HECVAT Category
Datacenter
Datacenter covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Select your hosting option.
This is a scoping question about your hosting model, capturing where and how your application's servers and data actually reside. In a security assessment like HECVAT (Higher Education Cloud Vendor Assessment Tool), this information is crucial because different hosting models present different security considerations, risks, and compliance requirements.
Is a SOC 2 Type 2 report available for the hosting environment?
Independent assurance over your hosting environment is what's being requested: whether a SOC 2 Type 2 report is available for the datacenter where your service runs.
Are you generally able to accommodate storing each institution's data within its geographic region?
Data residency drives this question, which probes whether you can keep each institution's data stored within its own geographic region. This is important for several reasons:
Are the data centers staffed 24 hours a day, seven days a week (i.e., 24 x 7 x 365)?
Round-the-clock staffing is what's under review: whether your data centers have personnel physically present every hour of every day with no coverage gaps.
Are your servers separated from other companies via a physical barrier, such as a cage or hard walls?
Physical isolation in the datacenter is what's being verified: whether your servers are separated from other companies' equipment by barriers such as cages or hard walls.
Does a physical barrier fully enclose the physical space, preventing unauthorized physical contact with any of your devices?
Physical containment is what reviewers want evidence of here: a barrier that fully encloses the space and blocks any unauthorized physical contact with your devices.
Are your primary and secondary data centers geographically diverse?
Geographic separation of data centers is the focus: the question asks whether your primary and secondary sites sit in distinct regions to survive localized disasters. Geographic diversity in data centers is a critical aspect of disaster recovery and business continuity planning.
Is the service hosted in a high-availability environment?
Availability is what's being assessed: whether your service runs in a high-availability environment engineered to minimize downtime and disruption. A high-availability (HA) environment includes redundant components, systems, and infrastructure to ensure continuous operation even when individual components fail.
Is redundant power available for all data centers where institutional data will reside?
Power resilience is what's being verified here, specifically whether every data center holding institutional data has redundant power to stay running through an outage.
Are redundant power strategies tested?
Reviewers want evidence that your datacenter's redundant power systems are not just installed but actively tested to confirm they perform when called upon. Redundant power strategies refer to backup power systems like uninterruptible power supplies (UPS), generators, or multiple power feeds that keep your datacenter operational during power outages.
Does the center where the data will reside have cooling and fire-suppression systems that are active and regularly tested?
Environmental controls at the data center are the concern here, specifically whether cooling and fire-suppression systems are not just installed but active and regularly tested.
Do you have Internet Service Provider (ISP) redundancy?
Connectivity resilience is the focus, specifically whether you maintain redundant Internet Service Providers so that one provider's outage does not sever your internet access.
Does every data center where the institution's data will reside have multiple telephone company or network provider entrances to the facility?
Facility resilience is the concern here: assessors want each data center holding the institution's data to have multiple telephone or network provider entrances into the building.
Do you require multifactor authentication for all administrative accounts in your environment?
Privileged-access protection is the concern here: whether multifactor authentication is required for every administrative account across your datacenter environment.
Are you using your cloud provider's available hardening tools or pre-hardened images?
Cloud hardening is the focus, asking whether you take advantage of your cloud provider's hardening tools or pre-hardened images to strengthen your infrastructure.
Does your cloud solution provider have access to your encryption keys?
Key custody in the cloud is the heart of this question, namely whether your cloud provider can reach the encryption keys that protect your data in their environment. Encryption keys are digital credentials that control the ability to decrypt encrypted data. If your CSP has access to these keys, they could potentially decrypt and access your data.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

