The ABC’s of Certified Destruction

Certified destruction is the documented, standards-based destruction of records and data so the information cannot be reconstructed, carried out by a vetted provider that issues a certificate of destruction for every job. The credentials that signal a provider can do it properly are SOC 2 Type 2 and HIPAA compliance, backed by a documented chain of custody.

Getting rid of records you no longer have to keep sounds like the easy part of information management. Shred the paper, wipe the drives, move on. The catch is that how you destroy information is regulated as tightly as how you store it, and “we threw it away” is not a defense a regulator accepts.

The cost of getting it wrong is not abstract. IBM’s Cost of a Data Breach Report 2025 put the global average breach at 4.44 million dollars and the United States average at a record 10.22 million. A box of unshredded files or a drive that was “wiped” but is still readable can be the entry point. The Federal Trade Commission’s Disposal Rule, under the Fair and Accurate Credit Transactions Act, requires any business that holds consumer information to destroy it so it cannot be reconstructed. So the real question is not whether to destroy records securely, but how to prove you did.

That proof comes down to a short list of terms every buyer should understand before hiring a destruction provider: certified destruction, SOC 2 Type 2, and HIPAA compliance. Here is what each one means and why it matters.

What Certified Destruction Actually Means

Certified destruction is destruction performed to a defined standard, under a documented chain of custody, by trained and screened staff, ending in a certificate of destruction. It covers paper and digital media, and the standard applied depends on how sensitive the information is and what kind of media holds it.

Certified destruction is not a single method. For paper, it means cross-cut shredding to a particle size small enough that reconstruction is not realistic. For digital media, it means sanitizing or physically destroying the long tail of devices that hold data: hard drives, backup tapes, CDs, microfilm, USB flash drives, access cards, even retired smartphones and printers. A certified provider secures the material from the moment of pickup through final destruction, completes the work in a secure facility within a guaranteed window, and documents every handoff along the way.

Paper and Digital Are Destroyed to Different Standards

Two standards define the word “destroyed.” Paper is measured by the DIN 66399 particle-size levels, P-1 through P-7. Digital media follows NIST SP 800-88, which sets three levels: Clear, Purge, and Destroy. Deleting a file or reformatting a drive meets neither standard.

On paper, a strip-cut office shredder at level P-1 or P-2 is adequate for junk mail and little else. Regulated personal, financial, and health records belong at P-4 or higher, where particles are no larger than 160 square millimeters. On digital media, the federal benchmark is NIST Special Publication 800-88. Clear uses overwriting and defends against simple recovery. Purge applies stronger methods such as cryptographic erase or degaussing that defeat laboratory recovery. Destroy physically ruins the media so it can never be reused. Deleting a file only removes the pointer to it; the data stays on the drive and is recoverable with basic tools. For any drive leaving your control, physical destruction is the only method that leaves nothing behind.
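To make the difference between “deleted” and “cleared” concrete, here is a small added model written for this section (it is example code, not GRM’s tooling and not the NIST reference procedure). It simulates a volume as a directory table plus a flat data area, the way a minimal FAT-style filesystem works. Deleting a file and quick-formatting the volume only touch the directory, so a raw scan of the data area still finds the record; a NIST SP 800-88 Clear overwrites the blocks first, so the same scan finds nothing. The `ToyDisk` class, the `residual_after` helper, and the `SSN:123-45-6789` record are all constructed for the illustration.

```python
"""Toy block device showing why deleting or reformatting is not sanitization.

Everything here is a simplified model built for this illustration: the disk
layout, the delete / quick_format / clear operations, and the carving scan.
It is not a vendor's tool and not the NIST 800-88 reference procedure.
"""
from dataclasses import dataclass, field

BLOCK_SIZE = 16


@dataclass
class ToyDisk:
    """A directory table plus a flat data area, like a minimal FAT-style volume."""
    num_blocks: int = 8
    data: bytearray = field(init=False)
    # name -> (first_block, length); this is the only "pointer" to file contents
    directory: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.data = bytearray(self.num_blocks * BLOCK_SIZE)

    def write_file(self, name: str, first_block: int, payload: bytes) -> None:
        """Place the payload at a block and record a directory entry for it."""
        start = first_block * BLOCK_SIZE
        if start + len(payload) > len(self.data):
            raise ValueError("payload does not fit on the toy disk")
        self.data[start:start + len(payload)] = payload
        self.directory[name] = (first_block, len(payload))

    def delete_file(self, name: str) -> None:
        """'Delete' as most filesystems implement it: drop the directory entry only."""
        del self.directory[name]

    def quick_format(self) -> None:
        """A quick reformat resets the directory; the data area is untouched."""
        self.directory.clear()

    def clear_file(self, name: str, passes: int = 1) -> None:
        """NIST SP 800-88 'Clear' in miniature: overwrite the blocks, then unlink."""
        first_block, length = self.directory[name]
        start = first_block * BLOCK_SIZE
        for _ in range(passes):
            self.data[start:start + length] = b"\x00" * length
        del self.directory[name]

    def carve(self, marker: bytes) -> list:
        """Forensic-style carving: scan the raw data area, ignoring the directory."""
        hits, pos = [], self.data.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(marker, pos + 1)
        return hits


# Constructed sample record; no real identifier.
RECORD = b"SSN:123-45-6789"


def residual_after(op: str) -> int:
    """Write one record, apply `op`, and return how many copies a raw scan still finds."""
    disk = ToyDisk()
    disk.write_file("patient.txt", 2, RECORD)
    if op == "delete":
        disk.delete_file("patient.txt")
    elif op == "quick_format":
        disk.quick_format()
    elif op == "clear":
        disk.clear_file("patient.txt")
    else:
        raise ValueError(f"unknown operation: {op}")
    return len(disk.carve(RECORD))


if __name__ == "__main__":
    for op in ("delete", "quick_format", "clear"):
        print(f"{op:13s} -> {residual_after(op)} recoverable copy/copies")
```

Running it prints one recoverable copy after `delete` and after `quick_format`, and zero after `clear`. The model only covers the Clear level; Purge (cryptographic erase, degaussing) and Destroy (physical destruction) work below the filesystem and are exactly the levels a provider reaches for when a drive is leaving your control.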

SOC 2 Type 2 Certification

SOC 2 Type 2 is an independent audit of how an organization actually handles security, availability, processing integrity, confidentiality, and privacy over a period of time. For a destruction provider, it confirms that data is protected throughout the destruction process, not just on paper.

SOC 2, short for System and Organization Controls, was created by the American Institute of Certified Public Accountants (AICPA). A Type 2 report goes further than Type 1: it tests whether the controls operated effectively across a span of months, not just whether they existed on a single day. An independent CPA performs the audit. If a provider stores or destroys digital information, especially in the cloud, SOC 2 Type 2 is the evidence that an outside auditor, not the vendor’s marketing team, has examined how the work is done.

HIPAA Compliance

HIPAA compliance means a provider follows the federal rules for destroying protected health information, covering both the timing and the method, for paper and electronic records alike. For any organization that touches health data, it is not optional.

The Health Insurance Portability and Accountability Act became federal law in 1996 and was strengthened by the HITECH Act and the 2013 Omnibus Rule. The Department of Health and Human Services regulates how protected health information is stored, shared, and destroyed, and has stated plainly that leaving records in a public dumpster is not acceptable disposal. A HIPAA-compliant provider trains every employee who handles health information and destroys it under documented, compliant procedures. Penalties for getting it wrong reach into the millions, so for healthcare organizations the provider’s HIPAA posture is part of their own compliance.

The Certificate of Destruction

A certificate of destruction is the document that turns “we destroyed it” into evidence. It records what was destroyed, when, by what method, and by whom, and it is the document an auditor or court asks for. Without it, you cannot prove that retired records are actually gone.

Every destruction job should end with one. In an audit, the certificate is proof that you disposed of records under policy. In litigation, it answers the discovery question for records you no longer hold: you can show they were destroyed on schedule, before any duty to preserve attached, rather than leaving an unexplained gap that invites an adverse inference. Keep each certificate for as long as the underlying records would have been retained.

How GRM Handles Certified Destruction

GRM’s paper shredding and data destruction services are SOC 2 certified, run under a documented chain of custody, with destruction completed within 48 hours of pickup and a certificate of destruction issued for every job. The service covers paper and digital media alike, from hard drives and backup tapes to CDs, microfilm, and USB devices, through document shredding services across 15 regions nationwide. Because destruction is the last step in the records lifecycle, GRM checks retention before anything is destroyed: if records are not yet eligible, they can move to secure document storage or be scanned instead of shredded. To plan a one-time purge or scheduled shredding, request a free quote.

Frequently Asked Questions

What does certified destruction mean?

Certified destruction is the destruction of records and data to a defined standard, under a documented chain of custody, by trained and screened staff, ending in a certificate of destruction. It applies to both paper and digital media, and the method used depends on the sensitivity of the information and the type of media being destroyed.

What certifications should a document destruction provider have?

Look for SOC 2 Type 2, which independently audits a provider’s security and confidentiality controls over time, and HIPAA-compliant processes if any health information is involved. The provider should also issue a certificate of destruction for every job and follow a documented chain of custody, with background-screened staff and secure transport from pickup through final destruction.

Does deleting a file or reformatting a drive destroy the data?

No. Deleting a file removes the pointer to it while the data remains on the drive and is recoverable with basic tools. Reformatting is similar. To destroy digital data you need a method from the NIST SP 800-88 framework, Clear, Purge, or Destroy, chosen by sensitivity. For retired or highly sensitive drives, physical destruction is the only method that leaves nothing recoverable.

What is a certificate of destruction?

It is the formal document confirming which materials were destroyed, when, by what method, and by whom. It closes the chain of custody and serves as proof in audits and litigation. Without a certificate, an organization cannot demonstrate that retired records were actually destroyed under policy, which creates exposure for material it no longer holds.

Is document shredding HIPAA compliant?

It can be, when handled by a provider that follows HIPAA-compliant policies and procedures, trains the staff who handle protected health information, and documents the destruction. For healthcare organizations and anyone handling PHI, using a provider with HIPAA-compliant destruction processes is part of meeting their own compliance obligations.