Hexiosec for legal

Two risks every law firm carries. We cover both.

The client data you send out: disclosure, case files, mergers and acquisitions (M&A). And the digital estate attackers can see: domains, servers, the systems you inherited through a merger. Hexiosec Transfer secures the first with end-to-end encryption. Hexiosec ASM maps the second the way an attacker would. Both UK-sovereign, both built by ex-government engineers.

  • UK Sovereign
  • Cyber Essentials Plus
  • NCSC ACD 2.0 (ASM)
  • DSIT Ambassador
  • Trusted by UK Government and regulated industry
The two risks in legal practice

Same client data. Two directions of risk.

The data that leaves the firm

Every matter sends confidential material out, to counsel, courts, clients and counterparties. The everyday defaults each carry risk relevant to your SRA obligations:

  • Email and ZIP files: readable, forwardable, and impossible to recall
  • Secure-email links: control weakens once the message has gone
  • SharePoint guest links: shared beyond the recipient, with no expiry

What attackers can see of the firm

The firm's external estate is larger and less understood than most people think. Attackers enumerate it, and most firms cannot:

  • Forgotten subdomains and shadow systems
  • Exposed services and open ports
  • Expired or mis-issued certificates
  • Systems inherited through mergers

You can't defend what you can't see.

Same client data. Two directions of risk. Hexiosec covers both.

Two products, one sector. Start where your risk is.

Hexiosec Transfer: Secure the data you exchange

Disclosure, client onboarding, per-matter workspaces and M&A data rooms, exchanged with end-to-end encryption.

Hexiosec ASM: See what attackers see

Continuous external attack-surface mapping, and a defensible answer to client security questionnaires.

Hexiosec Transfer for legal

Secure the work that leaves the firm.

Every matter involves sending confidential material to clients, counsel, courts, regulators and counterparties. Hexiosec Transfer is the encrypted channel for all of it, with no account required on the other side.

Your document management system does what it does. We handle the bit between it and the outside world.

Hexiosec Transfer is built for external-party exchange: documents and data leaving the firm to clients, counsel, courts, regulators and counterparties. Your document management system (iManage, NetDocuments or otherwise) remains the system of record. Transfer is the controlled, audited, encrypted channel for everything that leaves it.

Transfer modules, mapped to legal work

Files

Send disclosure packs and documents to counsel, courts and clients with end-to-end encryption, and no account on the other side. This is the bulk of external exchange work.

Spaces

Persistent encrypted workspaces: per-matter workspaces, disclosure rooms, sub-£100m M&A data rooms. Admin-verified users, full audit, branded for the firm.

Forms

Encrypted intake for what clients send you: KYC/AML checks, identity documents, matter-opening information, subject access requests both ways. Structured, audited, and unreadable by us.

Email

Encrypted correspondence to and from clients and counsel. Business and Enterprise tiers.

Four ways legal teams use Transfer

Disclosure and document delivery

Send a 200MB pack to opposing counsel without a quarantine bounce or a SharePoint guest link. Secure link, no account, download once, automatic expiry. You see who accessed what and when, and can revoke at any time.

Per-matter workspaces

A persistent encrypted Space per matter: client, fee-earners, and where appropriate counsel, in one controlled environment. Files and folders flow both ways under admin control. This is external exchange around the matter, not a document-management replacement.

Sub-£100m M&A data rooms

A virtual data room with admin-controlled access and full audit, at a tier price the partner signs off without convening the management committee. The mid-market, UK-sovereign alternative to enterprise data rooms that charge upwards of £20,000 per deal.

Client onboarding and SARs

Collect KYC/AML and identity information through an encrypted, branded form, with no account for the client. Fulfil subject access requests securely both ways. Encrypted on the client's device before it reaches us.

Hexiosec ASM for legal

See what attackers could exploit, before they do.

Hexiosec ASM continuously maps your external attack surface the way an attacker would: every domain, subdomain, exposed service and certificate, using a proprietary enumeration engine that finds more, with fewer false positives. The NCSC chose Hexiosec ASM to be part of its Active Cyber Defence 2.0 trials.

