Short version: the HECVAT is not a pass/fail exam, and you don't need a compliance department to complete it credibly. You need honest answers, a hosting stack that does the heavy lifting, and clear notes on the controls you don't have yet. Here's how it actually goes as a one-person vendor.
What the HECVAT is, and why you just got asked for one
The HECVAT (Higher Education Community Vendor Assessment Toolkit) is the standard security questionnaire that colleges and universities send to software vendors before buying anything that touches institutional data. It's maintained by EDUCAUSE and shared across institutions — which is good news for you: fill it out once, carefully, and you can hand the same document to every campus that asks.
It comes in flavors. The Full version runs several hundred questions across security, privacy, and operations. The Lite version is a shorter subset many schools accept from smaller vendors or lower-risk products. If a school gives you a choice, ask whether Lite is acceptable — but don't fear the Full version. I completed a Full HECVAT (300+ answers) alone, in days not months, because most questions fall into patterns you'll recognize by the third screen.
The mindset shift that makes it manageable
Small vendors freeze because they read each question as a bar they must clear. Reviewers don't read it that way. The person on the other end — usually a campus information-security analyst — is building a risk picture, not grading a test. What sinks vendors isn't a "No." It's vague answers, contradictions, and overclaiming that unravels on the follow-up call.
A clear "No, and here's the compensating control" consistently beats an unsupported "Yes."
Answer as if the reviewer will check. Sometimes they do.
Start with an inventory — you have more than you think
Before answering anything, list what your stack already gives you. If you build on a serious cloud platform, a surprising share of the questionnaire is answered by your provider's controls, inherited by you:
- Encryption in transit — TLS everywhere is table stakes on modern platforms.
- Encryption at rest — most managed databases give you this by default; find the documentation page and cite it.
- DDoS protection, WAF, network security — if you're behind Cloudflare or an equivalent, whole sections resolve to "provided by hosting platform" with a link.
- Physical security and data-center controls — inherited entirely; reference your provider's certifications (SOC 2, ISO 27001).
Between inherited controls and things you already do without calling them "controls" (code review, backups, least-privilege access), a solo vendor typically walks in with 50–60% of the questionnaire already answerable.
The controls reviewers actually weight for small vendors
Nobody expects a one-person company to look like Microsoft. Reviewers scale expectations to vendor size — but a handful of controls are effectively non-negotiable, and all of them are within a small vendor's reach:
- Multi-factor authentication — on your own admin accounts (hosting console, code repository, email) and available in your product. If you implement one thing before submitting, make it this.
- Audit logging — who logged in, when, and what they touched. Reviewers ask about it repeatedly across sections.
- Access control and role separation — even in a small product, show that a student account can't see admin data and describe how roles are enforced.
- Session management — idle timeouts, session invalidation on logout.
- Backups and recovery — automated, tested at least once, with a stated recovery expectation. "Nightly automated backups, restore tested quarterly" is a complete answer.
- An incident-response answer — not a 40-page plan. Who detects, who is notified, in what timeframe, and how the institution hears about it. One honest page beats boilerplate.
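To make the audit-logging, role-separation and session-management items above concrete, here is an added example (not code from the original post or from Tervik's product) of a minimal session store that enforces an idle timeout, invalidates sessions on logout, checks roles per resource, and records every decision in an append-only audit trail. The 15-minute timeout, the user names and the resource paths are constructed for illustration; the injectable clock exists only so the expiry path can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed policy value for this example


@dataclass
class Session:
    user: str
    role: str
    last_seen: float


class SessionStore:
    """Opaque session ids, idle expiry, logout invalidation, and an audit log."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session id -> Session
        self.audit_log = []   # append-only list of event dicts (who, when, what)
        self._clock = clock

    def _audit(self, event, user, detail=""):
        self.audit_log.append(
            {"ts": self._clock(), "event": event, "user": user, "detail": detail})

    def login(self, user, role):
        # 256-bit random id: unguessable, carries no user information
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, role, self._clock())
        self._audit("login", user, f"role={role}")
        return sid

    def logout(self, sid):
        # Server-side invalidation: the id is useless after this, even if replayed
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._audit("logout", s.user)

    def authorize(self, sid, resource, allowed_roles):
        """Return True only for a live, non-idle session whose role may see resource."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]            # idle timeout: drop the session
            self._audit("session_expired", s.user)
            return False
        s.last_seen = now                      # sliding idle window
        allowed = s.role in allowed_roles
        self._audit("access_allowed" if allowed else "access_denied", s.user, resource)
        return allowed
```

The `audit_log` list is what lets you answer "who logged in, when, and what they touched" with a specific mechanism rather than a promise.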
How to answer the ones you don't have
You will hit questions about SOC 2 reports, penetration tests, dedicated security staff, and formal training programs. A solo vendor has none of these, and pretending otherwise is the one genuinely fatal move. Three honest patterns cover nearly every gap:
- "No, planned" — with a real trigger: "A third-party penetration test is planned and will be funded within our first institutional contract." Schools see this from small vendors constantly; some will even negotiate it into the contract, which is exactly what you want.
- "No, with compensating control" — "No dedicated 24/7 SOC; however the platform sits behind a managed WAF with automated bot mitigation and rate limiting, and authentication events are logged and reviewed."
- "N/A, with justification" — many questions assume enterprise architecture (multiple data centers, employee badge systems). State plainly why the question doesn't apply. Justified N/As are normal; blank cells are not.
If you serve education: the FERPA section is your moment
For student-facing products, the privacy sections carry as much weight as the security ones. Know the difference between being a "school official" under FERPA and needing state-specific agreements — in New York, Education Law §2-d adds its own requirements, including a parents' bill of rights and specific contract language. You don't need a lawyer to fill in the questionnaire, but you do need to describe accurately: what student data you hold, where it lives, who can see it, how it's deleted on request, and that you don't sell or mine it. If your product genuinely minimizes data collection, say so loudly — small vendors with narrow data footprints are often lower risk than the big platforms, and reviewers know it.
Logistics nobody tells you
- It's a spreadsheet. Hundreds of rows, each with a dropdown answer plus a comments column. The comments column is where credibility is won — use it on every answer that isn't a plain yes.
- Keep a master copy. Your HECVAT becomes a living document. Update it as controls improve, and every future institution gets the current version in minutes instead of days.
- Time-box realistically. My Full version took a few focused sessions: one pass for everything answerable from the stack inventory, one for the honest-gap answers, and a final pass for consistency (the same question is asked slightly differently in multiple sections — reviewers notice mismatches).
- Expect a follow-up conversation. A short call with campus security is standard, and it's an opportunity: small vendors who can explain every answer personally make a better impression than a compliance team reading from a script.
Why we can write this
Tervik is a one-person software company. Our platform runs the daily operations of a higher-education support program — hosted on hardened cloud infrastructure with multi-factor authentication, audit logging, and session controls — and we completed the Full HECVAT solo, exactly the way described above. The questionnaire didn't require becoming a big company. It required being able to say, truthfully and specifically, how the system protects the people who use it.
Whether you're a small vendor staring at the spreadsheet or a program that wants software with the compliance answers already written — that's the work we do. Start with a free Workflow Audit.