HECVAT Category

General Privacy

The General Privacy category covers the HECVAT controls and questions that concern the handling of personal data. It outlines the expectations institutions typically have of vendors in this area, helps assess a vendor's privacy risk posture and operational maturity, and gives security reviews a consistent structure for evaluating privacy practices.

Assessment Questions

PRGN-01

Does your solution process FERPA-related data?

This question is asking whether your software solution processes data that falls under the Family Educational Rights and Privacy Act (FERPA), which is a federal law that protects the privacy of student education records in the United States.

PRGN-02

Does your solution process GDPR-related or PIPL-related data?

This question is asking whether your software solution processes personal data that falls under two major privacy regulations: the European Union's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL).

PRGN-03

Does your solution process personal data regulated by state law(s) (e.g., CCPA)?

This question is asking whether your software solution or service processes personal data that falls under the jurisdiction of various state privacy laws, such as the California Consumer Privacy Act (CCPA) or similar laws in other states (like Virginia's CDPA, Colorado's CPA, etc.).

PRGN-04

Does your solution process user-provided data that may contain regulated information?

This question is asking whether your software solution processes data provided by users that could contain regulated information, meaning information that is subject to legal or regulatory requirements regarding its handling, storage, and protection. Examples of regulated information include personally identifiable information (PII), protected health information (PHI), payment card data (subject to PCI DSS), student records (FERPA), or other sensitive data categories.

PRGN-05

Web Link to Product/Service Privacy Notice

This question is asking for the URL(s) to your product or service's privacy notice (sometimes called a privacy policy). A privacy notice is a public document that explains how your organization collects, uses, shares, and protects personal data. It outlines what data you collect, why you collect it, how long you retain it, and what rights users have regarding their data.

PCOM-01

Have you had a personal data breach in the past three years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?

This question is asking whether your organization has experienced a personal data breach in the past three years that was significant enough to require formal notification to governmental agencies, affected individuals, or other organizations.

PCOM-02

Use this area to share information about your privacy practices that will assist those who are assessing your company data privacy program.

This question is asking you to provide additional information about your organization's privacy practices that might not be covered by other HECVAT questions. It's essentially an open-ended opportunity to share details about your privacy program that demonstrate your commitment to protecting personal data.

PCOM-03

Have you had any violations of your internal privacy policies or violations of applicable privacy law in the past 36 months?

This question is asking whether your organization has experienced any breaches or violations of either your internal privacy policies or applicable privacy laws (such as GDPR, CCPA, HIPAA, etc.) within the past three years.

PCOM-04

Do you have a dedicated data privacy staff or office?

This question is asking whether your organization has dedicated personnel or a department specifically responsible for data privacy matters. Data privacy refers to the proper handling, processing, storage, and protection of personal and sensitive information.

PDOC-01

If you have completed a SOC 2 audit, does it include the Privacy Trust Service Principle?

This question is asking whether your organization's SOC 2 audit specifically included the Privacy Trust Service Principle.

PDOC-02

Do you conform with a specific industry-standard privacy framework (e.g., NIST Privacy Framework, GDPR, ISO 27701)?

This question is asking whether your organization follows a recognized privacy framework that provides structured guidance for managing personal data and privacy risks. Privacy frameworks are standardized approaches that help organizations implement privacy controls, manage data protection, and comply with relevant laws.

PDOC-03

Does your employee onboarding and offboarding policy include training of employees on information security and data privacy?

This question is asking whether your organization's process for bringing on new employees (onboarding) and processing departing employees (offboarding) includes specific training components related to information security and data privacy.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses, 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub