IT asset disposal for MSP clients: from onboarding to destruction
A Managed Service Provider manages hardware on behalf of clients: laptops, workstations, servers, firewalls, mobile phones and backup media. That hardware contains client data. When a device goes out of service, via lease end, fault, or refresh cycle, the medium must be destroyed or securely wiped in a verifiable manner. This article describes how an MSP integrates asset disposal with onboarding, so the chain from intake to destruction closes.
The role of the MSP as processor
When you manage client hardware, you are a GDPR processor within the meaning of Art. 28. The client is the controller, you are the processor, and the destruction party is the sub-processor. Hence there is a processor agreement between client and MSP, and a processor agreement between MSP and destroyer. See also our processor agreement checklist.
Chain of custody starts at onboarding
A chain-secure destruction route does not start at the end, but at registration. At onboarding you record per asset:
- Serial number and asset label.
- Type of media (HDD, SSD, NVMe, LTO, optical).
- Owner (which client, which contract).
- Encryption status (FDE on/off, BitLocker, FileVault, LUKS).
- Date in management.
At offboarding you record per asset:
- Date out of service.
- Reason (refresh, fault, lease end, theft/loss).
- Chosen route: wipe, degauss, destroy.
- If destroy: which standard, which destroyer, which certificate number.
Which route for which medium?
Classic HDD
Wiping to DoD standards works, but it fails on drives with faults or with partitions that cannot be mounted. In practice, physical destruction to DIN 66399 H-4 is the straightforward choice. See our explanation in hard drive wipe vs destroy.
SSD and NVMe
Wear-levelling and reserve blocks make secure erase unreliable. Even ATA Secure Erase and vendor tools leave traces. The practical standard for SSDs with client data is E-4: physical destruction to particles up to 30 mm². Background in destroying SSDs: why wiping does not work.
Mobile phones
Factory reset clears most data, but leasing companies often ask for destruction certificates for faulty units or devices with inaccessible partitions. See Mobile phones lease end.
LTO tapes and backup media
Degaussing or physical destruction, depending on retention period and client request. See backup tapes LTO tidy-up.
An MSP managing hardware for twenty clients has dozens of media going out of service per quarter. A collection round with one mobile destruction visit per quarter is usually cheaper and more chain-secure than disposing of media piece by piece.
Mobile destruction at MSP site or client site
Two workable models:
- Collecting at the MSP site. Assets from different clients come into a sealed room. Each quarter DeSnipperaar comes round and destroys everything in the car park. A separate certificate per client.
- Directly at the client site. For sensitive clients (financial, care, government) hardware is not taken away. Destruction takes place on the client premises, with MSP manager and client as witnesses.
Documentation for the client
Every asset going out of service is linked to a destruction certificate. The client receives an overview per quarter or at end of contract: which assets, which standard, which certificate number. That is evidence for the client's GDPR processing register, and gives you as MSP a professional handover document.
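The following is an added example, not DeSnipperaar's or any MSP's own tooling: a check that every out-of-service asset is linked to a certificate and, when destroyed, to the standard this article names for its medium, grouped per client for the quarterly overview. The register layout, function names and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Standards the article names per medium: H-4 for HDDs, E-4 for SSD and NVMe.
REQUIRED_STANDARD = {"HDD": "H-4", "SSD": "E-4", "NVMe": "E-4"}
ROUTES = {"wipe", "degauss", "destroy"}

def asset(serial, client, media, out=None, reason=None, route=None,
          standard=None, destroyer=None, cert=None):
    """Build one register row (hypothetical layout using the article's fields)."""
    return dict(serial=serial, client=client, media=media, out=out, reason=reason,
                route=route, standard=standard, destroyer=destroyer, cert=cert)

# Constructed sample data: serials, clients and certificate numbers are made up.
REGISTER = [
    asset("SN-0001", "Client A", "SSD", "2025-01-14", "refresh", "destroy", "E-4", "Destroyer X", "CERT-1001"),
    asset("SN-0002", "Client A", "HDD", "2025-01-14", "fault", "destroy", "H-4", "Destroyer X"),
    asset("SN-0003", "Client B", "NVMe", "2025-02-03", "lease end", "destroy", "H-4", "Destroyer X", "CERT-1003"),
    asset("SN-0004", "Client B", "SSD", "2025-02-03", "refresh", "wipe"),
    asset("SN-0005", "Client B", "HDD"),  # still in management
]

def custody_gaps(a):
    """Return why an out-of-service asset's chain is not closed (empty list = closed)."""
    gaps = []
    if not a["reason"]:
        gaps.append("no reason recorded")
    if a["route"] not in ROUTES:
        gaps.append("no valid route recorded")
    elif a["route"] == "destroy":
        gaps += [f"missing {f}" for f in ("standard", "destroyer", "cert") if not a[f]]
        want = REQUIRED_STANDARD.get(a["media"])
        if want and a["standard"] and a["standard"] != want:
            gaps.append(f"standard {a['standard']}, expected {want} for {a['media']}")
    elif a["route"] == "wipe" and a["media"] in ("SSD", "NVMe"):
        gaps.append("wipe chosen for flash media")  # the article treats this as unreliable
    return gaps

def client_overview(register):
    """Per client: closed assets (serial, standard, certificate) and open gaps."""
    report = defaultdict(lambda: {"closed": [], "open": {}})
    for a in register:
        if not a["out"]:
            continue  # not yet offboarded
        gaps = custody_gaps(a)
        if gaps:
            report[a["client"]]["open"][a["serial"]] = gaps
        else:
            report[a["client"]]["closed"].append((a["serial"], a["standard"], a["cert"]))
    return dict(report)
```

Any entry under "open" is an asset that cannot yet appear on the client's overview as closed.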
Benefits of the mobile approach for MSPs
- No intermediate stop at an external processing centre: the chain stays short.
- The client can attend and witness if desired.
- Certificate the same day, no weeks of waiting.
- Volumes from 10 kg of data media to several hundred kilos of paper fit in one visit.
Quarterly round for your MSP?
We come with the shredder truck to your MSP site or to clients in the region. DIN 66399 E-4 for SSDs, H-4 for HDDs and tapes. A separate certificate per client.
Sector page
More on our approach for MSPs, IT managers and systems-management firms at IT service providers & MSPs.
Integrating asset disposal into your service delivery? Request a quote and discuss with us what a quarterly route would look like for your client portfolio.