IT asset disposal DPDP India: a Bengaluru SaaS storeroom and 280 signed certificates
A working story on IT asset disposal under India's DPDP Act. One 240-person Bengaluru SaaS firm. 280 retired laptops and 60 retired phones in a storeroom. Nine working hours from the door opening to a signed PO and a per-device certificate flow. The conversations the CFO and the auditor would actually read.

One Friday morning at a 240-person Bengaluru SaaS firm, the IT head walked into a storeroom holding 280 retired laptops and 60 retired Android phones. The refresh batch had landed two days ago. Nobody had a written disposal plan.
Inside nine working hours he moved from “we will figure it out next week” to a signed PO for certified erasure plus chain-of-custody pickup. The conversations in between are what most Indian SaaS firms never put on paper.
If you read only one line: under the DPDP Act, a retired laptop with cached customer data is the same controllable risk as a live endpoint. Section 33 caps penalties at Rs 250 crore. The asset register that says “disposed” without a per-device certificate is, to the auditor, a register that says “still live.”
08:55 AM · Whitefield, Bengaluru
The storeroom door he had been avoiding
Vikram heads IT at a Series B SaaS firm in Whitefield. 240 employees, three offices, a customer base that includes two Indian banks and an insurer. The refresh batch had arrived on Wednesday. 280 four-year-old laptops, 60 retired Android handsets from the field sales team, and a single line item on the asset register that read “to be disposed.” Vikram had walked past the storeroom twice on Thursday and had not opened the door.
Friday morning he opened it. The pallets had been stacked tidy by the courier. Each laptop still had the original asset tag. Each phone was in a cable-tied bundle of ten. The total replacement cost of the data sitting on those drives, if any one of them was lifted, was a number he had never bothered to compute. He computed it standing in the doorway. Customer KYC pointers on the sales team handsets. Source code repositories cached on the engineering laptops. A pricing model spreadsheet on the CFO’s old machine that was sitting eight rows from the door.
The asset register said “disposed.” The pallets said otherwise.
He opened his notebook and wrote one line at the top. “How do we prove to the auditor in November that nothing from these 340 devices left this building?” Underneath it he wrote a second line. “And how do we prove it before then, not after.”
I have walked roughly forty Indian IT heads through this exact morning since the DPDP rules were notified. The pattern repeats. The refresh batch lands. The procurement story is celebrated. The disposal story is filed under “next quarter.” Then a board observer asks a clean question and the storeroom becomes a compliance problem instead of a logistics one.
10:30 AM · Office cafeteria, third floor
The HR head who said the obvious thing first

Meera runs People Operations. She was already at the corner table with a filter coffee when Vikram sat down. She had clocked his face.
“You look like you finally opened that storeroom.”
“Yeah. 280 laptops, 60 phones, four years of customer data on the drives. Sales had KYC pointers. Engineering had source. The CFO’s old machine had a pricing model. I am supposed to send them out next week to a local recycler somebody from facilities found on JustDial.”
“Tell me you are not actually doing that.”
“I am not. But I do not yet have an alternative on paper. And the DPDP audit window opens in November.”
“Then the problem is not the recycler. The problem is that you do not have a certificate.”
Vikram looked up. Meera had compressed the whole morning into one sentence. She did not say “do certified erasure.” She did not say “get a NAID-AAA vendor.” She said the auditor’s word. Certificate. A piece of paper, signed, with a chain of serial numbers and a date, that the firm could produce on demand.
“Shilpa will ask you at the 12:15 budget review what the line item is for. You can either walk in saying ‘I need three lakhs for asset disposal,’ which she will defer to next quarter. Or you can walk in saying ‘I need three lakhs to produce a defensible audit trail for 340 devices that currently sit in our storeroom uncertified.’ Same money. Two different answers.”
I keep coming back to this scene with founders. The HR head was right because she heard the question through Shilpa’s ears. The CFO does not buy disposal services. The CFO buys the ability to answer one question from one auditor with one file. Walk into the budget meeting with the question already written down and you usually walk out with the cheque.
12:15 PM · CFO Shilpa’s office, fourth floor
The budget conversation that paid for the rest of the day

Shilpa is the CFO. She had been at the firm for nineteen months and had walked into the room with the same expression she always wore for IT line items. The printout of the FY26 IT spend sat in front of her. She turned the page once and looked up.
“What is the disposal number for?”
“Three things. One, certified data erasure on 340 retired devices currently sitting in the second-floor storeroom. Two, a chain-of-custody pickup by a CPCB-authorised recycler with a serial-numbered manifest. Three, a signed certificate of destruction per device that we can hand to the auditor in November. Total line is Rs 2.8 lakh including GST.”
“Last quarter the asset register said this was already done.”
“Last quarter the asset register said the devices were marked for disposal. Disposal as accounting status, not disposal as data event. The devices are still on the premises and the data on them is still readable. The line on the register was correct for the books and wrong for the regulator.”
“And the alternative?”
“The alternative is that the November auditor asks ‘show me the certificate of destruction for serial XYZ that the engineering team retired in February,’ and I do not have one. Under DPDP Act Section 8, that is a reasonable-security failure. The Section 33 ceiling is Rs 250 crore. For a Series B SaaS firm carrying customer KYC and source code, the realistic penalty bracket is Rs 25 lakh to Rs 2 crore. The IBM Cost of a Data Breach Report 2024 puts the average Indian breach at Rs 19.5 crore. The CPCB E-Waste Rules add a separate fine track of up to Rs 1 lakh per violation. We are also a data processor for two banks. They will ask their own questions in their next vendor review.”
Shilpa did the thing CFOs do when they have decided but are not ready to say so. She read the printout for ten seconds longer than necessary. Then she capped her pen.
“Find a vendor who can produce the certificate per device, not per batch. I will sign the PO this evening if the scope says one certificate per serial.”
What just happened, mechanically. Vikram did three things many Indian IT heads do not do. He named the gap precisely. He framed the spend as evidence production, not as another service. He cited DPDP Section 8 and the CPCB rules in the same breath because the auditor will. The CFO signed because the cheque the auditor could read was the same one Vikram had drafted.
2:45 PM · Vikram’s desk, second floor
The vendor call that narrowed the scope

Karthik from Sirius Star called back twenty minutes after Vikram sent the enquiry. He did not open with a pitch. He opened with the inventory file Vikram had attached.
“Your file has 340 lines. 280 laptops, 60 phones. I count 47 laptops still on warranty, which means the OEM buyback might be live for those. 11 of the phones are MDM-enrolled per your last export to us, so we already have the EMM erasure baseline for those. The remaining 282 devices need three things. Let me name them.”
Three things. Certified data erasure to a recognised standard. Verified chain of custody from your storeroom to the recycler’s facility. A serial-numbered certificate of destruction returned to you within five working days of pickup.
“For the laptops we use NAID AAA-style sanitisation aligned with NIST SP 800-88 Purge. For SSDs we use the cryptographic erase plus single-pass overwrite verified with a sampling read. For HDDs we do a three-pass overwrite or a degauss and shred depending on your risk tier. The certificate names the device serial, the standard applied, the operator, and the verification result. For the phones we use the vendor EMM wipe plus a factory reset under our supervision, with a video log. R2v3-aligned facility for the downstream e-waste path.”
“Where does it happen. On-site or your facility.”
“Your storeroom for the first pass. We bring a mobile erasure rig and two of our techs. They wipe in your presence. Anything that fails verification gets shredded on the spot. Anything that passes gets sealed in a tagged container, manifest counter-signed by you, and trucked under GPS to the recycler. Certificate per device hits your inbox by Day 7. For 340 devices we are looking at two operating days on-site plus the certificate turnaround.”
“And the part nobody tells me. The number.”
“Rs 820 per laptop fully loaded for the certified-erasure pickup. Rs 320 per phone. Plus a fixed Rs 12,000 on-site mobilisation per pickup. For 340 devices on a single pickup window, the bill lands at Rs 2.71 lakh including GST. We also offer the OEM buyback path for the 47 in-warranty laptops, which usually returns Rs 8,000 to Rs 14,000 per device against the disposal line. If we book that, the net cost falls to Rs 2.0 to 2.4 lakh.”
Vikram wrote one line in capitals at the top of his notes. “Per-device certificate. Per-device traceability. Per-device price.”
“One more thing. Your CFO will ask whether ‘format and sell’ is cheaper. It is, by about Rs 600 per device. It also leaves you with zero defensible evidence that the data is gone. If even one device surfaces six months from now with a recoverable customer KYC file, the cost of explaining that to your bank customers is significantly more than what you saved. Do not invite that conversation.”
“Right. Send the scope. I will route the PO this evening.”
5:30 PM · Vikram’s desk, lights coming on outside
The auditor’s email that arrived right on cue

The vendor review committee from one of the bank customers sent the quarterly questionnaire at 5:14 PM. Question 11 read, in the standard phrasing the BFSI compliance teams have been using since the DPDP rules dropped. “Please attach evidence of certified data destruction for any of your retired endpoints that processed our customer data in the last 18 months.”
Vikram read it twice. Two hours earlier he would have had no answer. The signed PO sat in Shilpa’s inbox now, the on-site pickup was scheduled for Monday and Tuesday next week, and the certificates would be in his hands by the following Monday. He could write the reply tonight in three lines and attach the executed PO as evidence of programme commencement, with a commitment that the certificates would be forwarded by Day 14.
He wrote the reply. He copied Shilpa. He copied the compliance lead. He copied Meera, because she had earned it. The signed PO came back from Shilpa at 6:42 PM with one sentence at the bottom of her email.
“Good. Send me the first batch of certificates the Monday after pickup closes. And book the same vendor for next year’s refresh in advance.”
Vikram leaned back. Outside, Whitefield was lighting up in the way it does after 6 PM, when the campus buses start lining up. The storeroom downstairs still held 340 devices. By next Friday it would hold zero, and his filing system would hold 340 signed certificates. The auditor’s November question now had a Day-7 answer.
What this story teaches, mapped to your week
- Disposal as accounting status is not disposal as data event. The asset register marks a device “disposed” the moment it is removed from the active fleet. The DPDP auditor counts a device as live until you produce a certificate of destruction for that specific serial. Until then, the device is your problem.
- Frame ITAD as evidence production, not as e-waste collection. CFOs defer e-waste line items. CFOs sign certificate line items. The cheque is the same. The conversation is not.
- Per-device certificate is the only audit-grade output. Per-batch certificates do not survive a question that names a single serial. If the vendor cannot promise per-device, the vendor is selling you logistics, not compliance.
- Cite both regulatory tracks. DPDP Section 8 is the data-fiduciary track. The CPCB E-Waste Rules are the environmental track. Real Indian audits pull from both. Vendor proposals that name only one will get rejected by sharper compliance teams.
- Recover the salvage value where it is real. 30 to 40 percent of a typical refresh batch is in-warranty and OEM-buyback-eligible. Routing those through buyback rather than disposal often pays for the entire certified erasure on the remaining 60 percent. The vendor who does not raise this is leaving your money on the table.
Buyer’s checklist
IT asset disposal DPDP India: the four questions to answer in writing
Before your next standup, answer these four in writing. If you cannot answer any one of them with a number or a date, that is your gap.
- How many retired devices are physically on your premises today, and what data sat on each one when it was retired? Storeroom counts plus the last user roles. Sales handsets carry different evidence than engineering laptops.
- Do you hold a per-device certificate of destruction for every device retired in the last 18 months? Not a batch certificate. Not a recycler invoice. A signed per-serial certificate naming the standard applied. If the answer is “no” for any device that processed customer data, that device is your DPDP exposure.
- Who is your CPCB-authorised recycler and what is the GPS-tracked chain-of-custody record from your storeroom to their facility? A reputable ITAD vendor produces the manifest. A non-reputable one says “we will handle it.”
- What is the OEM buyback path for in-warranty devices in your refresh batch? 30 to 40 percent of a typical batch will qualify. If your disposal proposal does not net those off, you are paying twice.
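One way to answer the second question with a list of serials rather than a guess. This is an added example, not code from the firm or vendor in this story. It reconciles an asset register export against the certificates received and flags every device that is marked disposed without audit-grade evidence. The CSV layout, column names, status values and sample rows are constructed assumptions; the certificate fields are the ones named above (serial, standard applied, operator, verification result).

```python
import csv
import io
from collections import Counter

# Constructed sample data. Column names and status values are assumptions.
REGISTER_CSV = """serial,status
LT-0001,disposed
LT-0002,disposed
LT-0003,disposed
LT-0004,disposed
PH-0001,disposed
PH-0002,active
"""
CERTS_CSV = """cert_id,serial,standard,operator,verification
C-100,LT-0001,NIST SP 800-88 Purge,tech-a,pass
C-101,LT-0002,NIST SP 800-88 Purge,,pass
C-102,PH-0001,EMM wipe + factory reset,tech-b,fail
C-103,LT-0004,NIST SP 800-88 Purge,tech-a,pass
C-103,LT-9999,NIST SP 800-88 Purge,tech-a,pass
"""
REQUIRED = ("standard", "operator", "verification")  # fields a certificate must name


def reconcile(register_csv, certs_csv):
    """Return {serial: [problems]} for every device without audit-grade evidence."""
    certs = list(csv.DictReader(io.StringIO(certs_csv)))
    by_serial = {c["serial"].strip().upper(): c for c in certs}
    serials_per_cert = Counter(c["cert_id"] for c in certs)
    findings, registered = {}, set()
    for row in csv.DictReader(io.StringIO(register_csv)):
        serial = row["serial"].strip().upper()
        registered.add(serial)
        if row["status"].strip().lower() != "disposed":
            continue  # still in the active fleet, no certificate expected
        cert = by_serial.get(serial)
        if cert is None:
            findings[serial] = ["marked disposed, no certificate"]
            continue
        problems = [f"certificate missing {f}" for f in REQUIRED if not cert[f].strip()]
        if cert["verification"].strip().lower() not in ("", "pass"):
            problems.append("verification did not pass")
        if serials_per_cert[cert["cert_id"]] > 1:
            problems.append("batch certificate, not per-device")
        if problems:
            findings[serial] = problems
    for serial in by_serial.keys() - registered:
        findings[serial] = ["certificate for a serial not in the register"]
    return findings
```

Calling `reconcile(REGISTER_CSV, CERTS_CSV)` on the sample returns five flagged serials; an empty result is the state the register has to reach before it can honestly say “disposed.”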
For the broader compliance picture, pair this with our DPDP readiness checklist for HR and IT teams, our walkthrough on DPDP penalties for Indian SMBs, and our field-tested companion on USB data theft prevention for Indian companies.
Your storeroom is the audit answer or the audit question. There is no third option.
If you cannot produce a per-device certificate of destruction for any retired endpoint that touched customer data in the last 18 months, the auditor will. We will run a free 4-hour ITAD readiness scoping against your current inventory and tell you exactly which devices need certified erasure first, which qualify for OEM buyback, and what the per-device certificate flow looks like. No card. No contract. No sales call.
Questions Vikram wishes he had asked sooner
What exactly does IT asset disposal under India's DPDP Act mean in practice?
It means three artefacts the auditor will ask for, every time. First, certified data erasure aligned with NIST SP 800-88 Purge or equivalent, performed before the device leaves your premises or under verified custody. Second, a chain-of-custody manifest from your storeroom to the CPCB-authorised recycler. Third, a per-device certificate of destruction listing the serial, the standard applied, the operator, and the verification result. Anything less is logistics, not compliance.
We are a 90-person Indian startup. Do the DPDP rules really apply to our retired laptops?
Yes. DPDP Section 8 places the reasonable-security obligation on every data fiduciary regardless of size. If any device in your refresh batch ever processed personal data, customer KYC, employee PAN, or any regulated data type, then the disposal of that device is a DPDP-relevant event. The Rs 250 crore Section 33 ceiling is the upper bracket; the realistic enforcement bracket for a 90-person firm is Rs 5 lakh to Rs 50 lakh.
Can we just format the drives and sell the laptops to staff?
Formatting is not data erasure under NIST SP 800-88. A standard format leaves recoverable data on most SSDs and HDDs. Selling formatted devices to staff does not create the chain-of-custody record an auditor needs, and it usually voids any OEM buyback you could otherwise claim. The path costs about Rs 600 per device less than certified erasure and creates two distinct compliance problems. We do not recommend it for any device that processed customer data.
How long does a 300-device certified ITAD pickup take in India?
Two operatin






