SECURE ONBOARDING · ASSESS AND COLLECT
Onboard clients and suppliers, securely.
Collect KYC, identity, financial and compliance data through encrypted onboarding forms — no respondent account, branded as your firm, encrypted on their device before it reaches anyone. And when you onboard a supplier, assess their external security posture first — because their risk becomes your risk. Secure collection with Hexiosec Transfer; supplier risk assessment with Hexiosec ASM.
- End-to-end encrypted
- No respondent account
- UK Sovereign
- Supply-chain visibility
- Cyber Essentials Plus
Collect the data safely. Assess the risk you take on.
Transfer · Every onboarding
Collect the data safely
Every onboarding involves collecting sensitive data: KYC, identity, financials, compliance documents. Collect it through encrypted forms that even we can't read, for clients, investors, applicants and suppliers alike.
ASM · Organisations only
Assess the supplier's risk
When you onboard an organisation, you take on their security risk. Before you let a supplier into your estate, see what attackers can see: their external exposure, unpatched services and forgotten assets.
Collecting data safely applies to every onboarding. Assessing security posture applies when you're onboarding an organisation: a merger, supplier, vendor or partner.
Insecure collection, and the supplier blind spot.
Collection risk
Standard form tools aren't built for sensitive data
Microsoft Forms and Google Forms encrypt in transit, but the provider can read responses at rest, so a breach exposes the KYC and identity data you collected.
Collection risk
Email and PDF are unstructured and indefensible
Asking clients to email their documents scatters sensitive data across inboxes with no structure, no audit and no control.
Collection risk
The liability is yours
The moment you ask for identity documents or source of funds, you become responsible for protecting that data. The collection method matters as much as the storage method.
Supplier blind spot
A questionnaire isn't a view of a supplier's exposure
A compliance questionnaire tells you what a supplier says about its security. Its unpatched server or forgotten subdomain becomes your supply chain risk, and DORA, NIS2 and the incoming Cyber Security and Resilience Bill increasingly expect you to have looked.
You can't manage a risk you can't see. This is something worth knowing, not a reason to fear your suppliers.
ASM assesses organisations, not individuals.
Supplier risk assessment applies when you're onboarding an organisation: a supplier, vendor or partner with a digital footprint you can assess. It does not apply to onboarding an individual client, investor or applicant; you don't scan a person. For individual onboarding, the secure collection half is what you need. For supplier onboarding, you get both.
Two flows: assess and collect for suppliers, collect for individuals.
Supplier · Assess + Collect
Supplier onboarding
-
Assess
Run a Hexiosec ASM scan of the supplier's external footprint to see their exposure before you engage, with their awareness or consent as appropriate. -
Collect
Send a branded, encrypted onboarding form for their compliance documents, financials and identity, encrypted on their device, no account. -
Review and record
Export to your procurement or onboarding system, and keep the assessment and the documentation together as your due diligence record.
Client / Investor · Collect
Individual onboarding
-
Build
Build a branded onboarding form, with field types including file upload. -
Share a secure link
Completed in the browser, encrypted on the device, no account for the respondent. -
Review and export
Delegate review access and export to your CRM or practice management system.
Secure collection, for every onboarding.
End-to-end encrypted responses
Encrypted on the respondent's device, so no one but you can read them.
No respondent account
Clients and suppliers complete the form in the browser, with no sign-up.
Build from scratch or templates
Start from onboarding templates or build your own.
File upload & field types
Collect identity and compliance documents alongside structured fields.
Own branding & custom domain
The respondent sees your brand (Enterprise tier).
Export
Export to CRM, procurement or onboarding systems.
UK sovereign hosting
Collected data stays in the UK, on Google Cloud Platform in London.
See a supplier's exposure before you let them in.
External attack surface discovery
See the supplier's assets, exposed services and unpatched or misconfigured systems: an independent view of the risk you're taking on, beyond their self-reported questionnaire. Organisations only.
Supply chain scanning
Extends this across your suppliers and third parties on an ongoing basis, supporting the supply chain requirements in DORA, NIS2 and the incoming Cyber Security and Resilience Bill.
NCSC ACD 2.0
The National Cyber Security Centre included Hexiosec ASM in its Active Cyber Defence 2.0 trials — a strong credibility marker for an independent external view.
