REQU-08

Does your solution have access to personal or institutional data?

Explanation

This question is asking whether your software solution or service can access, process, store, or transmit sensitive data belonging to individuals or the institution. Personal data includes information that can identify an individual (like names, addresses, social security numbers) or sensitive information about them (health records, financial details, academic records). Institutional data refers to data owned by the organization that may be confidential or regulated (financial records, research data, etc.).

This question is critical in a security assessment because:

1. Data access determines risk level: Solutions that handle sensitive data present higher security risks and require stronger controls.
2. Regulatory compliance: Different types of data are subject to different regulations (HIPAA for health data, FERPA for student records, GDPR for EU citizens' data, etc.).
3. Security requirements: The types of data your solution accesses will determine what security measures are necessary (encryption, access controls, audit logging, etc.).
4. Breach impact assessment: Understanding what data could be compromised helps evaluate the potential impact of a security incident.

When answering this question, you should:

- Be specific about what types of data your solution accesses (if any)
- Explain why this access is necessary for your solution's functionality
- Describe how the data is protected
- Mention any data minimization practices you employ
- Be honest - if you do access sensitive data, acknowledge it and explain your safeguards

Guidance

This includes patient data, student data, employment data, human research data, financial data, etc.

Example Responses

Example Response 1

Yes, our learning management system has access to student data including names, email addresses, student ID numbers, course enrollment information, and academic performance data such as grades and assignment submissions. This access is necessary to provide core functionality including user authentication, course delivery, grade tracking, and academic reporting. All data is encrypted both in transit (using TLS 1.2+) and at rest (using AES-256). Access to this data is strictly controlled through role-based permissions, and all data access is logged and monitored. We maintain compliance with FERPA requirements and have implemented data minimization practices to ensure we only collect and retain the minimum necessary data to provide our services.

Example Response 2

No, our network monitoring solution does not have access to personal or institutional data. Our system only collects technical metadata about network traffic such as IP addresses, port numbers, protocol information, and network performance metrics. We specifically designed our solution to avoid collecting payload data or content that might contain personal information. The system does not integrate with identity management systems, HR databases, financial systems, or any other repositories of personal or institutional data. All collected data is anonymized where possible, and our retention policies ensure that even the limited technical data we collect is not kept longer than necessary for operational purposes.

Example Response 3

Partially. Our document management system has the capability to store any type of document, which could potentially include personal or institutional data if customers choose to upload such content. However, our system itself does not specifically require or request personal data to function. We do not have direct integration with systems containing personal data, but customers may upload documents containing such information. We cannot guarantee that personal data will never be present in our system, as this depends on customer usage. For this reason, we implement strong encryption (AES-256), role-based access controls, and audit logging to protect any sensitive data that may be uploaded. We recommend that customers follow data minimization practices and avoid uploading sensitive personal information unless necessary.

Context

Tab: Privacy
Category: Required Questions

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub