Get Started
Isora Lite
Unleash the HECVAT
Retire the spreadsheet and focus on the third-party vendor risk insights that matter most with Isora Lite from SaltyCloud. 100% free to EDU.
Trusted by established higher education institutions
How it works
Start scaling your third-party security risk management (TPSRM) program in no time
Sign up with InCommon

Easily sign up with the InCommon Federation. Not a member? Request a manual account provision.

Assess third parties

Send HECVAT questionnaire assessments to third-party vendors with a single, secure link


Access existing HECVAT assessments in the community database and share your own

Create scorecard reports

Identify critical risks, compare vendor scores, and inform your procurement process

Before, we were managing compliance with spreadsheets: it was costly, unscalable, and untrustworthy. Isora GRC makes it easier to prove compliance and manage risks across our large, complex campus.

Cam Beasley, Chief Information Security Officer

The University of Texas at Austin
Frequently Asked Questions
How can we help?
Find the answers you need here, or chat with us.
What is the HECVAT?

The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a standardized questionnaire developed by the Higher Education Information Security Council (HEISC) to streamline the process of evaluating and assessing the data security and privacy capabilities of third-party vendors within the higher education sector.

Our latest content
Stay ahead of the curve with cutting-edge articles from our research team on a diverse range of topics exploring the ever-changing world of governance, risk, and compliance.

This Complete Guide explores the basics and infosec compliance checklist for the GLBA Safeguards Rule in higher education.

Analyzing changes in HECVAT v3.05 for higher education infosec teams evaluating vendors. Includes text tweaks, logic shifts, and errors.

Discover how The University of Chicago Information Assurance team designed, launched, and scaled their enterprise-wide information security risk...

Modern higher education institutions face a unique mix of cybersecurity and regulatory compliance challenges. Today, striking the right balance all...

Discover the key steps to building a risk-based infosec risk management program in higher ed for regulatory compliance and cyber resilience.

SaltyCloud attended the 2022 EDUCAUSE Cybersecurity and Privacy Professionals Conference (CPPC) and did a lot. These are our highlights.

Manage assessments confidently with collaborative GRC tooling