Achieve Compliance · ASM + Transfer

Achieve compliance. See your exposure, exchange data lawfully.

Two tools, mapped to the frameworks that matter. Hexiosec ASM shows you the exposure attackers and auditors can see, so you can reduce it. Hexiosec Transfer keeps the data you exchange encrypted, lawful and auditable.

  • UK Sovereign
  • Cyber Essentials Plus
  • DSIT Software Security Ambassador
  • NCSC ACD 2.0 (ASM)
  • Trusted by UK Government
The compliance challenge

Two questions sit under every framework.

UK cyber and data regulation is expanding. The Cyber Security and Resilience Bill is progressing through Parliament and expected to come into force in 2028, widening the rules to more organisations, including managed service providers, data centres and their supply chains. Cyber Essentials is already a procurement floor.

Whatever your framework — whether the NCSC Cyber Assessment Framework (CAF), NIS2, DORA, the Data Security and Protection Toolkit (DSPT) or UK GDPR — compliance comes down to two questions: can you see and reduce your exposure, and can you exchange sensitive data lawfully? Most organisations are better at the second than the first, and the new rules push hard on both.

Let's be straight

We help you meet requirements. We don't make you compliant.

No tool makes you compliant. Compliance is your programme: your policies, your processes, your evidence. What good tools do is help you meet specific requirements and produce the evidence to prove it. Hexiosec maps to named requirements across the frameworks below. It does not replace your compliance function, and we won't pretend it does.

The two dimensions of compliance

See and reduce exposure. Exchange data lawfully.

Hexiosec ASM

See and reduce your exposure

Know what attackers and auditors can see: your assets, vulnerabilities, exposed services, and your supply chain. The evidence base for asset management, vulnerability management and supply chain requirements.

Hexiosec Transfer

Exchange data lawfully

Collect and share sensitive data with encryption only the recipients you choose can read, no recipient account, and a full audit trail. The evidence base for data protection and secure exchange requirements.

Most frameworks require both. The map below shows which is which.

The regulation map

Named frameworks, specific requirements, and how Hexiosec helps.

Find your framework. Each row maps a specific requirement to the product that provides the evidence — not a promise of compliance.

Hexiosec ASM — Asset, vulnerability and configuration visibility
Framework The requirement How Hexiosec helps Product
NCSC CAF Asset management and understanding your estate, and identifying vulnerabilities across what you operate. Provides evidence for asset discovery and vulnerability identification outcomes through continuous external asset discovery and exposure visibility. ASM
Cyber Essentials / CE Plus Secure configuration and patch and update management of internet-facing services. Helps you meet these controls by finding exposed, unpatched and misconfigured internet-facing assets before an assessor does. ASM
NIS2 / Resilience Bill Risk management and estate security under an expanded regulated scope. Supports risk management duties with attack-surface and vulnerability visibility across your external estate. ASM
Both products — Supply chain and operational resilience requirements
Framework The requirement How Hexiosec helps Product
NIS2 · DORA · Resilience Bill Supply chain and third-party risk: assess and manage the security of your suppliers and the data you exchange with them. ASM supply chain scanning assesses third-party external exposure; Transfer secures the data you exchange with those third parties. ASM Transfer
DORA ICT risk management and operational resilience, including third-party ICT. ASM provides ICT asset and third-party exposure visibility; Transfer supports secure third-party data exchange and regulatory submission. ASM Transfer
Hexiosec Transfer — Data protection and secure exchange requirements
Framework The requirement How Hexiosec helps Product
UK GDPR / DPA 2018 Security of processing (Article 32), data protection by design and by default, data minimisation, secure collection. Provides evidence for these duties through zero-knowledge encryption, secure Forms collection, and expiry-based erasure: data protection in the architecture, not a setting. Transfer
DSPT (health & social care) Secure patient data exchange and subject access requests (SARs). Supports secure exchange with Hexiosec Transfer Forms, Files and Spaces: encrypted, audited, UK-hosted. Transfer
Sector confidentiality (SRA / Lexcel · FCA) Client confidentiality and secure communication expectations in regulated sectors. Supports these expectations with confidential exchange. See the Legal and Wealth hubs for the sector detail. Transfer
Hexiosec ASM · See & reduce exposure

You can't protect, or evidence, what you can't see.

