classification requirements.

In the government engagement referenced throughout this post, PiiComm staff underwent background checks, fingerprinting, and security screening—receiving full clearance within 48 hours. For government organisations, this responsiveness and existing security relationships position PiiComm as a provider that can navigate federal procurement pathways and meet stringent requirements without extended timelines.

Transportation, logistics, and retail: high volume, distributed locations

These verticals retire devices in volume across geographically distributed locations. A national retailer with 200 stores. A logistics company with devices in trucks across three provinces. A distribution network with scanners in every warehouse.

The logistics challenge is as significant as the data security challenge. A decommissioning provider that cannot coordinate multi-site pickup at national scale creates an operational burden that defeats the purpose. Store managers and warehouse supervisors have other priorities—asking them to manage device retirement is how devices go missing.

Manufacturing and warehouse: rugged devices with long service lives

Rugged devices—vehicle-mounted computers, industrial scanners, handhelds built for harsh environments—often have 5–7 year service lives. When they are finally retired, the data they carry may span years of operational records, access credentials, and configuration information.

The longer the service life, the deeper the data exposure. A scanner used daily for six years has accumulated more data than a consumer smartphone used for two. The decommissioning process needs to address that accumulation, not just the most recent layer.

What to expect when you engage PiiComm for secure decommissioning

The first step is a decommissioning assessment. PiiComm reviews your current device inventory, identifies end-of-life assets, and scopes the logistics, erasure, and documentation requirements specific to your fleet and your regulatory environment.

This is a consultative step, not a sales pitch. The assessment identifies what you have, where it is, and what the decommissioning process needs to address. For some organisations, the assessment surfaces devices that have been sitting in storage rooms for years, untracked and unaccounted for—a compliance gap that existed before the conversation started.

The decommissioning assessment

The assessment covers:

  • Inventory review: What devices are approaching or past end-of-life? Where are they located? What is their condition?
  • Regulatory requirement mapping: What compliance frameworks apply to your organisation? PIPEDA? PHIPA? Law 25? Internal security policies?
  • Logistics planning: How many locations? What is the pickup coordination required? Are there devices in remote or difficult-to-access locations?
  • Value recovery estimate: Which devices have potential for trade-in or secondary market resale?

The output is a scoped proposal with clear timelines, documentation deliverables, and cost structure. You know what you are getting before the engagement begins.

From assessment to first pickup: typical timelines

Timelines vary by fleet size, geographic distribution, and complexity. A single-site decommissioning of 500 devices has a different timeline than a national retail rollout across 200 locations.

For context: in the government engagement, PiiComm obtained security clearance within 48 hours and picked up devices directly from the department’s storage facility. That responsiveness reflects existing government security relationships and operational capacity—not an exceptional effort for a single engagement.

For a comprehensive overview of PiiComm’s approach, see the Secure Decommissioning Guide.

Ready to scope your decommissioning requirements? Request a decommissioning assessment to begin the conversation.

Frequently asked questions about secure device decommissioning in Canada

What data erasure standard does PiiComm use for mobile device decommissioning?

PiiComm performs Purge-level erasure to NIST 800-88 standards, executed by in-house certified technicians in our Canadian facility. Certificates of erasure are issued per device by serial number. This step is never outsourced or offshored—your data never crosses the border.

Does PiiComm handle physical destruction for devices that cannot be electronically wiped?

Yes. Devices that are damaged, contain highly sensitive data, or have storage media that cannot be verified as electronically sanitised are physically destroyed. Memory chips are drilled, each destruction is photographed, and events are logged against the device’s tracking ID. Certificates of destruction are issued per device.

What chain-of-custody documentation does PiiComm provide?

PiiComm provides serial-level tracking from field recall through final disposition, including transport records, intake reconciliation, certificates of erasure or destruction per device, and asset database updates. All documentation is audit-ready and maps to PIPEDA, PHIPA, and Law 25 requirements.

Can PiiComm coordinate device pickup from multiple locations across Canada?

PiiComm manages reverse logistics across thousands of locations nationally. For multi-site decommissioning, we provide pre-labelled shipping materials with serialised tracking for each location. The logistics burden stays with PiiComm, not your store managers or warehouse supervisors.

Does PiiComm’s decommissioning process meet PIPEDA and provincial privacy requirements?

PiiComm’s process satisfies PIPEDA’s accountability principle, PHIPA requirements for Ontario healthcare, and Quebec Law 25 obligations. Documentation demonstrates verifiable destruction of personal information with chain of custody maintained throughout.

Is there any value recovery from retired enterprise mobile devices?

Functional devices—Zebra TC-series, Honeywell scanners—are assessed for trade-in credits or secondary market resale after certified data erasure. Value recovery can offset the cost of new deployments. Devices without resale potential are processed for materials recovery under EPRA standards.

Does PiiComm process devices in Canada or ship them to the US?

All processing occurs in PiiComm’s own Canadian facility, staffed by PiiComm’s in-house certified technicians. No devices or data cross the border. Chain-of-custody records are hosted on Canadian infrastructure. This eliminates the cross-border data exposure that US-based processing creates.

How quickly can PiiComm begin a decommissioning engagement?

Timelines vary by fleet size and complexity. PiiComm has demonstrated 48-hour security clearance turnaround for government engagements. The process begins with a decommissioning assessment to scope logistics, erasure, and documentation requirements specific to your fleet.

The documentation gap is the compliance gap

The difference between organisations that resolve privacy inquiries in days and those that spend months in remediation is not the quality of their intentions. It is the quality of their documentation.

A certificate of destruction that cannot be traced back through a complete chain of custody—from the moment a device left the field through every stage of transport, intake, processing, and final disposition—is a certificate that answers the wrong question. The auditor does not ask whether you have paperwork. The auditor asks whether you can prove what happened to a specific device at a specific point in time.

That proof either exists or it does not. The time to create it is before the device leaves the field, not after the inquiry arrives.