Compliance & Security Steps on Intake: Asking the Awkward Questions Up Front

The two intake steps that capture compliance and security requirements before a request goes live, why they exist before the bid round, and how they map to service codes.

A trade-in request that goes out without saying “we need NIST 800-88 Purge” is a request that gets bids back at the wrong price level — and a customer who realises the gap after award has a problem nobody wants. The two intake steps for compliance and security exist so the requirements land before the bid round opens, not after.

The compliance step

This is the step in the intake wizard where the customer picks the compliance frameworks the disposal must meet: GDPR data-erasure, R2v3 chain of custody, ADISA conformance, NAID AAA destruction, ISO 14001 environmental, and sector-specific regimes (HIPAA for healthcare, PCI-DSS for payment-handling devices). Each framework selected becomes a constraint on which ITADs can bid: only ITADs whose Coverage indicates active conformance are routed the request.

The security step

This is a separate step where the customer picks security requirements: data-erasure standard (NIST 800-88 Clear / Purge / Destroy), on-site vs. facility wipe, secure transport (vetted drivers, GPS-tracked vehicles), per-drive certification, and witness destruction. Like compliance, each pick maps to a service code that the matching engine uses to filter the bidder pool.

Why two steps, not one

Because compliance and security are different concerns, even when they overlap. A request can require GDPR (compliance) without requiring on-site destruction (security), or vice versa. Splitting the steps keeps the wizard scannable and the picks atomic — and the customer who only needs one of the two doesn’t see fields for the other.

Mapped to service codes

The picks aren’t free-form. Each compliance framework and each security requirement maps 1:1 to a service code in the platform’s seeded catalog. The bid form on the ITAD’s side surfaces the same codes — “the request requires NIST 800-88 Purge, your Coverage offers it, here’s the code on your bid for transparency.” One vocabulary across the request, the bid, and the eventual contract.

What happens if no ITAD matches

The platform shows the customer the relaxation suggestions: which constraints, if loosened, would attract bids. “Drop on-site destruction; 4 ITADs would bid.” Or “drop ADISA conformance; 7 ITADs would bid (still NIST 800-88 Purge).” The customer can adjust before publishing, instead of publishing a request that gets crickets.
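
The filter and the relaxation suggestions described above can be sketched as set operations. This is an added example, not the platform's own code: the service codes, ITAD names and Coverage data are constructed, and only single-constraint relaxations are computed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data: hypothetical service codes and ITAD Coverage sets.
COVERAGE: Dict[str, FrozenSet[str]] = {
    "itad-a": frozenset({"CMP-GDPR", "SEC-NIST-PURGE", "SEC-ONSITE"}),
    "itad-b": frozenset({"CMP-GDPR", "SEC-NIST-PURGE", "SEC-ONSITE"}),
    "itad-c": frozenset({"CMP-GDPR", "CMP-ADISA", "SEC-NIST-PURGE"}),
    "itad-d": frozenset({"CMP-GDPR", "CMP-ADISA", "SEC-NIST-PURGE"}),
    "itad-e": frozenset({"CMP-GDPR", "CMP-ADISA", "SEC-NIST-PURGE"}),
    "itad-f": frozenset({"CMP-GDPR", "CMP-R2V3"}),
}


def eligible(required: Set[str],
             coverage: Dict[str, FrozenSet[str]] = COVERAGE) -> List[str]:
    """ITADs whose Coverage contains every required code.

    The filter fails closed: an ITAD missing even one required code,
    or a code that no ITAD offers, yields no routing.
    """
    return sorted(name for name, codes in coverage.items() if required <= codes)


def relaxations(required: Set[str],
                coverage: Dict[str, FrozenSet[str]] = COVERAGE
                ) -> List[Tuple[str, int]]:
    """For each required code, count the bidders gained by dropping only it.

    Returns (code, bidder_count) pairs, largest pool first, and omits
    codes whose removal would not enlarge the current pool.
    """
    base = len(eligible(required, coverage))
    gains = []
    for code in required:
        count = len(eligible(required - {code}, coverage))
        if count > base:
            gains.append((code, count))
    return sorted(gains, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    request = {"CMP-GDPR", "CMP-ADISA", "SEC-NIST-PURGE", "SEC-ONSITE"}
    print("eligible:", eligible(request))
    for code, count in relaxations(request):
        print(f"drop {code}: {count} ITADs would bid")
```

Each suggestion removes exactly one constraint and leaves the rest enforced, which is why a suggestion to drop ADISA can still state that NIST 800-88 Purge remains required.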