Continuous attack surface discovery

Continuously discover your internet-facing assets: the evidence base for asset management requirements you can't meet by hand.

Vulnerability & exposure identification

Surface exposed services, unpatched and misconfigured systems before an assessor - or an attacker - finds them.

Asset inventory

A live external inventory that supports the asset management outcomes in CAF and the expanding NIS2 and Resilience Bill scope.

Supply chain scanning

Assess the external posture of your suppliers and third parties, directly serving the supply chain requirements in NIS2, DORA and the Resilience Bill.

The NCSC included Hexiosec ASM in its ACD 2.0 trials — a specific, verifiable credibility marker for the compliance audience.

Hexiosec Transfer · Exchange data lawfully

Lawful data exchange, with the evidence to prove it.

Zero-knowledge encryption

End-to-end encryption: security of processing under Article 32, evidenced.

Data protection by design

Protection is the architecture, not a setting you can forget to switch on.

Secure collection via Forms

Collect sensitive data lawfully, encrypted on the respondent's device.

Expiry & revocation

Time-limited access supports data minimisation and erasure duties.

Full audit trail

Who accessed what, and when: the evidence auditors ask for.

UK sovereign hosting

Google Cloud Platform, London: a compliance requirement in itself for regulated and public buyers.

Evidence the tools meet the bar

Helping you comply only works if the tools meet the bar. They do.

This page is about helping you comply, and you'll also ask whether the tools themselves are up to standard. The vendor evidence sits on the trust pillar: Transfer's sovereignty and data protection proof, and the security architecture behind the zero-knowledge claim.

  • Cyber Essentials Plus
  • UK sovereign
  • DSIT Software Security Ambassador
  • NCSC ACD 2.0 (ASM)
Trusted across government and regulated industry

Built by the engineers who protect governments.

Cabinet Office
UK Government
NHS

Built by ex-government and defence-intelligence engineers, Cheltenham.

  • DSIT Software Security Ambassador
  • NCSC ACD 2.0 (ASM)
  • Cyber Essentials Plus

Entry points on both products.

Compliance-relevant features — audit retention, admin controls, signed DPA and UK residency — sit on the higher tiers. See your exposure with a free scan, trial data exchange free.

Transfer · Exchange data lawfully

Hexiosec Transfer

  • Free / Professional / Business / Enterprise — All modules on every tier.
  • Business+ — Audit retention and admin controls: the compliance-relevant features.
  • Enterprise — Signed DPA and UK residency guarantee for procurement and regulated buyers.

ASM · See & reduce exposure

Hexiosec ASM

  • Free scan — See your external exposure at no cost: evidence of your current state.
  • Premium from £249/mo — Continuous monitoring across your estate.
  • Enterprise custom pricing — Larger estates; ongoing supply chain scanning when live.

FAQ

Compliance, answered honestly.

Does Hexiosec make my organisation compliant?

No. We help you meet specific requirements and produce the evidence. Compliance is your programme, your policies and your processes. No tool makes you compliant.

Which regulations does this help with?

CAF, Cyber Essentials, UK GDPR and the Data Protection Act 2018, NIS2, DORA, DSPT, and the incoming Cyber Security and Resilience Bill. See the regulation map above.

What is the Cyber Security and Resilience Bill, and does it affect me?

It is progressing through Parliament and expected to become law in 2026, widening scope to more organisations and their supply chains, including managed service providers and data centres. The advice across the market is to prepare now.

How does ASM help with compliance?

Visibility of your assets, vulnerabilities, exposure and supply chain risk: the evidence base for asset management, vulnerability and supply chain requirements.

How does Transfer help?

Lawful, encrypted data exchange and collection with a full audit trail: the evidence base for data protection requirements like Article 32 and data protection by design.

Do I need both products?

Many frameworks need both — exposure and data exchange — but you can start with either, depending on where your gap is.

Are the tools themselves compliant or certified?

Cyber Essentials Plus, and UK sovereign hosting. See /transfer/compliance/ for the full vendor evidence.

Can you help with supply chain / third-party requirements?

Yes. ASM supply chain scanning assesses third-party exposure, and Transfer secures the data you exchange with them. See /solutions/secure-onboarding/.

Be ready for what's coming.

New rules are widening the net, and the advice is the same everywhere: prepare now. See your exposure with a free ASM scan or exchange data lawfully with Transfer.