SECURE ONBOARDING · ASSESS AND COLLECT

Onboard clients and suppliers, securely.

Collect KYC, identity, financial and compliance data through encrypted onboarding forms — no respondent account, branded as your firm, encrypted on their device before it reaches anyone. And when you onboard a supplier, assess their external security posture first — because their risk becomes your risk. Secure collection with Hexiosec Transfer; supplier risk assessment with Hexiosec ASM.

  • End-to-end encrypted
  • No respondent account
  • UK Sovereign
  • Supply-chain visibility
  • Cyber Essentials Plus
The two jobs of onboarding

Collect the data safely. Assess the risk you take on.

Transfer · Every onboarding

Collect the data safely

Every onboarding involves collecting sensitive data: KYC, identity, financials, compliance documents. Collect it through encrypted forms that even we can't read, for clients, investors, applicants and suppliers alike.

ASM · Organisations only

Assess the supplier's risk

When you onboard an organisation, you take on their security risk. Before you let a supplier into your estate, see what attackers can see: their external exposure, unpatched services and forgotten assets.

Collecting data safely applies to every onboarding. Assessing security posture applies when you're onboarding an organisation: a merger, supplier, vendor or partner.

The problem

Insecure collection, and the supplier blind spot.

Collection risk

Standard form tools aren't built for sensitive data

Microsoft Forms and Google Forms encrypt in transit, but the provider can read responses at rest, so a breach exposes the KYC and identity data you collected.

Collection risk

Email and PDF are unstructured and indefensible

Asking clients to email their documents scatters sensitive data across inboxes with no structure, no audit and no control.

Collection risk

The liability is yours

The moment you ask for identity documents or source of funds, you become responsible for protecting that data. The collection method matters as much as the storage method.

Supplier blind spot

A questionnaire isn't a view of a supplier's exposure

A compliance questionnaire tells you what a supplier says about its security. Its unpatched server or forgotten subdomain becomes your supply chain risk, and DORA, NIS2 and the incoming Cyber Security and Resilience Bill increasingly expect you to have looked.

You can't manage a risk you can't see. This is something worth knowing, not a reason to fear your suppliers.

A quick clarification, because it matters

ASM assesses organisations, not individuals.

Supplier risk assessment applies when you're onboarding an organisation: a supplier, vendor or partner with a digital footprint you can assess. It does not apply to onboarding an individual client, investor or applicant; you don't scan a person. For individual onboarding, the secure collection half is what you need. For supplier onboarding, you get both.

How it works

Two flows: assess and collect for suppliers, collect for individuals.

Supplier · Assess + Collect

Supplier onboarding

  1. Assess
    Run a Hexiosec ASM scan of the supplier's external footprint to see their exposure before you engage, with their awareness or consent as appropriate.
  2. Collect
    Send a branded, encrypted onboarding form for their compliance documents, financials and identity, encrypted on their device, no account.
  3. Review and record
    Export to your procurement or onboarding system, and keep the assessment and the documentation together as your due diligence record.

Client / Investor · Collect

Individual onboarding

  1. Build
    Build a branded onboarding form, with field types including file upload.
  2. Share a secure link
    Completed in the browser, encrypted on the device, no account for the respondent.
  3. Review and export
    Delegate review access and export to your CRM or practice management system.
Hexiosec Transfer · Collection

Secure collection, for every onboarding.

End-to-end encrypted responses

Encrypted on the respondent's device, so no one but you can read them.

No respondent account

Clients and suppliers complete the form in the browser, with no sign-up.

Build from scratch or templates

Start from onboarding templates or build your own.

File upload & field types

Collect identity and compliance documents alongside structured fields.

Own branding & custom domain

The respondent sees your brand (Enterprise tier).

Export

Export to CRM, procurement or onboarding systems.

UK sovereign hosting

Collected data stays in the UK, on Google Cloud Platform in London.

Hexiosec ASM · Supplier Assessment

See a supplier's exposure before you let them in.

External attack surface discovery

See the supplier's assets, exposed services and unpatched or misconfigured systems: an independent view of the risk you're taking on, beyond their self-reported questionnaire. Organisations only.

Supply chain scanning

Extends this across your suppliers and third parties on an ongoing basis, supporting the supply chain requirements in DORA, NIS2 and the incoming Cyber Security and Resilience Bill.

