HECVAT Category
General Privacy
General Privacy covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Does your solution process FERPA-related data?
Buyers in education want to confirm whether your solution handles data covered by FERPA, the US federal law protecting the privacy of student education records.
Does your solution process GDPR-related or PIPL-related data?
Two major privacy regimes frame this question, the EU's GDPR and China's PIPL, and whether your solution processes personal data covered by either.
Does your solution process personal data regulated by state law(s) (e.g., CCPA)?
State privacy law exposure is the subject here, specifically whether your solution processes personal data regulated under laws such as the CCPA or comparable statutes in other states.
Does your solution process user-provided data that may contain regulated information?
At issue here is whether your solution processes user-provided data that might contain regulated information subject to legal or regulatory handling requirements. Examples of regulated information include personally identifiable information (PII), protected health information (PHI), payment card information (PCI), student records (FERPA), or other sensitive data categories.
Web Link to Product/Service Privacy Notice
Provide the URL to your product or service's privacy notice, sometimes called a privacy policy. A privacy notice is a public document that explains how your organization collects, uses, shares, and protects personal data. It outlines what data you collect, why you collect it, how long you retain it, and what rights users have regarding their data.
Have you had a personal data breach in the past three years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?
Breach history is what reviewers want surfaced: whether you have had a personal data breach in the last three years that triggered notice to a government agency, to individuals, or to another organization.
Use this area to share information about your privacy practices that will assist those who are assessing your company data privacy program.*
This is an open space to share details about your privacy program that help assessors understand practices not captured by the other questions. It's essentially an open-ended opportunity to share details about your privacy program that demonstrate your commitment to protecting personal data.
Have you had any violations of your internal privacy policies or violations of applicable privacy law in the past 36 months?
A track record on privacy is what's being examined here, namely whether you have had any breaches of internal privacy policies or applicable privacy laws in the past 36 months.
Do you have a dedicated data privacy staff or office?
Reviewers want to confirm whether you have dedicated privacy staff or a dedicated office responsible for data privacy matters. Data privacy refers to the proper handling, processing, storage, and protection of personal and sensitive information.
If you have completed a SOC 2 audit, does it include the Privacy Trust Service Principle?
SOC 2 scope is the focus here, specifically whether a completed SOC 2 audit included the Privacy Trust Service Principle alongside the other criteria.
Do you conform with a specific industry-standard privacy framework (e.g., NIST Privacy Framework, GDPR, ISO 27701)?
Alignment to a recognized privacy framework is the subject, such as the NIST Privacy Framework, GDPR, or ISO 27701, that gives structure to how you manage personal data and privacy risk. Privacy frameworks are standardized approaches that help organizations implement privacy controls, manage data protection, and comply with relevant laws.
Does your employee onboarding and offboarding policy include training of employees on information security and data privacy?
Security and privacy training within the employee lifecycle is the concern here, specifically whether onboarding and offboarding include instruction on information security and data privacy.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

