The Laptop with Two SSDs and Zero Certificates

Here's a fun conversation to have with your compliance team at 9am on a Monday:

"How many erasure certificates do we generate per device?"

"One per device. Obviously."

"And how many storage devices does a Dell Latitude 5430 have?"

"One. It's a laptop. It has one drive."

"Check the spec sheet."

"...Two. It has two NVMe slots. And our configuration uses both."

"So how many erasure certificates should we have for 340 of them?"

Silence. The kind of silence that costs money.

The Per-Device Fallacy

Most ITAD systems track erasure at the device level. "Laptop RV-003412: wiped." One device, one status, one checkbox. Simple. Clean. Dangerously incomplete.

A modern Dell Latitude can have two NVMe SSDs. An HP EliteBook 850 sometimes has an NVMe plus a SATA drive. A Dell PowerEdge server can have twelve drives. A storage array? Don't even ask.

When your system says "device wiped," what it means is: something was wiped. Probably the primary drive. Possibly both. Maybe. You hope. The system doesn't know, because the system tracks devices, not storage media.

Your ADISA auditor, however, tracks storage media. Because ADISA understands that data doesn't live on laptops. Data lives on drives. And a laptop with two drives that only has one erasure certificate has a gap. A gap that looks, to a compliance auditor, like a liability. Because it is one.

Per-device erasure tracking is like taking attendance by counting desks instead of people. The number might match. But it probably doesn't. And when it doesn't, nobody can tell you who's missing.

680 Certificates, Not 340

Let's do the maths on a real scenario. A leasing company returns 340 Dell Latitude 5430s. Each has two NVMe drives. That's 680 individual storage devices that need to be independently erased, verified, and certified.

Your system generates 340 certificates. One per laptop. The auditor asks for 680. You can produce 340. Where are the other 340?

"We have a process."

"Is it documented?"

"...We have a spreadsheet."

The spreadsheet, inevitably, has 280 entries instead of 340 because someone forgot to log the last two days of work. The auditor writes a finding. The finding becomes an action item. The action item becomes a project. The project becomes a budget line. All because the system counted laptops instead of drives.

It Gets Worse with Modern Hardware

The two-SSD laptop is just the beginning. Modern hardware is getting more complex, not less.

Intel Optane memory modules sit alongside NVMe drives and cache data independently. Some business laptops have eMMC storage for the OS plus NVMe for user data. Workstations can have three or four drives in various configurations. And servers — servers are a different universe entirely, with RAID controllers that abstract physical drives into logical volumes that may or may not correspond to the actual media that needs to be sanitised.

The 2025 update to NIST 800-88 explicitly addresses this complexity. IEEE 2883-2022 goes further, providing sanitisation guidance specific to SSDs, NVMe drives, and embedded storage. Both standards emphasise per-media verification. Not per-device. Per-media.

If your system can't track at that level of granularity, it's not that your system is old. It's that your system was built for a world where laptops had one hard drive and servers had two. That world ended about five years ago. The compliance standards have caught up. Has your system?

The Certificate Chain

A proper erasure record for that Dell Latitude 5430 should look something like this:

Device: Dell Latitude 5430 — RV-000003412
Storage Device A: WD SN740 512GB — SN: WD-2026-44821
Erasure method: NIST 800-88 Purge
Completed: 2026-03-03 at 14:22:07 CET
Verified: Pass
Certificate: BLC-2026-44821

Storage Device B: WD SN740 256GB — SN: WD-2026-44822
Erasure method: NIST 800-88 Purge
Completed: 2026-03-03 at 14:24:31 CET
Verified: Pass
Certificate: BLC-2026-44822

Two drives. Two erasure events. Two verifications. Two certificates. Linked to one device. Linked to one inbound order. Linked to one client. That's the chain. And every link matters, because the auditor will pull any link and expect the rest to follow.

---

The laptop with two SSDs is not an edge case. It's the new normal. And the gap between per-device tracking and per-drive tracking is not a theoretical compliance risk. It's a practical one — the kind that shows up during audits, creates findings, and costs money.

Your auditor can count. The question is whether your system can count the same way.