HECVAT Category

International Privacy

International Privacy covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.

Assessment Questions

INTL-01

Will data be collected from or processed in or stored in the European Economic Area (EEA)?

European data jurisdiction is what's at stake here, namely whether data will be collected from, processed in, or stored within the European Economic Area.

INTL-02

Do you have a data protection officer (DPO)?

A Data Protection Officer is the subject here, with reviewers checking whether you have appointed one as required by privacy regulations such as the EU GDPR.

INTL-03

Will you sign appropriate GDPR Standard Contractual Clauses (SCCs) with the institution?

Cross-border transfer safeguards are the focus, asking whether you will sign GDPR Standard Contractual Clauses with the institution to cover personal data leaving the EEA.

INTL-04

Will data be collected from or processed in or stored in China?

Data sovereignty involving China is the concern here: whether any data is collected from, processed in, or stored within China. It specifically references China's Personal Information Protection Law (PIPL), which is China's comprehensive data privacy regulation that came into effect in November 2021.

INTL-05

Do you comply with PIPL security, privacy, and data localization requirements?

China's Personal Information Protection Law sets the bar here, and reviewers want confirmation that you meet its security, privacy, and data localization requirements. PIPL is China's comprehensive data privacy law that regulates how organizations collect, store, use, process, transfer, and disclose personal information of individuals in China.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron