HECVAT and vendor security reviews
The HECVAT (Higher Education Community Vendor Assessment Toolkit, the security questionnaire many universities run on a new vendor) is how most universities assess a new vendor's security. Rather than ask you to send a blank questionnaire and wait, we keep a pre-filled HECVAT-Lite self-assessment that reflects the current state of First Six.
It is deliberately candid about what is and isn't in place. A reviewer trusts a plain "not yet, and here's the plan" far more than an optimistic "yes" that a pen test would later contradict.
The short version
First Six meets or exceeds the technical controls a standard HECVAT looks for. The open items are independent attestation and process maturity — the kind of thing that takes an external audit or time as a company, not an engineering change. We propose those as milestones for a pilot rather than blockers.
Headline answers
| Area | Status |
|---|---|
| Data residency (Australia, AWS Sydney) | Yes |
| Encryption in transit and at rest | Yes |
| Single sign-on with institution-enforced MFA | Yes |
| Row-level tenant isolation | Yes |
| Append-only audit logging | Yes |
| Data minimisation with small-cell suppression | Yes |
| Student data used to train AI | No |
| SOC 2 / ISO 27001 | On the roadmap |
| Third-party penetration test | Planned |
| Data Processing Agreement | In progress |
The full response set walks the standard HECVAT sections: company and documentation, data handling and privacy, authentication and access control, application and infrastructure security, and hosting and business continuity.
The open items, named honestly
We would rather you see these from us than find them later:
- SOC 2 / ISO 27001 — not yet certified; both are on the roadmap. The controls those frameworks look for are largely in place; the external attestation is what's ahead.
- Third-party penetration test — planned, and we're happy to make it a contractual condition.
- Data Processing Agreement — being finalised with counsel.
- Cyber insurance — to be obtained before production at scale.
- Prod / non-prod separation — a known gap (development currently shares the production data project), with remediation planned and tracked in our risk register.
We keep a live risk register and disclose gaps rather than paper over them. The goal is a fast, well-informed review — not a perfect-looking questionnaire.
Using it in your review
- Ask for the responses
Request the HECVAT-Lite self-assessment through your First Six contact or procurement. We share it under NDA, along with our security overview, subprocessor list, and incident-response summary.
- Map it to your checklist
The responses are organised by the standard HECVAT sections, so they line up with whatever internal checklist your team runs.
- Read the gaps, not just the ticks
Each item is marked Yes, Partial, Planned, or No, with a note explaining it. The notes are where the real picture is.
- Set milestones for a pilot
Where an item is still in progress, we can write it into the agreement as a milestone rather than treat it as a blocker.
Common questions
Do you have a completed HECVAT we can use?
Yes. We maintain pre-filled HECVAT-Lite responses that reflect the current state of the product, so your review can start straight away rather than waiting on us to fill in a blank form.
Are you SOC 2 or ISO 27001 certified?
Not yet, and we won't imply otherwise. Both are on the roadmap. The technical controls those frameworks look for are largely in place today; the independent attestation is what's still ahead.
Will you complete our own questionnaire instead?
Yes. If your institution has its own security questionnaire, we'll complete it as part of the assessment.
Where is student data stored?
In Australia, in the AWS Sydney region, isolated per tenant by row-level security. A small set of disclosed subprocessors handle diagnostic-only, scrubbed data.