HECVAT — LiquidFiles Response
When prospective customers in higher education assess LiquidFiles, they often send the Higher Education Community Vendor Assessment Toolkit (HECVAT) for completion. This page explains how LiquidFiles responds to the HECVAT given that LiquidFiles is a self-hosted appliance rather than a cloud service, and provides a pre-completed HECVAT 4 response that customers can download, review and share with their procurement office.
A downloadable HECVAT 4 workbook with all relevant sections pre-filled is available at the bottom of this page.
What the HECVAT Is
The HECVAT is a standardised security, privacy and accessibility questionnaire maintained by EDUCAUSE that higher-education institutions send to technology vendors during procurement. Answers feed into the institution's vendor risk assessment.
The current version is HECVAT 4 (released February 2025). It rolls the previously separate Full, Lite and On-Premise variants into a single workbook. Solution providers answer gateway questions that determine which sections apply to their product, and the workbook then presents only the relevant questions.
Applicability to a Self-Hosted Appliance
A large portion of the HECVAT is written with cloud/SaaS vendors in mind — questions about shared data centres, multi-tenant isolation, the vendor's cloud sub-processors, operational controls the vendor exercises over the customer's data, and so on. None of that applies to LiquidFiles, because LiquidFiles is shipped as a virtual appliance that the customer installs and operates inside their own network. The vendor has no access to customer systems and no access to customer data.
HECVAT 4's branching logic handles this gracefully: once the relevant gateway questions are set, cloud-specific and operator-specific sections are marked not applicable and the spreadsheet focuses on the questions that relate to the product and the vendor's own organisation. Those are the questions LiquidFiles can answer, and that is what the downloadable response covers.
Gateway Answers (START HERE Tab)
The HECVAT 4 START HERE tab contains eight gateway questions (REQU-01 through REQU-08). LiquidFiles answers them as follows:
| ID | Question | LiquidFiles Answer |
|---|---|---|
| REQU-01 | Cloud-based product? | No — self-hosted appliance |
| REQU-02 | Has a user interface? | Yes — web UI, admin UI, Outlook add-in, API |
| REQU-03 | Consulting services? | No — product only |
| REQU-04 | AI features? | No — none implemented or planned for the next 12 months |
| REQU-05 | Processes PHI (HIPAA)? | No at the vendor level. The appliance can handle PHI; that is a customer decision inside their own environment. |
| REQU-06 | Designed for credit card data? | No — LiquidFiles is not a PCI DSS-scope system. |
| REQU-07 | Requires an appliance inside the institution's environment? | Yes — this is the on-premise branch of the HECVAT. |
| REQU-08 | Vendor has access to institutional data? | No — the vendor has no access to customer systems or data. |
Which Sections Apply
Given the gateway answers above, the HECVAT workbook activates the following response tabs for LiquidFiles:
- Organization — company documentation, third-party management, change management, policies, procedures and privacy.
- Product — authentication, authorisation, access, identity, data handling. LiquidFiles has strong coverage here: SAML 2.0, LDAP/AD, TOTP/SMS/Duo MFA, RBAC, audit logging, encrypted credential storage and more. See Security Overview.
- Infrastructure — application security, firewall, identity and data protection, vulnerability handling. Answered from the product posture — Rails security, CSP, CSRF, SSL Labs A+, OpenVAS and ZAP scans, Ubuntu hardening.
- IT Accessibility — WCAG, Section 508, accessibility feedback channels. LiquidFiles targets WCAG 2.1 Level A and AA; see the VPAT / Accessibility Conformance Report.
- Case-Specific — on-premise-specific questions. The CONS (consulting), HIPA (HIPAA) and PCID (PCI DSS) sub-sections are answered Not Applicable per the gateway. OPEM (On-Premises Data Solutions) covers RBAC, remote management, monitoring and vendor tenure.
The AI and Privacy tabs are gated off by REQU-04 and REQU-08 respectively — LiquidFiles has no AI features and the vendor does not process customer data — so every question on those tabs is answered Not Applicable with the gateway reason in Additional Information.
Caveats for Reviewers
A few practical notes for institutional reviewers working through the LiquidFiles HECVAT response:
- Self-hosted, not SaaS. The starting point matters. Questions about the vendor's operational controls over customer data, data centres, multi-tenancy and cloud sub-processors do not apply. These are the customer's own responsibility on the customer's own appliance. See Not a Cloud Service.
- Evidence links. Most answers in the HECVAT response link to a specific docs.liquidfiles.com page that contains primary-source evidence (configuration, screenshots, code references). Reviewers are encouraged to follow those links rather than accept bare assertions.
- Independent scans. LiquidFiles publishes recent external scan results (SSL Labs, SecurityHeaders, OWASP ZAP, OpenVAS) under Secure Development Practices › External Scanners & Validation.
- Compliance mappings. For HIPAA, PCI DSS, SOC 2, ISO 27001 and SOX, LiquidFiles publishes detailed control mappings — see the Compliance landing page. Those are more specific than the HECVAT's Case-Specific questions and are often what an institution's auditor actually needs.
Download Response
Download: LiquidFiles HECVAT 4.1.5 response (xlsx)
The downloadable workbook is the official EDUCAUSE HECVAT 4.1.5 template with LiquidFiles answers filled in across every response tab. The AI and Privacy tabs are populated with Not Applicable responses tied back to the relevant gateway question on the START HERE tab.
If your institution uses an earlier HECVAT version (Full, Lite or On-Premise 3.x), please raise a support ticket at support.liquidfiles.com and we will provide a version-specific response.