HECVAT Category
Required Questions
Required Questions covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Does your solution have AI features, or are there plans to implement AI features in the next 12 months?
Reviewers want to know whether your product already ships AI capabilities or has them on the roadmap within the next twelve months.
Does your solution process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA scope is what's being established: whether your solution processes Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act.
Is the solution designed to process, store, or transmit credit card information?
At issue is whether the solution is designed to process, store, or transmit credit card information in any way. This falls under Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.
Does your solution have access to personal or institutional data?
Data exposure is what this question establishes, asking whether your solution can access, process, store, or transmit personal or institutional data at all. Personal data includes information that can identify an individual (like names, addresses, social security numbers) or sensitive information about them (health records, financial details, academic records). Institutional data refers to data owned by the organization that may be confidential or regulated (financial records, research data, etc.).
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

