Hexiosec for legal
Two risks every law firm carries. We cover both.
The client data you send out: disclosure, case files, mergers and acquisitions (M&A). And the digital estate attackers can see: domains, servers, the systems you inherited through a merger. Hexiosec Transfer secures the first with end-to-end encryption. Hexiosec ASM maps the second the way an attacker would. Both UK-sovereign, both built by ex-government engineers.
- UK Sovereign
- Cyber Essentials Plus
- NCSC ACD 2.0 (ASM)
- DSIT Ambassador
- Trusted by UK Government and regulated industry
Same client data. Two directions of risk.
The data that leaves the firm
Every matter sends confidential material out, to counsel, courts, clients and counterparties. The everyday defaults each carry risk relevant to your SRA obligations:
- Email and ZIP files: readable, forwardable, and impossible to recall
- Secure-email links: control weakens once the message has gone
- SharePoint guest links: shared beyond the recipient, with no expiry
What attackers can see of the firm
The firm's external estate is larger and less understood than most people think. Attackers enumerate it, and most firms cannot:
- Forgotten subdomains and shadow systems
- Exposed services and open ports
- Expired or mis-issued certificates
- Systems inherited through mergers
You can't defend what you can't see.
Same client data. Two directions of risk. Hexiosec covers both.
Two products, one sector. Start where your risk is.
Hexiosec Transfer: Secure the data you exchange
Disclosure, client onboarding, per-matter workspaces and M&A data rooms, exchanged with end-to-end encryption.
Hexiosec ASM: See what attackers see
Continuous external attack-surface mapping, and a defensible answer to client security questionnaires.
Secure the work that leaves the firm.
Every matter involves sending confidential material to clients, counsel, courts, regulators and counterparties. Hexiosec Transfer is the encrypted channel for all of it, with no account required on the other side.
Your document management system does what it does. We handle the bit between it and the outside world.
Hexiosec Transfer is built for external-party exchange: documents and data leaving the firm to clients, counsel, courts, regulators and counterparties. Your document management system (iManage, NetDocuments or otherwise) remains the system of record. Transfer is the controlled, audited, encrypted channel for everything that leaves it.
Files
Send disclosure packs and documents to counsel, courts and clients with end-to-end encryption, and no account on the other side. This is the bulk of external exchange work.
Spaces
Persistent encrypted workspaces: per-matter workspaces, disclosure rooms, sub-£100m M&A data rooms. Admin-verified users, full audit, branded for the firm.
Forms
Encrypted intake for what clients send you: KYC/AML checks, identity documents, matter-opening information, subject access requests both ways. Structured, audited, and unreadable by us.
Encrypted correspondence to and from clients and counsel. Business and Enterprise tiers.
Disclosure and document delivery
Send a 200MB pack to opposing counsel without a quarantine bounce or a SharePoint guest link. Secure link, no account, download once, automatic expiry. You see who accessed what and when, and can revoke at any time.
Per-matter workspaces
A persistent encrypted Space per matter: client, fee-earners, and where appropriate counsel, in one controlled environment. Files and folders flow both ways under admin control. This is external exchange around the matter, not a document-management replacement.
Sub-£100m M&A data rooms
A virtual data room with admin-controlled access and full audit, at a tier price the partner signs off without convening the management committee. The mid-market, UK-sovereign alternative to enterprise data rooms that charge upwards of £20,000 per deal.
Client onboarding and SARs
Collect KYC/AML and identity information through an encrypted, branded form, with no account for the client. Fulfil subject access requests securely both ways. Encrypted on the client's device before it reaches us.
See what attackers could exploit, before they do.
Hexiosec ASM continuously maps your external attack surface the way an attacker would: every domain, subdomain, exposed service and certificate, using a proprietary enumeration engine that finds more, with fewer false positives. The NCSC chose Hexiosec ASM to be part of its Active Cyber Defence 2.0 trials.
