HECVAT Category
Privacy of Sensitive Data
Privacy of Sensitive Data covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you collect, process, or store demographic information?
Demographic data handling is the subject, namely whether you collect, process, or store demographic information about individuals. Demographic information includes characteristics that describe a population, such as age, gender, ethnicity, education level, religion, geographic location, or occupation.
Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?
Especially sensitive identifiers are the concern: this item asks whether you capture genetic, biometric, or behaviometric data such as fingerprints or facial recognition.
Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?
Data combination practices are under scrutiny here: whether you merge institutional data, including de-identified, anonymized, or masked data, with personal data drawn from other sources. This is a critical privacy question because combining datasets can lead to re-identification of individuals, even when the original institutional data was supposedly anonymized or de-identified.
Is institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?
Data residency is the concern: the question is whether institutional data ever enters or leaves the United States during collection, processing, storage, or archiving. Specifically, it's asking if data is transmitted to or from locations outside the United States during collection (when data is gathered), processing (when data is manipulated or analyzed), storage (where data resides), or archiving (long-term retention).
Do you capture device information (e.g., IP address, MAC address)?
Device-level data collection is what's being asked about, namely whether you capture identifiers like IP and MAC addresses from connecting devices. Device information primarily includes IP addresses (which identify a device on a network) and MAC addresses (a hardware identifier unique to a network interface).
Does any part of this service/project involve a web/app tracking component (e.g., use of web-tracking pixels, cookies)?
Web and app tracking is the subject under review, covering whether your service uses technologies such as tracking pixels or cookies to follow user behavior. Web tracking components include technologies like:
Does your staff (or a third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?
Access to institutional data is the concern here, namely whether your staff or any third party can reach sensitive information such as financial records or PHI through any means. Sensitive institutional data includes personally identifiable information (PII), protected health information (PHI), financial records, student records, research data, or other confidential information.
Will you handle personal data in a manner compliant with all relevant laws, regulations, and applicable institution policies?
A commitment to lawful handling is what's sought here, namely whether you will manage personal data in line with all relevant laws, regulations, and applicable institution policies. Personal data refers to any information that can identify an individual, such as names, addresses, social security numbers, financial information, health records, etc.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

