HECVAT Category
Data Privacy
Data Privacy covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Have you performed a Data Privacy Impact Assesssment for the solution/project?
A Data Privacy Impact Assessment (DPIA) is a structured process to identify and minimize privacy risks in projects that involve personal data processing. This question is asking whether your organization has conducted a formal assessment of how your solution or project might impact individuals' privacy rights.
Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
Transparency toward end users is what's being assessed, specifically whether you provide a privacy notice that explains why personal information is collected, used, retained, and disclosed.
Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
Consent practices are under review here, specifically whether you explain the choices available to individuals and obtain implicit or explicit consent for collecting, using, and disclosing their personal information.
Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?
Purpose limitation is the principle being tested: whether you collect personal information only for the purposes agreed with the institution or stated in your privacy notice.
Do you have a documented list of personal data your service maintains?
A personal data inventory is what's sought here: whether you maintain a documented list of the personal data your service holds. Personal data (also called personally identifiable information or PII) includes any information that can identify an individual, such as names, email addresses, phone numbers, IP addresses, location data, financial information, health information, etc.
Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?
Retention and disposal of personal data are at issue here: whether you keep it only as long as the stated purpose or law requires, then dispose of it appropriately. It's specifically concerned with whether you:
Do you provide individuals with access to their personal information for review and update (i.e., data subject rights)?
Data subject rights are the subject: the question asks whether individuals can access, review, and update the personal information you hold about them. This is a fundamental data privacy right often referred to as 'data subject rights' or 'individual rights'.
Do you disclose personal information to third parties only for the purpose(s) identified in the privacy notice or with the implicit or explicit consent of the individual?
Limits on third-party disclosure are what this examines: whether you share personal information only for purposes named in your privacy notice or with the individual's consent. The disclosure aligns with purposes explicitly stated in your privacy notice/policy, OR
Do you protect personal information against unauthorized access (both physical and logical)?
Protection of personal information is what's under review, covering whether you guard it against unauthorized access through both physical and logical controls.
Do you maintain accurate, complete, and relevant personal information for the purposes identified in the privacy notice?
Data quality under privacy law is the focus, specifically whether you keep personal information accurate, complete, and relevant to the purposes stated in your privacy notice.
Do you have procedures to address privacy-related noncompliance complaints and disputes?
Handling of privacy grievances is the focus: reviewers want documented procedures for addressing privacy-related noncompliance complaints and disputes.
Do you "anonymize," "de-identify," or otherwise mask personal data?
Data minimization techniques are the subject here, namely whether you anonymize, de-identify, or otherwise mask personal data to limit how readily individuals can be identified.
Do you or your subprocessors use or disclose "anonymized," "de-identified," or otherwise masked data for any purpose other than those identified in the agreement with an institution (e.g., sharing with ad networks or data brokers, marketing, creation of profiles, analytics unrelated to services provided to institution)?
Secondary data use is the concern: reviewers want to know whether you or your subprocessors put anonymized or de-identified data to any purpose beyond what the institution's agreement permits, such as ad networks, marketing, or unrelated analytics.
Do you certify stop-processing requests, including any data that is processed by a third party on your behalf?
Stop-processing requests are the focus: whether you can certify that you honor them, including for data handled by third parties acting on your behalf.
Do you have a process to review code for ethical considerations?
Ethical code review is the focus, asking whether you have a formal process for examining code for ethical considerations before release. Ethical code review goes beyond just checking for security vulnerabilities or bugs - it examines whether the code's functionality, algorithms, data handling, and decision-making processes align with ethical principles and values.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