Onboarding across sectors: collection only, or assess and collect.
Transfer · Collection
Legal: client onboarding
Collect KYC, anti-money laundering (AML), identity and source of funds when opening a matter: encrypted, branded, no client account.
Transfer · Collection
Wealth: investor onboarding
Collect KYC and AML, suitability and source of wealth when taking on an investor: frictionless, branded, readable only by the firm.
Cross-Product · Assess + Collect
Public sector and regulated: supplier onboarding
Assess a new supplier's external security posture with Hexiosec ASM, and collect their compliance documentation, financial standing and identity with Hexiosec Transfer. Tied to supply chain compliance.
Cross-Product · Assess + Collect
Any sector: vendor and partner onboarding
Onboarding any third party with a digital footprint — contractors, technology vendors or outsourced providers: assess their exposure, collect their documentation.
Collect securely. Assess independently.
| Dimension | Mainstream form tools | Email + PDF | Hexiosec secure collection |
|---|---|---|---|
| Encryption | In transit only | Ad hoc / none | End-to-end, on the device |
| Who can read responses | The provider, at rest | Anyone with the inbox | Only you — zero knowledge |
| Data controller liability | Yours, on their infrastructure | Yours, unmanaged | Yours, strengthened by end-to-end encryption |
| Respondent account | Sometimes | No | No |
| Branding | Limited | None | Own branded (Enterprise tier) |
| UK sovereignty | Often US-hosted | Wherever your mail is | UK, Google Cloud Platform London |
| Structured & exportable | Varies | No | Yes, with CRM or procurement export |
A questionnaire tells you what a supplier says. An external scan shows you what attackers can see.
Use both: the questionnaire for their policies, Hexiosec ASM for their actual exposure. The scan complements the questionnaire — it does not replace it.
The engineers who protect governments.
Built by ex-government and defence-intelligence engineers, Cheltenham.
- DSIT Software Security Ambassador
- NCSC ACD 2.0 (ASM)
- Cyber Essentials Plus
Entry points on both products.
Trial collection free; assess a supplier with a free scan. Each card routes to the full pricing.
Transfer · Collection
Hexiosec Transfer
- Free — Trial it — One form, ten submissions.
- Business £25/user/mo — Ten forms, unlimited submissions, branding, audit retention. The realistic tier for ongoing onboarding.
- Enterprise custom pricing — Own domain, unlimited forms, SSO, signed DPA, framework procurement.
ASM · Supplier Assessment
Hexiosec ASM
- Free scan — See a supplier's external exposure at no cost.
- Premium from £99/mo — Up to 300 assets, continuous monitoring.
- Enterprise from £1,200/mo — Larger estates; ongoing supply chain scanning.
Onboarding, answered.
How is this more secure than Microsoft Forms or Google Forms?
Those encrypt in transit, but the provider can read responses at rest. Hexiosec encrypts on the respondent's device, so no one but you can read it.
Does the client or supplier need an account?
No. They complete the form in the browser, with no sign-up.
Can I assess a supplier's security before onboarding them?
Yes. A Hexiosec ASM scan shows their external exposure, and supply chain scanning extends this across suppliers on an ongoing basis. Organisations only, not individuals.
Can I collect documents as well as data?
Yes. File upload fields collect identity and compliance documents alongside structured data.
Can I brand the onboarding form?
Yes. Own branding with your own domain on the Business tier.
Does this reduce our data controller liability?
The collected data is encrypted on the respondent's device and unreadable to us, which strengthens your data-protection position. See /transfer/compliance/. This is not legal advice.
Does supplier assessment work for onboarding individual clients?
No. You don't scan a person. For individuals, the secure collection half is what you need.
How does this help with supply chain compliance?
Assessing supplier exposure and securing the data you exchange supports the supply chain requirements in DORA, NIS2 and the incoming Resilience Bill. See /solutions/compliance/.
Is the data stored in the UK?
Yes. Google Cloud Platform, London. See /transfer/compliance/.
What encryption is used?
End-to-end and zero knowledge. See /transfer/security/.
Onboard your next client or supplier securely.
Build a secure onboarding form free in minutes. Onboarding a supplier? Run a free scan to see their exposure first. Need it tailored to your intake and due diligence process? Request a demo.