Compliance & data sovereignty

UK-sovereign. GDPR-aligned. Your data stays in the UK.

Hexiosec Transfer is built, hosted and run entirely within UK jurisdiction. Everything you process through it stays in Google Cloud’s London data centres, and our zero-knowledge architecture means even we cannot read it. For regulated organisations, that is a requirement met, not a nice-to-have.

  • UK Data Residency
  • GDPR & DPA 2018
  • OFFICIAL-SENSITIVE Aligned
  • Cyber Essentials Plus
  • Crown Commercial Service
  • DSIT Ambassador

All data is hosted in the UK

Everything processed through Transfer is stored in Google Cloud's London data centres, with no replication outside the UK. EU residency is available on request for specific Enterprise customers.

All data in Google Cloud's London data centres

No replication outside the UK by default. EU residency available on request for specific Enterprise customers.

Hexiosec is a UK company, with no US parent

Hexiosec Limited is UK-registered. No US parent or investor has access to your data, and the platform is not subject to the US CLOUD Act.

We can't access your data, by design

The platform is zero-knowledge: your data is encrypted before it reaches us. See the security architecture for the technical detail.

Outside the reach of US legal process

UK ownership and UK hosting together mean your data cannot be compelled by US authorities under the CLOUD Act.

What the US CLOUD Act actually means

The CLOUD Act lets US authorities compel US-based providers to hand over data they hold, wherever in the world it sits. Because Hexiosec is UK-owned and UK-hosted with no US parent, it falls entirely outside that reach. Your data is not accessible to US legal process through Hexiosec.

Frameworks

Regulatory framework alignment

How the platform aligns with the rules you work under.

UK GDPR & DPA 2018

Article 17 erasure through expiry controls, Chapter V cover for international transfers, and a clear lawful basis. Data minimisation built in.

OFFICIAL-SENSITIVE

Built to handle UK government OFFICIAL-SENSITIVE material, for exchange between public-sector teams and the parties they work with.

NCSC Cyber Assessment Framework (CAF)

Maps to the relevant CAF objectives for protecting sensitive data in organisations subject to the Network and Information Systems regulations.

Cyber Essentials Plus

Independently certified. The platform meets the full Cyber Essentials Plus control set, assessed and verified by an accredited certification body.

DSIT Software Security Code of Practice

Aligned with the DSIT Software Security Code of Practice. Hexiosec is one of 13 Software Security Ambassadors, alongside Cisco, Palo Alto Networks, Sage and Santander.

By Sector

Compliance, sector by sector.

Public Sector

OFFICIAL-SENSITIVE handling, alignment with NCSC CAF and GovAssure, Crown Commercial Service availability, and Data Sharing Agreement support. Files handles OFFICIAL-SENSITIVE exchange; Spaces supports multi-agency case conferences and inter-authority sharing.

Legal

SRA and Lexcel expectations, and the Legal Aid Agency breach context. Spaces provides disclosure rooms and data rooms; Files delivers single packs to counsel and courts. Transfer is for external-party exchange, not internal document-management link-sharing.

Wealth & Asset Management

FCA Consumer Duty, DORA third-party risk under Article 28, PRA expectations, and CASS client-asset rules where relevant. Spaces supports capital-markets exchange; Forms handles KYC and onboarding.

Education

KCSIE safeguarding duties, DfE data protection expectations, and Jisc security alignment across colleges and universities. Forms collects admissions and safeguarding information; Files sends records to local authorities and partners.

Procurement

Procurement frameworks and certifications

Crown Commercial Service
JOSCAR registered
DSIT Software Security Ambassador
Cyber Essentials Plus
Jisc
Jurisdiction

How providers compare on sovereignty

Provider type Hosting location Parent jurisdiction CLOUD Act exposure Vendor data access UK-sovereign
US-HQ SaaS US (global regions) United States Yes Vendor can access No
US-acquired UK platform UK / mixed US parent Yes (via parent) Vendor can access No
EU-HQ platform EU EU member state Limited Vendor can access No
UK-built zero-knowledge
(Hexiosec Transfer)
UK (GCP London) United Kingdom No None, not even Hexiosec Yes
Switching from a US-owned provider?
See the detailed comparison →
Trusted in Government

Built by people who protect governments

Built by engineers from the UK government and defence intelligence communities. DSIT Software Security Ambassador, one of 13, alongside Cisco, Palo Alto Networks, Sage, Santander, Lloyds, NCC Group and Accenture.

FAQ

Compliance, answered.

Where is my data hosted?

In Google Cloud's London data centres, with no replication outside the UK. EU residency is available on request for specific Enterprise customers.

Is Hexiosec Transfer GDPR compliant?

It is aligned with UK GDPR and the DPA 2018, including Article 17 erasure through expiry controls and Chapter V provisions for international transfers. Compliance is a shared responsibility, and the platform is built to support yours.

Can the platform handle OFFICIAL-SENSITIVE data?

Yes. It is built for handling UK government OFFICIAL-SENSITIVE material, for exchange between public-sector teams and the parties they work with.

Is Hexiosec subject to the US CLOUD Act?

No. Hexiosec is UK-owned and UK-hosted, with no US parent, so it falls outside the CLOUD Act's reach.

Is Hexiosec Cyber Essentials Plus certified?

Yes. Cyber Essentials Plus is held and independently certified by an accredited certification body.

What procurement frameworks is Hexiosec listed on?

Crown Commercial Service and JOSCAR, with Jisc CHEST availability, Cyber Essentials Plus certification, and DSIT Software Security Ambassador status.

Does the same compliance posture apply to all Transfer modules?

Yes. The architecture and compliance posture are uniform across every module — Files, Forms and Spaces — and across every tier.

Can I get a Data Processing Agreement?

Yes. A Data Processing Agreement (DPA) is available. Ask for one when you book a demo.

How does Hexiosec handle data retention and deletion?

You control retention and expiry. Data is deleted on expiry, and zero-knowledge encryption keeps it unreadable to anyone but you in the meantime.

Ready to simplify your compliance?

Try Hexiosec Transfer free, or talk to us about a demo and a Data Processing Agreement. For the technical detail, see the security architecture.