HECVAT Category
Privacy of Third Parties
Privacy of Third Parties covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you have contractual agreements with third parties that require them to maintain standards and to comply with all regulatory requirements?
Contractual flow-down of obligations is what reviewers want to confirm: whether your agreements with third parties require them to uphold security standards and meet all applicable regulatory requirements.
Do you perform privacy impact assesments of third parties that collect, process, or have access to personal data to ensure they meet industry and regulatory standards and to mitigate harmful, unethical, or discriminatory impacts on data subjects?
Third-party privacy diligence is the focus: reviewers want to know whether you run privacy impact assessments on parties that collect, process, or access personal data to ensure they meet standards and avoid harmful or discriminatory outcomes. A privacy impact assessment is a systematic process to evaluate how a third party collects, processes, stores, and shares personal data, and to identify potential privacy risks or compliance issues.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

