Built for the audit you haven't scheduled yet.
Compliance in ITAD is not a feature -- it is the foundation. Every action in reCore produces a verifiable, timestamped record tied to an identified operator. When an auditor asks for documentation, you don't scramble to compile it. You export it.
NIST SP 800-88 Rev 2 compliant certificates
Every verified data wipe in reCore produces a PDF certificate of destruction that meets the documentation requirements of NIST SP 800-88 Rev 2. This is the standard referenced by R2, e-Stewards, and most enterprise data destruction policies.
Each certificate includes: device make, model, and serial number; drive serial number and specifications; sanitization method and compliance standard; start and completion timestamps in UTC; operator identification; verification method and result; SHA-256 file integrity hash; and authorizing organization details.
The certificate file itself is hashed (SHA-256), so any modification to the PDF after generation is detectable. This is tamper-proof documentation in the literal sense.
Separation of duties
NIST SP 800-88 recommends that the person who performs data sanitization should not be the same person who verifies and approves the result. reCore enforces this at the system level, not as a policy recommendation.
When a technician completes a data wipe, an administrator or authorized verifier must review the results and approve certificate generation. The system checks the identity of both parties and blocks the action if they are the same person. No workarounds, no overrides.
This creates a clean, three-role chain: the operator who performs the wipe (identified by PIN), the verifier who reviews and approves (cannot be the operator), and the administrator who manages users, generates reports, and maintains organizational settings.
The audit trail
Every action in reCore is recorded with a UTC timestamp, the identity of the user who performed it, and the context in which it occurred. This includes:
None of these records can be modified or deleted after creation. The audit trail is append-only by design. When an auditor asks "who wiped this device, when, and how was it verified?" the answer is a database query, not a filing cabinet search.
Reporting for audits and clients
reCore generates several types of reports designed for external consumption:
Batch reports -- Multi-sheet Excel workbooks containing a summary page, full device inventory, test results across all devices, grade distributions, and wipe records with certificate references. This is the document you hand to an R2 auditor or attach to a client invoice.
Device reports -- Per-device reports showing the complete processing history from intake to certificate. Useful for individual device lookup, customer inquiries, or post-sale support.
Certificate archives -- Bulk export of PDF certificates filtered by batch, client, date range, or wipe method. Downloaded as a ZIP file ready for auditor submission.
All reports are generated on-demand from live data. There is no stale report cache -- the export you download at 3pm reflects the state of the system at 3pm.
Standards alignment
reCore's compliance features are designed around the requirements of the most commonly encountered ITAD audit frameworks:
NIST SP 800-88 Rev 2 -- The primary reference for data sanitization methods, verification procedures, and documentation requirements. reCore implements all three sanitization categories (Clear, Purge, Destroy) and generates certificates that meet the publication's documentation guidance.
R2 (Responsible Recycling) -- Requires documented data destruction procedures, trained operators, and verifiable records. reCore's per-device audit trail, separation of duties, and certificate system address these requirements directly.
e-Stewards -- Requires trackable chain of custody and documented proof of data destruction. reCore's per-drive serial tracking and timestamp chain provide the traceability this certification demands.