NIST 800-88
Data sanitization to NIST 800-88, certified per storage medium
NIST 800-88 is the leading guideline for sanitizing storage media. The moment you dispose of IT hardware that ever held business or personal data, it is the standard your erasure has to meet. XITAD runs that standard as a certified process and records the result per storage medium in a wipe certificate.
The difference is in the evidence. Every wiped medium gets its own certificate, and the matching audit report is collected in your archive. That lets you demonstrate per device which method was applied, instead of relying on a blanket promise.
What NIST 800-88 secures
Formatting only removes the references to files; the data itself stays recoverable. NIST 800-88 describes how data is genuinely removed from a storage medium beyond recovery, matched to the type of medium. The guideline applies to anything that ever held data, from laptops and servers to loose drives and SSDs.
Clear, Purge and Destroy
The standard distinguishes three methods. Clear overwrites the data, Purge erases it to a lab-resistant degree (cryptographic, for example), and Destroy physically destroys the medium. Which one fits depends on the medium and the risk; flash memory such as SSD and NVMe needs a different approach than a classic hard drive.
Method per device and sensitivity
Not every storage medium calls for the same treatment. The right method is chosen on device type and data sensitivity: for most business data Purge is sufficient, for the highest classifications or defective media Destroy is applied. That way the treatment maps to your own internal requirements instead of a single fixed route.
Certificate per medium and audit report
Every successful sanitization produces a wipe certificate per storage medium, stating the method applied and the serial number. The matching audit report is automatically stripped of foreign metadata on upload and bundled in your archive. Your auditors find the evidence per device, ready for your own compliance file.
On-site or secured facility
Where the wiping happens is partly your call. With the on-site option the data stays on your own premises until it is wiped, so no medium leaves the building with the data still on it. If wiping happens elsewhere, it takes place in a secured processing facility, after which the hardware moves further down the chain.
Sanitization decoupled from the sale
Data destruction is fully separate from the eventual sale. Hardware is wiped and certified first; only after that final clearance does a buyer get access. That sequence is enforced in the platform, not merely promised: the status only advances once the evidence is in.
Frequently asked questions
about the NIST 800-88 protocol
How is this different from just formatting?
Formatting only removes the references, not the data itself, which stays recoverable. NIST 800-88 ensures the data is genuinely removed beyond recovery.
Which method (Clear, Purge or Destroy) do I need?
That depends on the device type and the sensitivity of the data. For most business data Purge is sufficient; for the highest classifications or defective media Destroy is applied.
Do I get proof it was done to NIST 800-88?
Yes. For every storage medium you receive a wipe certificate stating the method applied and the serial number, plus an audit report in your archive.
Does my data leave the building before it is wiped?
With the on-site option the data stays on your own premises until it is wiped. If wiping happens elsewhere, it takes place in a secured processing facility, and a buyer only gets access after the certified clearance.
Take no risk with your data.
Tie your decommissioning directly to the strictest international standards. Start a portfolio scan or get in touch for a tailored enterprise solution.