DCTR-01

Select your hosting option.

Explanation

This question is asking about where and how your application or service is hosted - essentially, where your servers and data physically or virtually reside. In a security assessment like HECVAT (Higher Education Cloud Vendor Assessment Tool), this information is crucial because different hosting models present different security considerations, risks, and compliance requirements.

The hosting option directly impacts:

1. Data sovereignty (which country/jurisdiction laws apply to your data)
2. Physical security controls (who has physical access to servers)
3. Shared responsibility models (what security aspects you control vs. what your provider handles)
4. Compliance scope (which regulations apply based on hosting location)
5. Disaster recovery capabilities

Your answer to this question will determine which follow-up questions are relevant in the assessment. For example, if you select a public cloud provider, you'll likely need to answer questions about how you secure that environment, while if you select on-premises, you'll need to address physical security controls.

When answering, be specific about your hosting model. Common options include:

- Public cloud (AWS, Azure, GCP, etc.)
- Private cloud (dedicated infrastructure)
- Hybrid cloud (combination of public and private)
- On-premises (your own data centers)
- Colocation (renting space in a third-party data center)
- SaaS provider's infrastructure

If you use multiple hosting options for different components, select "Other" and provide details on your specific arrangement.

Guidance

If you are using an option not listed, or a combination of options, select "Other." Your selection here will determine which questions below are required.

Example Responses

Example Response 1

Our application is hosted entirely on Amazon Web Services (AWS) public cloud infrastructure. We utilize multiple AWS regions (US-East-1 and US-West-2) for redundancy and disaster recovery purposes. All production data resides within these AWS environments, which are SOC 2 Type II and ISO 27001 certified. We do not maintain any on-premises servers or use any other cloud providers for this service.

Example Response 2

We operate a hybrid cloud model. Our core application and database servers are hosted in our private cloud environment within Equinix colocation facilities in Chicago and Dallas, while our content delivery, email services, and development environments leverage Microsoft Azure public cloud services. Customer data is primarily stored in our private cloud infrastructure, with only cached and temporary processing data residing in Azure. Both environments maintain separate but complementary security controls aligned with our overall security program.

Example Response 3

Currently, our solution is hosted on-premises in our company-owned data center located in Phoenix, AZ. While we are in the process of evaluating cloud migration options with several providers including Google Cloud Platform, we have not yet implemented any cloud hosting components. This means we maintain full responsibility for all physical and environmental security controls, power redundancy, cooling, and network infrastructure. We recognize this doesn't provide the same level of geographic redundancy as cloud solutions, which is why we're exploring hybrid options for the future.

Context

Tab: Infrastructure
Category: Datacenter
