HECVAT Category
International Privacy
International Privacy covers the controls and questions a vendor must answer about personal data handled outside the institution's home jurisdiction: in particular, whether data is collected from, processed in, or stored in the European Economic Area (EEA) or in China, and whether the vendor meets the obligations that the EU's GDPR and China's PIPL attach to that handling. It sets out the expectations institutions typically place on vendors, helps a reviewer judge the vendor's regulatory risk posture and operational maturity, and gives security reviews a consistent structure.
Assessment Questions
Will data be collected from or processed in or stored in the European Economic Area (EEA)?
This question asks whether your service or system will handle data (collect, process, or store it) within the European Economic Area (EEA), which comprises the EU member states plus Iceland, Liechtenstein, and Norway. Note that "collected from" matters on its own: personal data collected from people in the EEA falls under the GDPR even when it is processed and stored elsewhere, so a "no" here should only be given if none of the three activities touches the EEA.
Do you have a data protection officer (DPO)?
This question asks whether your organization has appointed a Data Protection Officer (DPO), a formal role required by certain privacy regulations, most notably the EU's General Data Protection Regulation (GDPR). Under GDPR Article 37 a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; a vendor that falls outside those cases may legitimately answer that no DPO is required, but should still name who is accountable for privacy compliance.
Will you sign appropriate GDPR Standard Contractual Clauses (SCCs) with the institution?
This question asks whether your company is willing to sign the Standard Contractual Clauses (SCCs) adopted by the European Commission, which are the standard contractual mechanism under GDPR Article 46 for transferring personal data from the EEA to a country without an adequacy decision. The institution is usually the data exporter and the vendor the data importer; the current (2021) clauses are modular, so the parties must select the module that matches their roles (for example controller-to-processor or processor-to-processor) rather than signing a generic template.
Will data be collected from or processed in or stored in China?
This question asks whether your organization collects data from, or processes or stores data in, China. The regulation that makes it relevant is China's Personal Information Protection Law (PIPL), the country's comprehensive data privacy law, which came into effect on November 1, 2021.
Do you comply with PIPL security, privacy, and data localization requirements?
This question asks whether your organization complies with the Personal Information Protection Law (PIPL) of China, which went into effect on November 1, 2021. PIPL is China's comprehensive data privacy law and regulates how organizations collect, store, use, process, transfer, and disclose the personal information of individuals in China. "Data localization" refers to PIPL's requirement that certain operators (critical information infrastructure operators, and processors above volume thresholds set by the Cyberspace Administration of China) keep personal information collected in China within China and pass a government security assessment before exporting it; other exporters must rely on a recognized certification or the CAC standard contract. A vendor answering "yes" should be able to say which of these transfer mechanisms it uses.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.