NCSC ACD 2.0

The National Cyber Security Centre included Hexiosec ASM in its Active Cyber Defence 2.0 trials — a strong credibility marker for an independent external view.

Use cases

Onboarding across sectors: collection only, or assess and collect.

Transfer · Collection

Legal: client onboarding

Collect KYC, anti-money laundering (AML), identity and source of funds when opening a matter: encrypted, branded, no client account.

Transfer · Collection

Wealth: investor onboarding

Collect KYC and AML, suitability and source of wealth when taking on an investor: frictionless, branded, readable only by the firm.

Cross-Product · Assess + Collect

Public sector and regulated: supplier onboarding

Assess a new supplier's external security posture with Hexiosec ASM, and collect their compliance documentation, financial standing and identity with Hexiosec Transfer. Tied to supply chain compliance.

Cross-Product · Assess + Collect

Any sector: vendor and partner onboarding

Onboarding any third party with a digital footprint — contractors, technology vendors or outsourced providers: assess their exposure, collect their documentation.

Why a form tool, or a questionnaire, isn't enough

Collect securely. Assess independently.

Dimension Mainstream form tools Email + PDF Hexiosec secure collection
Encryption In transit only Ad hoc / none End-to-end, on the device
Who can read responses The provider, at rest Anyone with the inbox Only you — zero knowledge
Data controller liability Yours, on their infrastructure Yours, unmanaged Yours, strengthened by end-to-end encryption
Respondent account Sometimes No No
Branding Limited None Own branded (Enterprise tier)
UK sovereignty Often US-hosted Wherever your mail is UK, Google Cloud Platform London
Structured & exportable Varies No Yes, with CRM or procurement export

A questionnaire tells you what a supplier says. An external scan shows you what attackers can see.

Use both: the questionnaire for their policies, Hexiosec ASM for their actual exposure. The scan complements the questionnaire — it does not replace it.

See the full comparison →
Trusted across government and regulated industry

The engineers who protect governments.

Cabinet Office
UK Government
NHS

Built by ex-government and defence-intelligence engineers, Cheltenham.

  • DSIT Software Security Ambassador
  • NCSC ACD 2.0 (ASM)
  • Cyber Essentials Plus

Entry points on both products.

Trial collection free; assess a supplier with a free scan. Each card routes to the full pricing.

Transfer · Collection

Hexiosec Transfer

  • Free — Trial it — One form, ten submissions.
  • Business £25/user/mo — Ten forms, unlimited submissions, branding, audit retention. The realistic tier for ongoing onboarding.
  • Enterprise custom pricing — Own domain, unlimited forms, SSO, signed DPA, framework procurement.

ASM · Supplier Assessment

Hexiosec ASM

  • Free scan — See a supplier's external exposure at no cost.
  • Premium from £99/mo — Up to 300 assets, continuous monitoring.
  • Enterprise from £1,200/mo — Larger estates; ongoing supply chain scanning.

FAQ

Onboarding, answered.

How is this more secure than Microsoft Forms or Google Forms?

Those encrypt in transit, but the provider can read responses at rest. Hexiosec encrypts on the respondent's device, so no one but you can read it.

Does the client or supplier need an account?

No. They complete the form in the browser, with no sign-up.

Can I assess a supplier's security before onboarding them?

Yes. A Hexiosec ASM scan shows their external exposure, and supply chain scanning extends this across suppliers on an ongoing basis. Organisations only, not individuals.

Can I collect documents as well as data?

Yes. File upload fields collect identity and compliance documents alongside structured data.

Can I brand the onboarding form?

Yes. Own branding with your own domain on the Business tier.

Does this reduce our data controller liability?

The collected data is encrypted on the respondent's device and unreadable to us, which strengthens your data-protection position. See /transfer/compliance/. This is not legal advice.

Does supplier assessment work for onboarding individual clients?

No. You don't scan a person. For individuals, the secure collection half is what you need.

How does this help with supply chain compliance?

Assessing supplier exposure and securing the data you exchange supports the supply chain requirements in DORA, NIS2 and the incoming Resilience Bill. See /solutions/compliance/.

Is the data stored in the UK?

Yes. Google Cloud Platform, London. See /transfer/compliance/.

What encryption is used?

End-to-end and zero knowledge. See /transfer/security/.

Onboard your next client or supplier securely.

Build a secure onboarding form free in minutes. Onboarding a supplier? Run a free scan to see their exposure first. Need it tailored to your intake and due diligence process? Request a demo.