
Complete a HECVAT online — Higher education security assessment in minutes

Need to complete a HECVAT online? Auto-fill your HECVAT Full or HECVAT Lite from your SOC 2 and policies. Source-cited answers for every question.

A university IT security team just sent you a HECVAT. If you sell SaaS to higher education, you've seen this before — or you're about to see it a lot. The HECVAT (Higher Education Community Vendor Assessment Toolkit) is the standard security questionnaire for university procurement.

No completed HECVAT, no university contract. Here's how to complete it online without spending a full day on it.

What is the HECVAT?

The HECVAT was created by the Higher Education Information Security Council (HEISC) through EDUCAUSE. It's the standard vendor security assessment used by universities and colleges across the US.

It comes in three versions:

| Version | Questions | When it's used | Manual time |
|---|---|---|---|
| HECVAT Full | ~250 questions | High-risk vendors (student data, financial data, SSO integration) | 8–15 hours |
| HECVAT Lite | ~80 questions | Lower-risk vendors or initial screening | 3–5 hours |
| HECVAT On-Premise | ~150 questions | Software installed on university infrastructure | 5–10 hours |

Most SaaS vendors get the HECVAT Full. If you're handling student PII (FERPA-protected data), expect the full version every time.

HECVAT Domains

The HECVAT covers these areas:

| Domain | Focus | Key regulation |
|---|---|---|
| Company Information | Business basics, points of contact | |
| Documentation | Security policies, certifications | SOC 2, ISO 27001 |
| Accessibility | WCAG compliance, Section 508 | ADA, Section 508 |
| Data | Data classification, handling, retention | FERPA |
| Privacy | Data subject rights, third-party sharing | FERPA, state privacy laws |
| Authentication & Access | SSO, MFA, RBAC | |
| Application Security | SDLC, pen testing, vulnerability mgmt | |
| Infrastructure | Cloud hosting, network security, encryption | |
| Availability | SLA, disaster recovery, business continuity | |
| Incident Response | Breach notification, forensics | FERPA breach rules |
| Subcontractors | Third-party risk, sub-processor management | |

What makes HECVAT different from other questionnaires

FERPA is everywhere. Unlike SIG or CAIQ, the HECVAT focuses heavily on FERPA (Family Educational Rights and Privacy Act) compliance. If your product touches student records, expect detailed questions about:

  • How you classify and protect student education records
  • Breach notification timelines specific to FERPA
  • Data deletion upon contract termination
  • Whether you act as a "school official" under FERPA

If you have a FERPA compliance statement or a Data Protection Addendum (DPA) template for education clients, upload it — it dramatically increases auto-fill accuracy for these questions.

Accessibility is a scored section. Most security questionnaires don't ask about accessibility. The HECVAT does — it includes questions about WCAG 2.1 compliance, assistive technology support, and your VPAT (Voluntary Product Accessibility Template). Upload your VPAT if you have one.

University procurement is slow — your HECVAT response speed matters. University procurement cycles are notoriously long. A HECVAT that takes 2 weeks to complete adds 2 weeks to an already slow process. Responding in 48 hours can meaningfully accelerate the deal.

How to complete a HECVAT online

1. Build your knowledge base (10 minutes, one-time)

Upload to FillBase:

  • SOC 2 Type II report — Covers infrastructure, access control, incident response, and availability sections
  • Information Security Policy — Fills documentation and application security gaps
  • Privacy Policy / DPA — Critical for FERPA-related questions
  • FERPA compliance statement — If you have one, this is high-value
  • VPAT / Accessibility conformance report — For the accessibility section
  • Previously completed HECVATs — Gold for the education-specific questions that generic policies don't cover

2. Submit the HECVAT (1 minute)

Upload the HECVAT Excel file. FillBase recognizes the HECVAT structure — domain tabs, question numbering, response fields, evidence columns.

3. Review auto-generated answers (15–25 minutes for Full, 8–12 for Lite)

With a complete knowledge base:

  • ~65–75% high confidence — Source-cited, ready to approve. Infrastructure, encryption, access control questions are almost always auto-filled correctly.
  • ~15–20% medium confidence — Needs quick verification. Common for FERPA-specific questions where the AI found relevant info but wants you to confirm the education-specific angle.
  • ~10–15% flagged — Company-specific questions (your VPAT details, specific SLA numbers, sub-processor list) that aren't in your documents yet.

After your first HECVAT, those flagged answers are in your knowledge base. Second HECVAT completion is significantly faster.

4. Export and submit (1 minute)

Export in HECVAT Excel format. Submit to the university's procurement or IT security team.

Tips for higher education sales

Build a HECVAT-ready knowledge base early. If higher education is a target market, invest 30 minutes upfront to upload FERPA-specific documents. This pays off across every university prospect.

Publish to the HECVAT Community Broker Index. EDUCAUSE maintains a community index where vendors can publish completed HECVATs. If your assessment is already public, some universities will skip sending you a new one. Less work for everyone.

Pair your HECVAT with proactive documentation. Universities appreciate vendors who provide a pre-completed HECVAT, VPAT, and DPA upfront. It signals security maturity and speeds up procurement. FillBase can help you build this package once and keep it updated.

Frequently asked questions

Can I complete a HECVAT online for free?
FillBase's free tier covers 200 requirements per month. A HECVAT Lite (~80 questions) fits easily. A HECVAT Full (~250 questions) exceeds the free tier — the Starter plan ($149/mo) covers it.

I don't have a FERPA compliance statement. Can FillBase still help?
Yes, but accuracy on FERPA-specific questions will be lower. FillBase flags these for your input. After you answer them once, they're stored for future HECVATs.

Does FillBase handle the accessibility section?
If you upload a VPAT or accessibility conformance report, yes. Without it, accessibility questions are flagged for manual input.

What's the difference between HECVAT and a standard DDQ?
Content overlap is about 60–70%. The HECVAT adds FERPA-specific questions, accessibility requirements, and education-specific procurement fields that standard DDQs don't include. See our DDQ types comparison for details.

Multiple universities are sending me HECVATs. Do I fill each one separately?
Technically yes — each university wants their own completed copy. But since HECVATs are standardized, your second one takes a fraction of the time. Your knowledge base already has the answers from the first.

Win university deals faster

Higher education procurement is slow enough without a 2-week HECVAT bottleneck. Complete your HECVAT online with FillBase — upload your SOC 2, submit the questionnaire, respond in days instead of weeks.
