Compliance & data sovereignty
UK-sovereign. GDPR-aligned. Your data stays in the UK.
Hexiosec Transfer is built, hosted and run entirely within UK jurisdiction. Everything you process through it stays in Google Cloud’s London data centres, and our zero-knowledge architecture means even we cannot read it. For regulated organisations, that is a requirement met, not a nice-to-have.
- UK Data Residency
- GDPR & DPA 2018
- OFFICIAL-SENSITIVE Aligned
- Cyber Essentials Plus
- Crown Commercial Service
- DSIT Ambassador
All data is hosted in the UK
Everything processed through Transfer is stored in Google Cloud's London data centres, with no replication outside the UK. EU residency is available on request for specific Enterprise customers.
All data in Google Cloud's London data centres
No replication outside the UK by default. EU residency available on request for specific Enterprise customers.
Hexiosec is a UK company, with no US parent
Hexiosec Limited is UK-registered. No US parent or investor has access to your data, and the platform is not subject to the US CLOUD Act.
We can't access your data, by design
The platform is zero-knowledge: your data is encrypted before it reaches us. See the security architecture for the technical detail.
Outside the reach of US legal process
UK ownership and UK hosting together mean your data cannot be compelled by US authorities under the CLOUD Act.
What the US CLOUD Act actually means
The CLOUD Act lets US authorities compel US-based providers to hand over data they hold, wherever in the world it sits. Because Hexiosec is UK-owned and UK-hosted with no US parent, it falls entirely outside that reach. Your data is not accessible to US legal process through Hexiosec.
Regulatory framework alignment
How the platform aligns with the rules you work under.
UK GDPR & DPA 2018
Article 17 erasure through expiry controls, Chapter V cover for international transfers, and a clear lawful basis. Data minimisation built in.
OFFICIAL-SENSITIVE
Built to handle UK government OFFICIAL-SENSITIVE material, for exchange between public-sector teams and the parties they work with.
NCSC Cyber Assessment Framework (CAF)
Maps to the relevant CAF objectives for protecting sensitive data in organisations subject to the Network and Information Systems regulations.
Cyber Essentials Plus
Independently certified. The platform meets the full Cyber Essentials Plus control set, assessed and verified by an accredited certification body.
DSIT Software Security Code of Practice
Aligned with the DSIT Software Security Code of Practice. Hexiosec is one of 13 Software Security Ambassadors, alongside Cisco, Palo Alto Networks, Sage and Santander.
Compliance, sector by sector.
Public Sector
OFFICIAL-SENSITIVE handling, alignment with NCSC CAF and GovAssure, Crown Commercial Service availability, and Data Sharing Agreement support. Files handles OFFICIAL-SENSITIVE exchange; Spaces supports multi-agency case conferences and inter-authority sharing.
Legal
SRA and Lexcel expectations, and the Legal Aid Agency breach context. Spaces provides disclosure rooms and data rooms; Files delivers single packs to counsel and courts. Transfer is for external-party exchange, not internal document-management link-sharing.
Wealth & Asset Management
FCA Consumer Duty, DORA third-party risk under Article 28, PRA expectations, and CASS client-asset rules where relevant. Spaces supports capital-markets exchange; Forms handles KYC and onboarding.
Education
KCSIE safeguarding duties, DfE data protection expectations, and Jisc security alignment across colleges and universities. Forms collects admissions and safeguarding information; Files sends records to local authorities and partners.
Procurement frameworks and certifications
How providers compare on sovereignty
| Provider type | Hosting location | Parent jurisdiction | CLOUD Act exposure | Vendor data access | UK-sovereign |
|---|---|---|---|---|---|
| US-HQ SaaS | US (global regions) | United States | Yes | Vendor can access | No |
| US-acquired UK platform | UK / mixed | US parent | Yes (via parent) | Vendor can access | No |
| EU-HQ platform | EU | EU member state | Limited | Vendor can access | No |
| UK-built zero-knowledge (Hexiosec Transfer) |
UK (GCP London) | United Kingdom | No | None, not even Hexiosec | Yes |
Built by people who protect governments
Built by engineers from the UK government and defence intelligence communities. DSIT Software Security Ambassador, one of 13, alongside Cisco, Palo Alto Networks, Sage, Santander, Lloyds, NCC Group and Accenture.
Compliance, answered.
Where is my data hosted?
In Google Cloud's London data centres, with no replication outside the UK. EU residency is available on request for specific Enterprise customers.
Is Hexiosec Transfer GDPR compliant?
It is aligned with UK GDPR and the DPA 2018, including Article 17 erasure through expiry controls and Chapter V provisions for international transfers. Compliance is a shared responsibility, and the platform is built to support yours.
Can the platform handle OFFICIAL-SENSITIVE data?
Yes. It is built for handling UK government OFFICIAL-SENSITIVE material, for exchange between public-sector teams and the parties they work with.
Is Hexiosec subject to the US CLOUD Act?
No. Hexiosec is UK-owned and UK-hosted, with no US parent, so it falls outside the CLOUD Act's reach.
Is Hexiosec Cyber Essentials Plus certified?
Yes. Cyber Essentials Plus is held and independently certified by an accredited certification body.
What procurement frameworks is Hexiosec listed on?
Crown Commercial Service and JOSCAR, with Jisc CHEST availability, Cyber Essentials Plus certification, and DSIT Software Security Ambassador status.
Does the same compliance posture apply to all Transfer modules?
Yes. The architecture and compliance posture are uniform across every module — Files, Forms and Spaces — and across every tier.
Can I get a Data Processing Agreement?
Yes. A Data Processing Agreement (DPA) is available. Ask for one when you book a demo.
How does Hexiosec handle data retention and deletion?
You control retention and expiry. Data is deleted on expiry, and zero-knowledge encryption keeps it unreadable to anyone but you in the meantime.
Ready to simplify your compliance?
Try Hexiosec Transfer free, or talk to us about a demo and a Data Processing Agreement. For the technical detail, see the security architecture.