Achieve Compliance · ASM + Transfer
Achieve compliance. See your exposure, exchange data lawfully.
Two tools, mapped to the frameworks that matter. Hexiosec ASM shows you the exposure attackers and auditors can see, so you can reduce it. Hexiosec Transfer keeps the data you exchange encrypted, lawful and auditable.
- UK Sovereign
- Cyber Essentials Plus
- DSIT Software Security Ambassador
- NCSC ACD 2.0 (ASM)
- Trusted by UK Government
Two questions sit under every framework.
UK cyber and data regulation is expanding. The Cyber Security and Resilience Bill is progressing through Parliament and expected to come into force in 2028, widening the rules to more organisations, including managed service providers, data centres and their supply chains. Cyber Essentials is already a procurement floor.
Whatever your framework — whether the NCSC Cyber Assessment Framework (CAF), NIS2, DORA, the Data Security and Protection Toolkit (DSPT) or UK GDPR — compliance comes down to two questions: can you see and reduce your exposure, and can you exchange sensitive data lawfully? Most organisations are better at the second than the first, and the new rules push hard on both.
We help you meet requirements. We don't make you compliant.
No tool makes you compliant. Compliance is your programme: your policies, your processes, your evidence. What good tools do is help you meet specific requirements and produce the evidence to prove it. Hexiosec maps to named requirements across the frameworks below. It does not replace your compliance function, and we won't pretend it does.
See and reduce exposure. Exchange data lawfully.
Hexiosec ASM
See and reduce your exposure
Know what attackers and auditors can see: your assets, vulnerabilities, exposed services, and your supply chain. The evidence base for asset management, vulnerability management and supply chain requirements.
Hexiosec Transfer
Exchange data lawfully
Collect and share sensitive data with encryption only the recipients you choose can read, no recipient account, and a full audit trail. The evidence base for data protection and secure exchange requirements.
Most frameworks require both. The map below shows which is which.
Named frameworks, specific requirements, and how Hexiosec helps.
Find your framework. Each row maps a specific requirement to the product that provides the evidence — not a promise of compliance.
| Hexiosec ASM — Asset, vulnerability and configuration visibility | |||
|---|---|---|---|
| Framework | The requirement | How Hexiosec helps | Product |
| NCSC CAF | Asset management and understanding your estate, and identifying vulnerabilities across what you operate. | Provides evidence for asset discovery and vulnerability identification outcomes through continuous external asset discovery and exposure visibility. | ASM |
| Cyber Essentials / CE Plus | Secure configuration and patch and update management of internet-facing services. | Helps you meet these controls by finding exposed, unpatched and misconfigured internet-facing assets before an assessor does. | ASM |
| NIS2 / Resilience Bill | Risk management and estate security under an expanded regulated scope. | Supports risk management duties with attack-surface and vulnerability visibility across your external estate. | ASM |
| Both products — Supply chain and operational resilience requirements | |||
|---|---|---|---|
| Framework | The requirement | How Hexiosec helps | Product |
| NIS2 · DORA · Resilience Bill | Supply chain and third-party risk: assess and manage the security of your suppliers and the data you exchange with them. | ASM supply chain scanning assesses third-party external exposure; Transfer secures the data you exchange with those third parties. | ASM Transfer |
| DORA | ICT risk management and operational resilience, including third-party ICT. | ASM provides ICT asset and third-party exposure visibility; Transfer supports secure third-party data exchange and regulatory submission. | ASM Transfer |
| Hexiosec Transfer — Data protection and secure exchange requirements | |||
|---|---|---|---|
| Framework | The requirement | How Hexiosec helps | Product |
| UK GDPR / DPA 2018 | Security of processing (Article 32), data protection by design and by default, data minimisation, secure collection. | Provides evidence for these duties through zero-knowledge encryption, secure Forms collection, and expiry-based erasure: data protection in the architecture, not a setting. | Transfer |
| DSPT (health & social care) | Secure patient data exchange and subject access requests (SARs). | Supports secure exchange with Hexiosec Transfer Forms, Files and Spaces: encrypted, audited, UK-hosted. | Transfer |
| Sector confidentiality (SRA / Lexcel · FCA) | Client confidentiality and secure communication expectations in regulated sectors. | Supports these expectations with confidential exchange. See the Legal and Wealth hubs for the sector detail. | Transfer |
You can't protect, or evidence, what you can't see.
