PRGN-04

Does your solution process user-provided data that may contain regulated information?

Explanation

This question is asking whether your software solution processes data provided by users that could contain regulated information - meaning information that is subject to legal or regulatory requirements regarding its handling, storage, and protection. Examples of regulated information include personally identifiable information (PII), protected health information (PHI), payment card information (PCI), student records (FERPA), or other sensitive data categories.

The question is being asked in a security assessment to understand your risk profile and compliance obligations. If your solution does process regulated information, you'll need appropriate security controls, data handling procedures, and compliance measures to protect that data according to relevant laws and regulations (like GDPR, HIPAA, PCI DSS, etc.). This helps the assessor understand what level of security scrutiny to apply to your solution and what compliance frameworks might be relevant.

When answering this question, be honest and specific about what types of user-provided data your solution processes and what regulated categories that data might fall into. If you're unsure whether certain data is regulated, it's better to err on the side of caution and identify potential regulated data types. If your solution explicitly prevents or avoids processing regulated data through technical controls or terms of service, explain those safeguards.

Example Responses

Example Response 1

Yes, our solution processes user-provided data that may contain regulated information. Our customer relationship management platform allows users to input and store customer contact details, purchase history, and support interactions. This data typically includes personally identifiable information (PII) such as names, email addresses, phone numbers, and physical addresses that are subject to privacy regulations like GDPR and CCPA. Our platform also has optional fields where healthcare customers might store patient information (PHI) subject to HIPAA regulations. We have implemented appropriate security controls, access restrictions, encryption, and data handling procedures to protect this regulated information in compliance with relevant laws.

Example Response 2

No, our solution is designed specifically to avoid processing regulated information. Our text analysis tool processes document content for readability scoring and stylistic feedback, but our architecture is designed to analyze text without storing or retaining the content after analysis is complete. All processing occurs in memory, and no user-provided content is persisted beyond the immediate session. Additionally, our terms of service explicitly prohibit users from submitting documents containing PII, PHI, or other regulated information, and we provide clear guidance to customers about these limitations. We also employ automated scanning to detect and reject content that appears to contain patterns matching regulated data types such as social security numbers, credit card numbers, or medical record identifiers.
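The "detect and reject" control described in this response can be implemented as a pre-ingestion scanner; the following is an added illustration, not code from ResponseHub or from any respondent, and the sample documents, the SSN range rules and the Luhn check on card numbers are assumptions used to keep false positives down.

```python
import re

# Constructed sample submissions standing in for user-provided documents.
SAMPLE_DOCS = {
    "clean": "Quarterly readability review: sentences average 18 words.",
    "ssn": "Employee record: Jane Q Public, SSN 123-45-6789, start date 2019-03-01.",
    "card": "Refund to card 4111 1111 1111 1111 was approved yesterday.",
    "fake_card": "Order ref 4111 1111 1111 1112 is not a valid card number.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens (typical PAN lengths).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most mistyped or random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Assumed SSA issuance rules: area 000, 666 and 9xx, group 00 and serial 0000 are never issued."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged without storing the value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_for_regulated_data(text: str) -> list:
    """Return (category, masked value) findings; an empty list means nothing matched."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("SSN", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    return findings


def accept_submission(text: str) -> bool:
    """Reject-on-detect policy: the document is processed only when no regulated pattern is found."""
    return not scan_for_regulated_data(text)
```

Pattern matching alone cannot prove the absence of regulated data, so this kind of scanner backs up, rather than replaces, the terms-of-service and no-persistence controls the response describes.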

Example Response 3

Partially. Our project management solution may incidentally process some regulated information, though it's not designed for this purpose. Users can enter free-form text in task descriptions, comments, and attachments which could potentially contain PII such as employee names or contact information. However, our solution is not intended to store sensitive regulated information like PHI, PCI data, or government identification numbers, and our terms of service discourage users from entering such information. We cannot technically prevent all instances of regulated information being entered, so we implement security controls including encryption, access controls, and regular security assessments to protect any user data that might contain regulated information. We recommend customers use our data classification features to properly identify and protect any fields that might contain regulated information in their specific implementation.

Context

Tab: Privacy
Category: General Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub