HECVAT Category
Required Questions
Required Questions covers the controls and questions that belong to this domain of the HECVAT. It outlines the expectations institutions typically hold for vendors, helps assess a vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.
Assessment Questions
Does your solution have AI features, or are there plans to implement AI features in the next 12 months?
This question is asking whether your product or service currently incorporates artificial intelligence (AI) features or if there are plans to add AI capabilities within the next year.
Does your solution process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act (HIPAA)?
This question is asking whether your software solution handles or processes Protected Health Information (PHI), which is a specific category of sensitive health data that is protected under the Health Insurance Portability and Accountability Act (HIPAA).
Is the solution designed to process, store, or transmit credit card information?
This question is asking whether your software solution or service handles credit card information in any way, whether by processing payments, storing card details, or transmitting this data to other systems. Handling cardholder data in any of these ways brings the solution within scope of the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements.
Does your solution have access to personal or institutional data?
This question is asking whether your software solution or service can access, process, store, or transmit sensitive data belonging to individuals or the institution. Personal data includes information that can identify an individual (such as names, addresses, or Social Security numbers) or sensitive information about them (health records, financial details, academic records). Institutional data refers to data owned by the organization that may be confidential or regulated (financial records, research data, and so on).
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: three at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.