Continuous attack surface discovery
Continuously discover your internet-facing assets: the evidence base for asset management requirements you can't meet by hand.
Vulnerability & exposure identification
Surface exposed services, unpatched and misconfigured systems before an assessor - or an attacker - finds them.
Asset inventory
A live external inventory that supports the asset management outcomes in CAF and the expanding NIS2 and Resilience Bill scope.
Supply chain scanning
Assess the external posture of your suppliers and third parties, directly serving the supply chain requirements in NIS2, DORA and the Resilience Bill.
The NCSC included Hexiosec ASM in its ACD 2.0 trials — a specific, verifiable credibility marker for the compliance audience.
Lawful data exchange, with the evidence to prove it.
Zero-knowledge encryption
End-to-end encryption: security of processing under Article 32, evidenced.
Data protection by design
Protection is the architecture, not a setting you can forget to switch on.
Secure collection via Forms
Collect sensitive data lawfully, encrypted on the respondent's device.
Expiry & revocation
Time-limited access supports data minimisation and erasure duties.
Full audit trail
Who accessed what, and when: the evidence auditors ask for.
UK sovereign hosting
Google Cloud Platform, London: a compliance requirement in itself for regulated and public buyers.
Helping you comply only works if the tools meet the bar. They do.
This page is about helping you comply, and you'll also ask whether the tools themselves are up to standard. The vendor evidence sits on the trust pillar: Transfer's sovereignty and data protection proof, and the security architecture behind the zero-knowledge claim.
- Cyber Essentials Plus
- UK sovereign
- DSIT Software Security Ambassador
- NCSC ACD 2.0 (ASM)
Built by the engineers who protect governments.
Built by ex-government and defence-intelligence engineers, Cheltenham.
- DSIT Software Security Ambassador
- NCSC ACD 2.0 (ASM)
- Cyber Essentials Plus
Entry points on both products.
Compliance-relevant features — audit retention, admin controls, signed DPA and UK residency — sit on the higher tiers. See your exposure with a free scan, trial data exchange free.
Transfer · Exchange data lawfully
Hexiosec Transfer
- Free / Professional / Business / Enterprise — All modules on every tier.
- Business+ — Audit retention and admin controls: the compliance-relevant features.
- Enterprise — Signed DPA and UK residency guarantee for procurement and regulated buyers.
ASM · See & reduce exposure
Hexiosec ASM
- Free scan — See your external exposure at no cost: evidence of your current state.
- Premium from £249/mo — Continuous monitoring across your estate.
- Enterprise custom pricing — Larger estates; ongoing supply chain scanning when live.
Compliance, answered honestly.
Does Hexiosec make my organisation compliant?
No. We help you meet specific requirements and produce the evidence. Compliance is your programme, your policies and your processes. No tool makes you compliant.
Which regulations does this help with?
CAF, Cyber Essentials, UK GDPR and the Data Protection Act 2018, NIS2, DORA, DSPT, and the incoming Cyber Security and Resilience Bill. See the regulation map above.
What is the Cyber Security and Resilience Bill, and does it affect me?
It is progressing through Parliament and expected to become law in 2026, widening scope to more organisations and their supply chains, including managed service providers and data centres. The advice across the market is to prepare now.
How does ASM help with compliance?
Visibility of your assets, vulnerabilities, exposure and supply chain risk: the evidence base for asset management, vulnerability and supply chain requirements.
How does Transfer help?
Lawful, encrypted data exchange and collection with a full audit trail: the evidence base for data protection requirements like Article 32 and data protection by design.
Do I need both products?
Many frameworks need both — exposure and data exchange — but you can start with either, depending on where your gap is.
Are the tools themselves compliant or certified?
Cyber Essentials Plus, and UK sovereign hosting. See /transfer/compliance/ for the full vendor evidence.
Can you help with supply chain / third-party requirements?
Yes. ASM supply chain scanning assesses third-party exposure, and Transfer secures the data you exchange with them. See /solutions/secure-onboarding/.
Be ready for what's coming.
New rules are widening the net, and the advice is the same everywhere: prepare now. See your exposure with a free ASM scan or exchange data lawfully with Transfer.