/ R2v3 · ADISA · GDPR
One platform. Every certification surface.
ITAD processors and enterprise IT teams routinely face four-to-six overlapping certifications: R2v3, ADISA, GDPR, HIPAA, SOX, PCI-DSS, ISO 27001, e-Stewards. Stenfox Orion was designed so that one platform produces the evidence each one requires — without re-keying data, without divergent certificate formats, without compliance Mondays.
What you get
R2v3 (SERI)
Orion's chain-of-custody record and signed wipe certificate cover R2v3 Core Requirement 5 (Data Security) and Process Requirement 8 (Sanitization). Auditor pulls one record, not five.
ADISA
Orion aligns with the ADISA ICT Asset Recovery Standard. Risk-graded destruction methods, verification per device, and tamper-evident records are baked into the lane.
GDPR Article 17
Right to erasure is a verifiable record, not a written promise. Orion's signed certificate is admissible evidence for data-subject erasure requests.
HIPAA disposal
45 CFR §164.310(d)(2)(i) requires documented destruction of ePHI. Orion's per-device certificate maps directly to the rule.
SOX & PCI-DSS
Disposal controls tied to fixed-asset records. Orion ties serial → asset tag → erasure cert → disposition in one queryable trail.
ISO 27001 / 27040
Annex A.8.10 and ISO 27040 secure-disposal controls. Orion produces the artifact your ISMS auditor expects.
/ FAQ
Frequently asked questions
Is Stenfox Orion R2v3 certified?
Orion aligns with R2v3 and is deployed inside R2v3-certified ITAD processors as the in-lane erasure and chain-of-custody system that supports their certification. R2v3 is a facility-level certification, not a software certification — Orion provides the evidence the auditor reviews.
Does Orion meet ADISA requirements?
Yes. Orion implements the ADISA risk-graded approach: method selection per device class and per data sensitivity, verification on every device, and a tamper-evident record. ADISA ICT Asset Recovery audits accept Orion's certificate as evidence of compliant sanitization.
How does Orion support GDPR right-to-erasure requests?
When a data subject exercises Article 17 rights and a device is the locus of the data, Orion produces a signed certificate that records the destruction with sufficient detail to satisfy the controller's accountability obligation under Article 5(2). The certificate is exportable for the data subject's records.
Can the certificate be used in a HIPAA / SOX / PCI-DSS audit at the same time?
Yes. The certificate is a single artifact that satisfies the disposal-control evidence each of these requires. SOX teams use it to evidence proper disposal of asset-register items; HIPAA covered entities use it to evidence ePHI destruction; PCI-DSS environments use it to evidence cardholder-data-environment device retirement.
What about ISO 27001 Annex A.8.10 and ISO/IEC 27040?
Orion's record is the artifact your ISMS auditor expects when reviewing secure-disposal controls. The method, verification result and chain of custody match the ISO 27040 framework, and the certificate is acceptable evidence under Annex A.8.10 of ISO 27001:2022.
/ Ready when you are
See Orion run a real lane.
A 30-minute working demo on your own device mix — phones, laptops, drives, anything. Bring your hardest unit.