The exposure you can't see
A forgotten subdomain, a development server someone left running, an expired certificate, a marketing microsite from a campaign three years ago: attackers find these first. ASM finds them for you, continuously.
Post-merger estate discovery
Mid-tier legal grows by merger, and mergers leave sprawling, poorly-documented digital estates. ASM maps what the firm inherited: the systems, domains and exposures that came with the deal but were never catalogued.
Defensible answers to client questionnaires
Corporate and financial clients increasingly send security questionnaires before instructing a firm. ASM gives a defensible, continuously-updated answer to questions about your external attack surface.
Mapped to the frameworks a Risk Partner answers to.
SRA: client confidentiality
Hexiosec Transfer and ASM help you evidence the SRA's Principle 6 confidentiality, sound data handling and breach reporting. Transfer's zero-knowledge architecture strengthens the confidentiality position; ASM evidences that the firm monitors its own exposure.
Lexcel
Lexcel is the Law Society's practice-management quality standard. Hexiosec helps you evidence its information-management and risk-management requirements.
Legal Aid Agency breach context
The 2024–2025 legal-sector breaches raised the bar on how firms protect and exchange client data, and on the assurances clients now expect.
UK GDPR / DPA 2018
Aligned with UK GDPR and the Data Protection Act 2018. See the compliance page for how both products support your compliance position.
- Cyber Essentials Plus
- DSIT Software Security Ambassador
- NCSC ACD 2.0 (ASM)
- UK sovereign hosting
- UK-registered, no US parent
Built by ex-government engineers. Trusted across government and regulated industry.
Find your tier on each product.
A quick fit guide, not a pricing table. Each card routes to the full pricing.
Transfer
Hexiosec Transfer
- Professional £15/user/mo — Small firms and teams getting started.
- Business £25/user/mo — Co-branding, 1-year audit retention, admin controls. The common tier for Top 101–200.
- Enterprise custom pricing — Own domain, SSO, signed DPA + residency guarantee, framework procurement, 99.9% SLA, named CSM. The common tier for Top 51–100.
ASM
Hexiosec ASM
- Free weekly scans, no card — See your external attack surface at no cost.
- Essential from £99/mo — Up to 200 assets, weekly monitoring.
- Premium from £249/mo — Up to 300 assets, continuous monitoring.
- Enterprise custom pricing — Larger estates and advanced needs.
Both products, answered.
Is Transfer a replacement for our DMS (iManage / NetDocuments)?
No. Hexiosec Transfer is for external-party exchange — the channel between your document management system and the outside world. Your DMS remains the system of record.
Is it SRA compliant?
Zero-knowledge encryption strengthens your client-confidentiality position. See /transfer/compliance/ for the full mapping.
Does the recipient need an account?
No. Recipients, respondents and counterparties take part without a Hexiosec account.
Can we use it for sub-£100m M&A data rooms?
Yes. Admin-controlled access and full audit, at a tier price the partner signs off. See /transfer/spaces/.
Do you integrate with iManage / NetDocuments?
Native integration is a Q1 2027 roadmap item. Today, Transfer is used alongside the document management system for external exchange.
How does this compare to Egress?
See the comparison at /switch-from-egress/.
What is attack surface management, in plain terms?
The outside-in view of everything attackers can see of your firm online: domains, servers, certificates, mapped continuously.
We already have a pen test — why ASM?
A pen test is a point in time. ASM is continuous, and finds the assets a scoped pen test never knew existed.
Can ASM help us answer client security questionnaires?
Yes. A defensible, continuously-updated view of your external exposure.
Is data stored in the UK?
Yes. Both products are UK-hosted; Transfer on Google Cloud Platform, London, with a signed DPA and residency guarantee on Enterprise.
Do the products work together?
They address two different risks — outbound exchange and inbound exposure — and share the same UK-sovereign, ex-government engineering. Most firms start with one and add the other.
Cover both risks. Start with the one that brought you here.
Most firms start with the risk that's top of mind — securing what they send out, or seeing what attackers can see — and add the other when they're ready. Both are free to start.