Features
Everything it takes to prove a drive is clean
Two sanitization categories, read-back verification, tamper-evident certificates, and safety engineering that assumes the worst — all in one portable console.
Sanitization
Clear and Purge — two standards-defined categories
ProofWipe implements the Clear and Purge sanitization categories defined by NIST SP 800-88. You choose the category per drive; the certificate records exactly which was used.
Clear — overwrite
NIST SP 800-88 Clear
Overwrites user-addressable storage so data cannot be recovered with standard tools.
- Single-pass and multi-pass overwrite methods, including crypto-random patterns (AES-256-CTR keystream)
- Bad-sector handling: unwritable regions are isolated, skipped, and disclosed on the certificate
- Works on any writable drive Windows can address — SATA, NVMe, USB media
Purge — firmware sanitize
NIST SP 800-88 Purge
Uses the drive’s own firmware sanitize commands to render data recovery infeasible even with laboratory techniques.
- ATA SANITIZE and Secure Erase for SATA drives; NVMe Sanitize and Format for NVMe drives
- Hard support detection: drives that are behind USB bridges, frozen by the BIOS, or lacking the capability are greyed out with the reason stated
- Post-sanitize read-back evidence is captured, and the certificate distinguishes Purge from Clear
Not sure which you need? The standards page explains when Clear is sufficient and when Purge is warranted.
Verification
Verified, not assumed
Every wipe is verified by read-back sampling (1%, 10%, or 100%) and documented with a tamper-evident certificate secured by a SHA-256 log hash.
- Sampling always includes the first and last regions of the drive — the classic spots where residual data hides
- Caches are flushed before verification reads, so what’s checked is what’s on the platters or flash — not what’s in RAM
- Sectors skipped as unreadable during the wipe are excluded from verification and disclosed on the certificate
Verification levels
Every level always samples the first and last regions of the drive in addition to the random sample.
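
An added example, not ProofWipe's code: one way to build a read-back sample that always covers the first and last regions and leaves out regions the wipe skipped as unreadable. The 4 KiB region size, the zero-fill pattern, and all function names are assumptions made for this example.

```python
import math
import random

REGION = 4096  # assumed region size in bytes (hypothetical, not from the page)
LEVELS = (1, 10, 100)  # verification levels named on the page

def plan_sample(total_regions, percent, skipped=(), seed=None):
    """Pick region indices to read back: first and last, plus a random sample."""
    if percent not in LEVELS:
        raise ValueError("verification level must be 1, 10 or 100")
    if total_regions < 1:
        raise ValueError("drive has no regions")
    skipped = set(skipped)
    eligible = [r for r in range(total_regions) if r not in skipped]
    if percent == 100:
        return eligible
    # Edge regions are mandatory unless the wipe had to skip them as unreadable.
    edges = {0, total_regions - 1} - skipped
    pool = [r for r in eligible if r not in edges]
    quota = min(len(pool), math.ceil(len(eligible) * percent / 100))
    # Unpredictable sample in real use; a seed is only for repeatable tests.
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    return sorted(edges | set(rng.sample(pool, quota)))

def failed_regions(image, regions):
    """Return the sampled regions whose read-back is not all zeros."""
    return [r for r in regions
            if any(image[r * REGION:(r + 1) * REGION])]

def demo():
    # Constructed drive image: 1000 zero-filled regions, stale bytes at the end.
    image = bytearray(1000 * REGION)
    image[-16:] = b"residual-data!!!"
    plan = plan_sample(1000, 1, skipped={500}, seed=7)
    return plan, failed_regions(image, plan)

if __name__ == "__main__":
    plan, failed = demo()
    print(f"{len(plan)} regions sampled, failed: {failed}")
```

Even at the 1% level the stale bytes in the last region are caught, because the edge regions are not left to chance.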

Sanitization Certificate
NIST SP 800-88 · CSE ITSP.40.006
- Certificate ID: PW-2026-0R7A-4F19-C3E2
- Device: Samsung SSD 870 EVO 1TB
- Serial: S6PTNZ0T4••••••
- Method: Purge — NVMe/ATA firmware sanitize
- Verification: Read-back sampling · 100%
- Result: Success
- Operator: J. Tremblay
- Completed: 2026-06-18 14:22 UTC
- SHA-256 log hash: 9f2c1a7b6e4d0c83a5f1e29d7b4c60a8f3e5d1c927b8a6f40e3d2c1b0a9f8e7d6
Illustrative sample — not a real certificate
Certificates
Documentation auditors can trust
The certificate is the product of the wipe — not an afterthought. Every field an auditor or downstream buyer needs is captured automatically.
- HTML report + PDF certificate from a shared content model — same facts, two formats
- SHA-256 log hash binds the certificate to the wipe log for tamper evidence
- A certificate is generated for every outcome — including cancelled or partial wipes.
- Discloses method, verification level, operator, arming method, BitLocker status, hidden-area findings, and any skipped sectors
An online portal to validate certificate IDs and log hashes is coming soon.
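
An added example, not ProofWipe's code or certificate format: how an auditor holding a certificate and the matching wipe log could recompute the log hash and compare it with the recorded one. It assumes the hash covers the raw bytes of the log file; the field names and sample log lines are constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical field names for disclosures the page says a certificate carries.
REQUIRED = ("method", "verification", "operator", "result", "log_sha256")
HEX = set("0123456789abcdef")

def log_hash(log_bytes):
    """SHA-256 over the raw log bytes, as lowercase hex."""
    return hashlib.sha256(log_bytes).hexdigest()

def check_certificate(cert, log_bytes):
    """Return a list of problems; an empty list means the log matches."""
    problems = [f"missing field: {f}" for f in REQUIRED if not cert.get(f)]
    recorded = str(cert.get("log_sha256", "")).strip().lower()
    if len(recorded) != 64 or not set(recorded) <= HEX:
        problems.append("log hash is not a 64-digit hex SHA-256 value")
    elif not hmac.compare_digest(recorded, log_hash(log_bytes)):
        problems.append("wipe log does not match the hash on the certificate")
    return problems

# Constructed sample log and certificate (not real ProofWipe output).
SAMPLE_LOG = (b"start method=clear passes=1\n"
              b"skip lba=123456 reason=unwritable\n"
              b"verify level=10 result=success\n")
SAMPLE_CERT = {
    "method": "Clear",
    "verification": "10%",
    "operator": "example operator",
    "result": "Success",
    "log_sha256": log_hash(SAMPLE_LOG),
}

def demo():
    # Removing the skipped-sector line from the log must be detected.
    altered = SAMPLE_LOG.replace(b"skip lba=123456 reason=unwritable\n", b"")
    return (check_certificate(SAMPLE_CERT, SAMPLE_LOG),
            check_certificate(SAMPLE_CERT, altered))

if __name__ == "__main__":
    intact, altered = demo()
    print("intact log:", intact or "ok")
    print("altered log:", altered)
```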
Safety
Fail-closed, by engineering — not by checkbox
Fail-closed by design: ProofWipe refuses to touch the system or application disk. A drive is wipeable only when it is positively determined to be safe.
System & app disks are untouchable
The engine positively identifies the Windows system disk and the disk ProofWipe itself runs from (by device number, not drive letter) and refuses to select them. Protection is enforced in the engine — not just greyed out in the UI.
Uncertainty means protected
If a drive’s role can’t be positively determined — unreadable disk, virtual/VHD disk, failed volume mapping — it is treated as protected. Never the other way around.
Two-step arming + confirmation
Each drive must be armed by typing its serial number (or a generated code when the serial is unavailable), then confirmed in a modal before anything destructive happens. Identity is re-validated immediately before the wipe starts, with a hard abort on mismatch.
And more
Built for real decommissioning benches
HPA/DCO hidden-area detection
Some ATA drives hide capacity behind a Host Protected Area or Device Configuration Overlay. ProofWipe detects both at enumeration, warns in the UI, and discloses them on the certificate — noting that an overwrite Clear cannot reach hidden areas, while an ATA SANITIZE Purge does.
Multi-drive parallel batch
Wipe many drives at once with fully isolated per-drive sessions — own locks, progress, cancellation, and certificate. One drive failing or being cancelled never touches another. Per-drive arming is preserved: there is deliberately no “arm all”. System sleep is blocked for the duration of the batch.
BitLocker awareness
BitLocker-encrypted volumes are detected before the wipe and recorded on the certificate — useful chain-of-custody context for drives that were encrypted in service.
Offline by design
No phone-home, no telemetry. Licensing uses offline keys. The app never needs a network connection, which makes it a fit for air-gapped and controlled environments.
Portable, zero-install
One self-contained .exe that runs from a USB stick on Windows 10/11 (Administrator required). No installer, no dependencies, no traces to clean up on the host.
Bootable WinPE edition
Wipe the Windows system disk itself — and sealed devices like Surface — by booting from ProofWipe media. Built from the same engine.
See it on your own bench
The Free tier wipes a single drive with NIST Clear and 10% verification — enough to evaluate the whole workflow end to end.