Publish date
April 16, 2026

The HECVAT 4 questionnaire is an effective means of determining how safe your student data is in the hands of your vendors.

Use this HECVAT template to understand the scope of questions covered in a typical HECVAT assessment. For brevity, the template on this page has been cut short. For the complete version, download our HECVAT 4 questionnaire template.

Sample answers are provided as a guide for the minimum level of detail expected in each response.

General Information (GNRL)

  • Solution provider name: [Company Name, e.g., SecureData Systems Inc.]
  • Solution name: [Product Name, e.g., CloudPortal 360]
  • Solution description: A cloud-based project management platform designed for higher education research teams.
  • Solution provider contact name: Jane Doe
  • Solution provider contact title: Director of Information Security
  • Solution provider contact email: security@company.com
  • Solution provider contact phone number: +1-555-0199
  • Country of company headquarters: United States
  • Employee work locations (all): United States, Canada, and remote employees in the UK.

Compliance (COMP)

  • Software and development team: Yes, we maintain dedicated teams for product development, QA, and customer support.
  • Structure and size: Our team consists of 45 engineers organized into agile squads, including 5 dedicated to security and 10 to product management.
  • Business background: Founded in 2015, we are a privately held subsidiary of Global Tech Holdings.
  • Unplanned disruptions: No unplanned disruptions exceeding our 99.9% SLA have occurred in the last 12 months.
  • Dedicated security staff: Yes, we have a formal Chief Information Security Officer (CISO) and a dedicated InfoSec office.
  • Security office description: Our office includes 6 full-time staff members specializing in cloud security, compliance, and incident response.
  • Environment sharing: Our environment is hosted entirely on AWS using a multi-tenant architecture with logical data separation.

Requirements (REQU)

  • Product vs. Service: We offer a Software-as-a-Service (SaaS) platform.
  • Interface: Yes, the solution is accessed via a web-based dashboard and a mobile application.
  • Consulting services: Yes, we offer optional implementation and data migration consulting services.
  • AI features: Yes, we currently utilize AI for automated data tagging and plan to add generative summary features in Q4.
  • PHI/HIPAA data: No, the solution is not designed to process Protected Health Information (PHI).
  • Credit card info: No, we do not store or transmit credit card data; all payments are handled via Stripe.
  • Appliance/Firewall exceptions: No, the solution is 100% cloud-native and does not require on-premises hardware.
  • Personal/Institutional data: Yes, the solution processes user names, institutional email addresses, and research metadata.

Documentation (DOCU)

  • Business Continuity Plan (BCP): Yes, we have a documented BCP owned by our COO and tested annually every June.
  • Copy of BCP: Available upon request under an active Non-Disclosure Agreement (NDA).
  • Disaster recovery plan (DRP): Yes, a formal DRP is in place with a Recovery Time Objective (RTO) of 4 hours.
  • Copy of DRP: Available upon request under NDA.
  • SSAE 18/SOC 2 audit: Yes, we have successfully completed a SOC 2 Type II audit.
  • Latest SOC 2 report: We can provide our most recent report (dated [Month/Year]) via our secure document portal.
  • Security framework: We conform to the NIST Cybersecurity Framework (CSF) and ISO 27001 standards.
  • Framework documentation: Our ISO 27001 certification and NIST alignment matrix are available for review.
  • Architecture diagrams: Yes, we maintain comprehensive data flow and system architecture diagrams.
  • Copy of architecture diagrams: High-level diagrams are included in our security package; detailed versions are available via screen-share.

Third-Party Management (THRD)

  • Security assessments: Yes, all third-party vendors undergo a security assessment prior to onboarding and annually thereafter.
  • Practices summary: We use a standardized risk assessment (SIG Lite) and require SOC 2 reports from all critical sub-processors.
  • Contractual language: Yes, our Master Service Agreement (MSA) includes strict data protection and access clauses for all sub-processors.
  • Third-party list: [AWS - Hosting], [Okta - Identity], [SendGrid - Email Notifications].
  • Liability for breach: Yes, our contracts require third parties to indemnify the company for breaches caused by their negligence.
  • Management strategy: We maintain a centralized vendor risk management (VRM) program to monitor third-party compliance.
  • Environment context: Our environment relies heavily on AWS native services, ensuring inherited compliance with major standards.
  • Hardware supply chain: We do not manufacture hardware; all corporate laptops are sourced from authorized Apple/Dell distributors.
  • Compliant regions: Our supply chain processes are compliant with US and EU trade regulations.

Change Management (CHNG)

  • Notification of changes: Yes, clients are notified via email 30 days prior to any major environment changes.
  • Notification method: Notifications are sent via our "Status Page" and direct emails to designated technical contacts.
  • Client customizations: No, our SaaS platform is standardized to ensure stability across all releases.
  • Customization strategy: We use feature flags to allow users to toggle specific new capabilities without breaking core workflows.
  • Configuration management: Yes, we use Infrastructure as Code (Terraform) to maintain secure, version-controlled "gold" images.
  • Management process: Our process includes automated linting and security scanning for all configuration changes.
  • Documented change process: Yes, all changes follow a formal "Request-Test-Approve-Deploy" workflow.
  • Current process summary: Changes are tracked in Jira, requiring peer review and QA sign-off before production deployment.
  • Authorization and testing: Yes, all changes require impact analysis and must pass in a staging environment before production.
  • Procedures implemented: (a) Impact analysis performed; (b) Authorized by Tech Lead; (c) Tested in UAT; (d) Limited to DevOps personnel.

Privacy & Policy Procedures (PPPR)

  • Patch management: Yes, we have a documented policy requiring critical patches to be applied within 48 hours.
  • Institutional policy compliance: Yes, we can comply with standard institutional privacy and data protection requirements.
  • Policy review: We have reviewed the provided IT policies and confirm our ability to meet the stated standards.
  • Geographic laws: Yes, we are subject to US Federal and [State] laws.
  • Encryption standards: Yes, we utilize industry-standard TLS 1.2+ and AES-256 encryption.
  • Systems development life cycle (SDLC): Yes, our SDLC incorporates security checkpoints at every stage (Shift-Left security).
  • SDLC summary: Our SDLC includes requirement analysis, secure coding training, code review, and automated testing.
  • Background screenings: Yes, all employees undergo criminal and employment background checks prior to hiring.
  • Background check practices: We utilize a third-party service to conduct multi-state criminal and social media screenings.
  • New employee agreements: Yes, all employees sign NDAs and Acceptable Use Policies on their first day.

Authentication, Authorization & Identity (AAAI)

  • SSO support: Yes, we support SAML 2.0 and OIDC for single sign-on.
  • Authentication enforcement: We enforce complex passwords (12+ characters) and require MFA for all administrative accounts.
  • Local authentication: Yes, local authentication is available as a fallback, utilizing bcrypt hashing for passwords.
  • Local mode practices: Local accounts are restricted to emergency use only and are monitored for brute-force attempts.
  • Complexity requirements: Yes, admins can configure minimum length and special character requirements.
  • Complexity implementation: Requirements are enforced at the application layer during account creation or password reset.
  • Complexity limitations: We support passwords up to 64 characters with no restrictions on special characters.
  • Reset procedures: Yes, we use secure, time-limited email tokens for self-service password resets.
  • Reset description: Users receive a unique link via email that expires after 15 minutes; all resets are logged.
  • InCommon/eduGAIN: Yes, we are a registered member of the InCommon Federation.
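The local-authentication and password-reset answers above (hashed local passwords, time-limited single-use reset links that expire after 15 minutes, every reset logged) describe a mechanism an assessor may ask to see in code. The following is an added example written for this page, not the vendor's or HECVAT's own code; it substitutes the standard-library scrypt KDF for the bcrypt named in the sample answer so it runs without third-party packages, stores only a SHA-256 digest of each reset token, and takes an injectable clock (an assumption made so expiry can be tested).

```python
import hashlib
import hmac
import logging
import secrets
import time

log = logging.getLogger("password_reset")

RESET_TOKEN_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # memory-hard KDF settings


def hash_password(password: str) -> str:
    """Return a salted scrypt hash in the form scrypt$<salt hex>$<digest hex>."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class ResetTokenStore:
    """Issues and redeems single-use, time-limited password reset tokens.

    Only a SHA-256 digest of each token is kept, so a copy of the store
    cannot be replayed as a reset link.  The clock is injectable so the
    expiry path can be exercised in tests (an assumption of this example).
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens: dict[str, tuple[str, float]] = {}   # digest -> (user, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a token for user_id; the raw value goes into the e-mailed link."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + RESET_TOKEN_TTL_SECONDS
        self._tokens[self._digest(token)] = (user_id, expires_at)
        log.info("reset token issued user=%s ttl=%ss", user_id, RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, user_id: str) -> bool:
        """Consume the token; unknown, reused, expired or mismatched tokens all fail."""
        entry = self._tokens.pop(self._digest(token), None)   # single-use: always removed
        if entry is None:
            log.warning("reset rejected user=%s reason=unknown_or_reused", user_id)
            return False
        owner, expires_at = entry
        if self._clock() > expires_at:
            log.warning("reset rejected user=%s reason=expired", user_id)
            return False
        if not hmac.compare_digest(owner.encode("utf-8"), user_id.encode("utf-8")):
            log.warning("reset rejected user=%s reason=user_mismatch", user_id)
            return False
        log.info("reset accepted user=%s", user_id)
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    store = ResetTokenStore()
    stored_hash = hash_password("correct-horse-battery")   # constructed sample secret
    link_token = store.issue("jane.doe")
    if store.redeem(link_token, "jane.doe") and verify_password("correct-horse-battery", stored_hash):
        print("reset link accepted and password verified")
```

The token is removed from the store before any other check runs, so a reused link fails even when it has not yet expired, and every rejection path writes a log line with its reason, which is the evidence the "all resets are logged" answer refers to.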

Data Security & Storage (DATA)

  • Publicly routable IPs: No, all database and file servers are located in private subnets with no public IP addresses.
  • Transport encryption: Yes, all data in transit is encrypted using TLS 1.2 or higher.
  • Transport strategy: We enforce HSTS (HTTP Strict Transport Security) to ensure all connections are secure.
  • Storage encryption: Yes, all data at rest is encrypted using AES-256.
  • Encryption strategy: We utilize AWS KMS for managed key rotation and full-disk encryption for all volumes.
  • FIPS conformity: Yes, our cryptographic modules are FIPS 140-2 compliant.
  • FIPS certificates: Available upon request.
  • Data availability post-contract: Yes, data remains available for 90 days following contract termination.
  • Retention length: Data is accessible for 90 days, after which it is securely purged from our systems.
  • Acquisition/Bankruptcy rights: Yes, data ownership and return rights are maintained regardless of company status.

Application Security (APPL)

  • Access controls: Yes, we utilize Role-Based Access Control (RBAC) for all user accounts.
  • Available roles: Standard roles include Administrator, Editor, Viewer, and Auditor.
  • Web application firewall (WAF): Yes, we utilize AWS WAF to protect against common web exploits.
  • WAF description: Our WAF is configured to block OWASP Top 10 threats, including SQLi and XSS.
  • Supported libraries: Yes, we only use libraries that are actively maintained and receiving security updates.
  • Dependency list: A full Software Bill of Materials (SBOM) is available for review under NDA.
  • Location/GPS data: No, the application does not require or collect GPS data.
  • Separation of duties: Yes, administrative tasks are split between "System Admins" and "Security Officers."
  • Separation reference: Our internal policy prevents the same individual from both requesting and approving production access.
  • Static code analysis: Yes, we use SonarQube and Snyk for static analysis in our CI/CD pipeline.

Data Center & Hosting (DCTR)

  • Hosting option: Public Cloud (Amazon Web Services).
  • SOC 2 Type 2 for hosting: Yes, AWS SOC 2 reports are available through the AWS Artifact portal.
  • Obtaining the report: We can provide a copy of the AWS SOC 3 report or facilitate access to the SOC 2.
  • Geographic storage: Yes, we can host data in the AWS US-East or EU-Central regions as required.
  • Staffed 24x7: Yes, AWS data centers are physically guarded and monitored 24/7/365.
  • Staff capabilities: On-site staff manage physical security, power, and cooling; they do not have logical access to our data.
  • Physical barrier: Yes, servers are housed in locked racks within secure, limited-access cages.
  • Barrier strategy: We utilize a "Zero Trust" physical model with biometric access and video surveillance.
  • Enclosed space: Yes, the physical space is fully enclosed and requires multi-factor physical authentication to enter.
  • Geographically diverse centers: Yes, our primary and secondary zones are located in separate AWS Availability Zones.

Firewalls & Intrusion Detection (FIDP)

  • SPI firewall: Yes, we utilize stateful security groups and network ACLs.
  • SPI description: Our firewalls are configured with a "deny-all" default stance, allowing only necessary ports (443).
  • Change request policy: Yes, all firewall changes must be requested via Jira and approved by the Security Lead.
  • Policy description: Changes require a business justification and a peer review of the proposed rule.
  • Network IDS: Yes, we use AWS GuardDuty for network-based threat detection.
  • IDS description: GuardDuty monitors VPC flow logs and DNS logs for suspicious activity.
  • Host-based IDS: Yes, we utilize [Tool Name, e.g., CrowdStrike] for host-based monitoring.
  • HIDS description: Agents are installed on all production instances to detect anomalous processes.
  • Audit logs: Yes, all network and firewall changes are logged in AWS CloudTrail.
  • Logging strategy: Logs are streamed to a centralized, write-once S3 bucket for 365-day retention.

Incident Response (HFIH)

  • Formal IR plan: Yes, we maintain a comprehensive Incident Response Plan (IRP).
  • IRP link: Available in our customer security portal.
  • Internal/External team: We have an internal team and a 24/7 retainer with a third-party forensics firm.
  • Process summary: Our process includes Detection, Containment, Eradication, Recovery, and Post-Mortem.
  • 24/7 Response: Yes, our on-call rotation ensures 24/7/365 coverage for security incidents.
  • Internal approach: We utilize automated PagerDuty alerts to notify the on-call security engineer immediately.
  • Cyber-risk insurance: Yes, we carry a comprehensive cyber insurance policy.
  • Coverage description: Our policy covers up to $5M for data breach response, forensics, and business interruption.

Vulnerability Management (VULN)

  • Vulnerability scanning: Yes, we perform authenticated scans using [Tool, e.g., Nessus] before every release.
  • Brief description: Scans cover the OS, middleware, and application layers to ensure no high-risk vulnerabilities are present.
  • Provide scan results: We can provide a high-level summary of our latest vulnerability scan.
  • Scan documentation: Our quarterly "Vulnerability Management Report" can be shared upon request.
  • Customer testing: Yes, we allow annual customer pentesting with 30 days' prior notice and a signed Rules of Engagement.
  • Testing setup: Customers must coordinate with our DevOps team to whitelist their testing IPs.
  • Third-party assessment: Yes, a full third-party penetration test is conducted annually.
  • Assessment results: The executive summary of our last pentest (dated [Month/Year]) is available for review.
  • Common web scans: Yes, we scan for the OWASP Top 10 weekly using [Tool, e.g., Burp Suite].
  • External scans: Yes, our public endpoints are scanned daily from external networks.

Accessibility (ITAC)

  • Contact Name: Alex Smith
  • Contact Title: Accessibility Coordinator
  • Contact Email: accessibility@company.com
  • Contact Phone Number: +1-555-0122
  • Accessibility Link: https://company.com/accessibility
  • VPAT Created/Updated: Yes, a VPAT for version 3.0 was completed in January 2026.
  • VPAT Date: January 15, 2026. (Copy attached to this submission).
  • Contractual agreement: Yes, we agree to maintain WCAG 2.1 AA compliance as a contractual commitment.
  • Substantial conformance: Yes, the product conforms to WCAG 2.1 AA standards.
  • Reporting process: Yes, accessibility bugs are prioritized in our Jira backlog and tracked to resolution.

Consulting Services (CONS)

  • Network access: Only if requested for specific integration tasks; typically performed via screen-share.
  • Data handling training: Yes, all consultants undergo HIPAA and PCI-DSS data handling training.
  • Encryption at rest: Yes, consultants are required to use encrypted company-issued laptops.
  • IP restriction: Yes, we can restrict consultant access to specific institutional IP ranges.
  • On-premises: No, consulting is typically performed remotely via secure VPN.
  • Hardware access: No, consultants do not require access to physical data center hardware.
  • Domain account: No, we prefer to use a guest account with limited permissions.
  • Data transfer: No, data remains within the institutional environment unless explicitly approved.
  • Remote access: Yes, remote access is facilitated via a secure, logged VPN connection.

HIPAA Compliance (HIPA)

  • Workforce training: Yes, all employees complete annual HIPAA Privacy and Security training.
  • Areas of risk: We have identified data storage and unauthorized access as our primary risk areas.
  • Policy testing: Yes, our HIPAA policies are reviewed and tested during our annual internal audit.
  • Subcontractor BAAs: Yes, we maintain BAAs with all subcontractors who have access to sensitive systems.
  • Regulation monitoring: Yes, our legal team monitors HHS/OCR updates for changes in HIPAA rules.
  • Privacy/Security Officers: Yes, our CISO serves as the Security Officer and our Legal Counsel as the Privacy Officer.
  • HITECH compliance: Yes, we are fully compliant with HITECH notification and security requirements.
  • Risk analysis: Yes, a formal HIPAA Risk Analysis is conducted annually.
  • Risk mitigation: We have implemented MFA and database encryption to mitigate identified risks.
  • 90-day password change: Yes, our system enforces password rotation every 90 days for administrative accounts.

PCI DSS (PCID)

  • Attestation of Compliance (AoC): Yes, our current AoC was executed in October 2025.
  • PA-DSS listed: Not applicable, as we are a service provider and do not sell a payment application.
  • Third party for payment: Yes, we use Stripe for all credit card processing.
  • Store/Process/Transmit data: No, we do not store, process, or transmit full credit card numbers.
  • PCI DSS Compliant: Yes, we are compliant as a Level 1 Service Provider.
  • Service provider classification: Yes, we are classified as a Service Provider.
  • Visa approved list: Yes, we are listed on the Visa Global Registry of Service Providers.
  • Merchant classification: We are a Level 2 Merchant.
  • Transaction architecture: The application uses "Stripe Elements" to send data directly from the client to the processor.
  • Supported gateways: Currently, we exclusively support Stripe and PayPal.

Operations Management (OPEM)

  • RBAC for admins: Yes, we use role-based access to limit administrative functions.
  • RBAC description: Roles are granular, separating "Billing Admin" from "Technical Admin."
  • Remote access: No, employees only access customer instances via an authorized management portal.
  • Architecture diagrams: Yes, a full communications architecture diagram is available under NDA.
  • Remote management: No, we do not require ongoing remote management of institutional hardware.
  • Logged actions: Yes, all support actions are logged and available for review in the customer audit portal.
  • Log availability: Audit logs are provided in real-time via the "Admin Logs" section of the dashboard.
  • FERPA compliance: Yes, we treat all institutional data as protected under FERPA guidelines.
  • FERPA integration: Our staff is trained on FERPA, and we sign a "School Official" addendum when required.
  • SNMPv3 monitoring: Yes, we support status monitoring via standard API and SNMPv3.

AI & Machine Learning (AI-Specific)

  • Machine learning use: Yes, we use ML for anomaly detection and user behavior analysis.
  • LLM use: Yes, we utilize a Large Language Model (GPT-4o) for our support chatbot.
  • AI risk model: Yes, we follow the NIST AI Risk Management Framework (RMF).
  • Disabling AI features: Yes, administrators can disable AI features at the tenant level.
  • Responsible AI training: Yes, all developers working on AI features have completed ethics and safety training.
  • Capabilities description: AI is used for data summarization, natural language search, and predictive maintenance.
  • Business rules for data: Yes, we use "Data Guard" rules to prevent sensitive fields from being sent to the AI model.
  • Risks posted/clear: Yes, our AI Usage Policy is publicly available and strictly enforced.
  • Identified risks: We have identified "Hallucination" and "Data Leakage" as high risks and implemented mitigations.
  • Timely disabling: Yes, AI features can be disabled instantly via a global kill-switch.

Privacy Regulations & Data Handling

  • FERPA data: Yes, the system is designed to handle student education records securely.
  • GDPR/PIPL data: Yes, we provide full compliance with GDPR (EU) and PIPL (China) requirements.
  • State laws (CCPA): Yes, we comply with CCPA/CPRA requirements for California residents.
  • User-provided data: Yes, users may upload files that contain regulated information.
  • Privacy notice link: https://company.com/privacy-notice
  • Personal data breach: No, we have had no reportable data breaches in the past three years.
  • Breach documentation: Not applicable.
  • Privacy practices sharing: We utilize "Privacy by Design" and conduct annual Privacy Impact Assessments (PIAs).
  • Privacy violations: No, we have had no policy or law violations in the last 36 months.
  • Breach documentation: Not applicable.

Privacy and AI (DPAI)

  • AI for processing: Yes, we use AI to help categorize and tag institutional data for better searchability.
  • Data retention in AI: No, we utilize "zero-retention" APIs for all third-party AI processing.
  • Third-party agreements: Yes, we have BAAs and data protection addendums (DPAs) with our AI providers.
  • Subprocessor AI: Yes, our hosting provider (AWS) uses AI for infrastructure monitoring and security.
  • Enterprise AI services: Yes, we only use fully licensed, enterprise-grade AI services with strict privacy controls.
  • Shared AI services: No, your institutional data is never used to train shared or public AI models.
  • Unintended query safeguards: Yes, we use a prompt-injection filter and PII-stripping middleware.
  • User opt-out: Yes, individual users can opt out of using AI-powered features in their profile settings.
  • Supporting documentation: Our SOC 2 report, ISO 27001 certificate, and AI Safety Policy are attached.
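Two answers above describe the same control from different angles: the "Data Guard" rules that keep sensitive fields out of the AI model (AI & Machine Learning section) and the prompt-injection filter with PII-stripping middleware (DPAI section). The following is an added example for this page, not the vendor's or HECVAT's own code; the blocked field names, the regular expressions and the phrase list are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Fields never forwarded to the model (assumed names for this example).
BLOCKED_FIELDS = {"ssn", "date_of_birth", "home_address", "student_id"}

# Free-text patterns replaced before the text leaves the tenant boundary.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Phrases that commonly signal an instruction-override attempt.  A keyword list is
# a coarse first filter, not a complete defence, so matches are flagged for review
# rather than treated as proof of malice.
INJECTION_PHRASES = (
    "ignore previous instructions",
    "ignore all prior instructions",
    "disregard your system prompt",
    "reveal your system prompt",
)


@dataclass
class GuardResult:
    payload: dict                                        # what may be sent onward
    dropped_fields: list = field(default_factory=list)   # blocked keys removed
    redactions: dict = field(default_factory=dict)       # pattern name -> count
    injection_flags: list = field(default_factory=list)  # "field: phrase" hits


def redact_text(text: str) -> tuple[str, dict]:
    """Replace each PII pattern with a labelled placeholder and count replacements."""
    counts = {}
    for name, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{name.upper()} REDACTED]", text)
        if n:
            counts[name] = n
    return text, counts


def guard_payload(record: dict, blocked_fields=BLOCKED_FIELDS) -> GuardResult:
    """Apply field blocking, text redaction and injection flagging to one record."""
    result = GuardResult(payload={})
    for key, value in record.items():
        if key.lower() in blocked_fields:
            result.dropped_fields.append(key)
            continue
        if not isinstance(value, str):
            result.payload[key] = value       # non-text values pass through unchanged
            continue
        cleaned, counts = redact_text(value)
        for name, n in counts.items():
            result.redactions[name] = result.redactions.get(name, 0) + n
        lowered = cleaned.lower()
        for phrase in INJECTION_PHRASES:
            if phrase in lowered:
                result.injection_flags.append(f"{key}: {phrase}")
        result.payload[key] = cleaned
    return result


if __name__ == "__main__":
    # Constructed sample record; none of these values are real.
    record = {
        "title": "Grant report draft",
        "notes": "Contact jane@example.edu about 123-45-6789",
        "ssn": "123-45-6789",
        "priority": 2,
    }
    out = guard_payload(record)
    print(out.payload)
    print("dropped:", out.dropped_fields, "redacted:", out.redactions, "flags:", out.injection_flags)
```

The caller, not this function, decides what to do with a record that carries injection flags; a conservative deployment refuses to forward it or routes it to human review, and the per-record counts give the audit trail an assessor would expect behind the "PII-stripping" claim.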