The exposure you can't see

A forgotten subdomain, a development server someone left running, an expired certificate, a marketing microsite from a campaign three years ago: attackers find these first. ASM finds them for you, continuously.

Post-merger estate discovery

Mid-tier legal grows by merger, and mergers leave sprawling, poorly-documented digital estates. ASM maps what the firm inherited: the systems, domains and exposures that came with the deal but were never catalogued.

Defensible answers to client questionnaires

Corporate and financial clients increasingly send security questionnaires before instructing a firm. ASM gives a defensible, continuously-updated answer to questions about your external attack surface.

Compliance for legal

Mapped to the frameworks a Risk Partner answers to.

SRA: client confidentiality

Hexiosec Transfer and ASM help you evidence the SRA's Principle 6 confidentiality, sound data handling and breach reporting. Transfer's zero-knowledge architecture strengthens the confidentiality position; ASM evidences that the firm monitors its own exposure.

Lexcel

Lexcel is the Law Society's practice-management quality standard. Hexiosec helps you evidence its information-management and risk-management requirements.

Legal Aid Agency breach context

The 2024–2025 legal-sector breaches raised the bar on how firms protect and exchange client data, and on the assurances clients now expect.

UK GDPR / DPA 2018

Aligned with UK GDPR and the Data Protection Act 2018. See the compliance page for how both products support your compliance position.

  • Cyber Essentials Plus
  • DSIT Software Security Ambassador
  • NCSC ACD 2.0 (ASM)
  • UK sovereign hosting
  • UK-registered, no US parent
Trusted at brand level

Built by ex-government engineers. Trusted across government and regulated industry.

UK Government
Cabinet Office
NHS
York St John Logo
Jisc

Find your tier on each product.

A quick fit guide, not a pricing table. Each card routes to the full pricing.

Transfer

Hexiosec Transfer

  • Professional £15/user/mo — Small firms and teams getting started.
  • Business £25/user/mo — Co-branding, 1-year audit retention, admin controls. The common tier for Top 101–200.
  • Enterprise custom pricing — Own domain, SSO, signed DPA + residency guarantee, framework procurement, 99.9% SLA, named CSM. The common tier for Top 51–100.

ASM

Hexiosec ASM

  • Free weekly scans, no card — See your external attack surface at no cost.
  • Essential from £99/mo — Up to 200 assets, weekly monitoring.
  • Premium from £249/mo — Up to 300 assets, continuous monitoring.
  • Enterprise custom pricing — Larger estates and advanced needs.

FAQ

Both products, answered.

Is Transfer a replacement for our DMS (iManage / NetDocuments)?

No. Hexiosec Transfer is for external-party exchange — the channel between your document management system and the outside world. Your DMS remains the system of record.

Is it SRA compliant?

Zero-knowledge encryption strengthens your client-confidentiality position. See /transfer/compliance/ for the full mapping.

Does the recipient need an account?

No. Recipients, respondents and counterparties take part without a Hexiosec account.

Can we use it for sub-£100m M&A data rooms?

Yes. Admin-controlled access and full audit, at a tier price the partner signs off. See /transfer/spaces/.

Do you integrate with iManage / NetDocuments?

Native integration is a Q1 2027 roadmap item. Today, Transfer is used alongside the document management system for external exchange.

How does this compare to Egress?

See the comparison at /switch-from-egress/.

What is attack surface management, in plain terms?

The outside-in view of everything attackers can see of your firm online: domains, servers, certificates, mapped continuously.

We already have a pen test — why ASM?

A pen test is a point in time. ASM is continuous, and finds the assets a scoped pen test never knew existed.

Can ASM help us answer client security questionnaires?

Yes. A defensible, continuously-updated view of your external exposure.

Is data stored in the UK?

Yes. Both products are UK-hosted; Transfer on Google Cloud Platform, London, with a signed DPA and residency guarantee on Enterprise.

Do the products work together?

They address two different risks — outbound exchange and inbound exposure — and share the same UK-sovereign, ex-government engineering. Most firms start with one and add the other.

Cover both risks. Start with the one that brought you here.

Most firms start with the risk that's top of mind — securing what they send out, or seeing what attackers can see — and add the other when they're ready. Both are free to start.