White Paper: “Vendor Risk Management: Due Diligence Compliance Report”
Vendor due diligence is no longer a compliance formality—it’s a fundamental component of cybersecurity, legal defensibility, and fiduciary accountability.
In an era of accelerating digital risk, your organization’s resilience depends on more than internal controls—it hinges on the trustworthiness, compliance, and transparency of your third-party vendors. As highlighted in the Wall Street Journal’s “What Keeps CIOs Up at Night,” the practices and vulnerabilities of your external partners are now core to your own security profile.
Due Diligence: A Legal and Operational Imperative
Federal and state privacy regulations—including HIPAA, GLBA, SOX, GDPR, and CCPA—require documented due diligence on any third party that processes, stores, or disposes of sensitive data. The Office of the Comptroller of the Currency (OCC) offers one of the clearest regulatory frameworks in its guidance on third-party risk management—one that should be adopted by any organization with a duty to safeguard client data and mitigate supply chain risk.
Vendor Due Diligence Requirements and BTTF’s Compliant Response
1. Vendor Selection and Capability Assessment
Regulatory Requirement:
A formal, documented evaluation of the vendor’s qualifications and internal controls must precede any engagement. Prior business relationships or general familiarity are not sufficient substitutes for evidence-based assessment of the vendor’s operational competence, legal compliance, and service delivery capacity.
BTTF Response:
Back Thru The Future maintains a robust set of third-party-validated certifications and technical standards compliance that demonstrate consistent, auditable operational discipline:
- NAID AAA Certification for secure data destruction – the global benchmark for information disposal security.
- ISO 9001:2015 – Quality Management Systems, ensuring repeatable, measurable, and customer-centric service processes.
- ISO 14001:2015 – Environmental Management Systems, supporting full environmental compliance and sustainability standards.
- ISO 45001:2018 – Occupational Health & Safety, ensuring safe, risk-managed operations across all facilities and field services.
- R2 (Responsible Recycling) Certification, affirming responsible e-waste handling, data security, and downstream accountability.
- NIST 800-88 Guidelines for Media Sanitization Compliance, ensuring that all data-bearing devices are destroyed or sanitized in accordance with the U.S. government’s highest recognized standard for secure data disposal.
2. Legal and Regulatory Compliance
Regulatory Requirement:
The vendor must be fully authorized to perform contracted services and maintain compliance with all applicable legal and regulatory requirements—including licensing, permitting, and data privacy laws. Compliance must be demonstrated through current documentation and verified through regulator or third-party sources where applicable.
BTTF Response:
BTTF is a fully licensed Universal Waste electronics processing destination facility, permitted by the New Jersey Department of Environmental Protection and the U.S. Environmental Protection Agency (EPA).
We maintain compliance with environmental regulations in all 50 states, many of which legally require data-bearing electronics to be recycled by state-authorized entities. For example, in New Jersey and Connecticut, hard drive destruction services such as shredding or degaussing are explicitly prohibited without a valid Universal Waste Processing Permit, which BTTF holds.
Our data destruction services also conform to the NIST 800-88 Guidelines for Media Sanitization, satisfying federal mandates under HIPAA, GLBA, FACTA, and other applicable laws. We provide documented Certificates of Destruction to support audit trails and legal defensibility.
3. Business Experience, Reputation, and Stability
Regulatory Requirement:
Due diligence must examine the vendor’s history, reputation, resource capacity, market position, and any record of litigation or regulatory action. Reference checks and a review of business continuity planning are essential in evaluating long-term vendor viability.
BTTF Response:
Back Thru The Future is a 30+ year veteran in the secure data destruction industry. We were the first U.S. electronics recycler to achieve NAID AAA certification and helped shape national best practices in information disposal and compliance.
Today, we support over 1,000 clients across the Northeast United States, including a 70% market share among New Jersey-based community banks and hospitals. We provide detailed reference lists, litigation-free operational history, and continuity planning documentation as part of our client onboarding process.
4. Insurance and Risk Transfer Mechanisms
Regulatory Requirement:
Adequate insurance is a critical safeguard in vendor management. Required coverage includes fidelity bonds (employee dishonesty), professional liability (errors and omissions), general liability, and environmental liability coverage.
BTTF Response:
BTTF maintains and annually renews comprehensive insurance policies that include:
- $5M Professional Liability Coverage
- $5M Employee Dishonesty/Fidelity Bond
- $5M Pollution/Environmental Liability Insurance
- Standard General Liability, Workers’ Compensation, and Auto Coverage
We provide Certificates of Insurance (COI) to all clients during onboarding and as part of our compliance documentation portfolio.
5. Cybersecurity Controls and Information Governance
Enhanced Due Diligence Requirement:
Organizations must review a vendor’s cybersecurity posture, including physical security, data handling protocols, breach readiness, encryption standards, and employee training in security best practices.
BTTF Response:
BTTF operates under a formal Information Security Management Program aligned with NIST and ISO 27001 principles. Key controls include:
- Documented chain-of-custody procedures
- Secure password-protected client portal access
- Secure and restricted access to all processing areas
- Video documentation of destruction (available upon request)
- Regular staff training in handling, data security, and compliance protocols
Our policies and procedures are audited by third-party certifying bodies as part of our ISO and NAID programs.
6. Ongoing Monitoring, Audit Rights, and Transparency
Enhanced Due Diligence Requirement:
Due diligence does not end at contract signature. Organizations must conduct periodic vendor reviews and secure audit rights to ensure long-term compliance and accountability.
BTTF Response:
We support continuous monitoring through:
- Annual renewals of all certifications
- Quarterly compliance documentation updates
- On-demand access to records and certificates
- Client audit support, including site visits and remote reviews
- Proactive reporting of any regulatory or operational changes
We operate as a fully transparent, auditable service provider committed to ongoing client assurance and regulatory alignment.
Final Recommendation: Compliance is a Process—Not a Promise
Third-party vendor risk is now a primary threat vector in data protection, legal compliance, and operational resilience. Trust must be earned—and validated—through certified, consistent, and well-documented practices. Back Thru The Future is not just a service provider—we are a strategic compliance partner equipped to meet your regulatory, operational, and audit expectations with confidence.
Request our complete Vendor Risk Management documentation packet or schedule a compliance briefing today.
100% of our client quality control surveys rate both our pre-project and post-project communications as “Excellent”.
92% of our new client quality control surveys have been returned marked “exceeded expectations”.
Why not get a project price quote and find out how inexpensive great service can be?
