HECVAT Category

Privacy and AI

The Privacy and AI category covers the HECVAT controls and questions about a vendor's use of artificial intelligence and its handling of institutional data. It outlines the expectations institutions typically place on vendors in this domain, helps assess a vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.

Assessment Questions

DPAI-01

Does your service use AI for the processing of institutional data?

This question is asking whether your service incorporates artificial intelligence (AI) technologies to process data that belongs to the institution conducting the assessment. 'Processing' in this context refers to any operation performed on data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or any other form of handling.

DPAI-02

Is any institutional data retained in AI processing?

This question is asking whether your AI systems store or keep any data from the educational institution during or after processing. 'Institutional data' refers to any information owned by or pertaining to the institution, which could include student records, research data, administrative information, or other sensitive data.

DPAI-03

Do you have agreements in place with third parties or subprocessors regarding the protection of customer data and use of AI?

This question is asking whether your organization has formal agreements with any third parties or subprocessors that specifically address how customer data is protected when used in AI systems. As AI systems often require large amounts of data for training and operation, there are specific privacy and security concerns about how this data is handled.

DPAI-04

Will institutional data be processed through a third party or subprocessor that also uses AI?

This question is asking whether your organization will be sending institutional data (data belonging to the educational institution) to any third-party vendors or subprocessors that utilize artificial intelligence in their operations.

DPAI-05

Is AI processing limited to fully licensed commercial enterprise AI services?

This question is asking whether your organization restricts its artificial intelligence (AI) processing to only using fully licensed commercial enterprise AI services, as opposed to using open-source AI models, custom-built AI solutions, or consumer-grade AI services.

DPAI-06

Will institutional data be used or processed by any shared AI services?

This question is asking whether your product or service will use any institutional data (data belonging to the educational institution) with shared AI services. 'Shared AI services' typically refers to third-party AI platforms like OpenAI's ChatGPT, Google's Vertex AI, Microsoft Azure AI, or similar services where the AI models are hosted and maintained by another company.

DPAI-07

Do you have safeguards in place to protect institutional data and data privacy from unintended AI queries or processing?

This question is asking whether your organization has implemented measures to prevent institutional data from being inadvertently exposed to or processed by artificial intelligence systems in ways that could compromise privacy or security.

DPAI-08

Do you provide choice to the user to opt out of AI use?

This question is asking whether your organization gives users the ability to decline or opt out of artificial intelligence (AI) features or processing within your product or service.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub