How to fill out the HECVAT as a small vendor

Field notes from a solo founder who answered 300+ security questions without a compliance team — and what higher-ed reviewers are actually looking for.

Arvi Habicht · Founder, Tervik LLC · July 2026

Short version: the HECVAT is not a pass/fail exam, and you don't need a compliance department to complete it credibly. You need honest answers, a hosting stack that does the heavy lifting, and clear notes on the controls you don't have yet. Here's how it actually goes as a one-person vendor.

What the HECVAT is, and why you just got asked for one

The HECVAT (Higher Education Community Vendor Assessment Toolkit) is the standard security questionnaire that colleges and universities send to software vendors before buying anything that touches institutional data. It's maintained by EDUCAUSE and shared across institutions — which is good news for you: fill it out once, carefully, and you can hand the same document to every campus that asks.

It comes in more than one version. The Full version runs several hundred questions across security, privacy, and operations. The Lite version is a shorter subset many schools accept from smaller vendors or lower-risk products. If a school gives you a choice, ask whether Lite is acceptable, but don't fear the Full version. I completed a Full HECVAT (300+ answers) alone, in days not months, because most questions fall into patterns you'll recognize by the third screen.

The mindset shift that makes it manageable

Small vendors freeze because they read each question as a bar they must clear. Reviewers don't read it that way. The person on the other end — usually a campus information-security analyst — is building a risk picture, not grading a test. What sinks vendors isn't a "No." It's vague answers, contradictions, and overclaiming that unravels on the follow-up call.

A clear "No, and here's the compensating control" consistently beats an unsupported "Yes."

Answer as if the reviewer will check. Sometimes they do.

Start with an inventory — you have more than you think

Before answering anything, list what your stack already gives you. If you build on a serious cloud platform, a surprising share of the questionnaire is answered by your provider's controls, inherited by you:

Between inherited controls and things you already do without calling them "controls" (code review, backups, least-privilege access), a solo vendor typically walks in with 50–60% of the questionnaire already answerable.

The controls reviewers actually weight for small vendors

Nobody expects a one-person company to look like Microsoft. Reviewers scale expectations to vendor size — but a handful of controls are effectively non-negotiable, and all of them are within a small vendor's reach:

How to answer the ones you don't have

You will hit questions about SOC 2 reports, penetration tests, dedicated security staff, and formal training programs. A solo vendor has none of these, and pretending otherwise is the one genuinely fatal move. Three honest patterns cover nearly every gap:

If you serve education: the FERPA section is your moment

For student-facing products, the privacy sections carry as much weight as the security ones. Know when you qualify as a "school official" under FERPA and when state law requires its own agreements on top of that: in New York, Education Law §2-d adds its own requirements, including a parents' bill of rights and specific contract language. You don't need a lawyer to fill in the questionnaire, but you do need to describe accurately: what student data you hold, where it lives, who can see it, how it's deleted on request, and that you don't sell or mine it. If your product genuinely minimizes data collection, say so loudly. Small vendors with narrow data footprints are often lower risk than the big platforms, and reviewers know it.

Logistics nobody tells you

Why we can write this

Tervik is a one-person software company. Our platform runs the daily operations of a higher-education support program — hosted on hardened cloud infrastructure with multi-factor authentication, audit logging, and session controls — and we completed the Full HECVAT solo, exactly the way described above. The questionnaire didn't require becoming a big company. It required being able to say, truthfully and specifically, how the system protects the people who use it.

Facing a HECVAT, security review, or procurement process of your own?

Whether you're a small vendor staring at the spreadsheet or a program that wants software with the compliance answers already written — that's the work we do. Start with a free Workflow Audit.