Platform Security

True end-to-end encryption. Even we can't read your data.

Everything on Hexiosec Transfer is encrypted on your device before it reaches our servers. We built the platform so we can never read what you share. Not by choice. By design.

The Problem

Most encryption stops at the server. Yours shouldn’t.

Plenty of platforms encrypt your data in transit with TLS, then decrypt it the moment it lands. From there on, the vendor can read everything you store or exchange.

One breach, one subpoena, one rogue employee

If that vendor is breached, served a court order, or compromised from the inside, your data is exposed. That isn’t hypothetical — it’s an architectural reality.

US jurisdiction is a risk in itself

Platforms under US jurisdiction carry added exposure. Your data can be reached by US legal process even when you are a UK organisation on UK soil.

And most exposure is mundane, not cinematic

It is rarely an elaborate hack. It is a file sent to the wrong person, an inbox left open, a provider who could always read the data anyway. Encryption that stops at the server does nothing for any of it.

Zero-knowledge architecture: encrypted before it leaves your device.

Your data is encrypted on your device with a key only you hold. That key is shared only with the person or party you choose. Hexiosec never holds it, so Hexiosec can never read your data.

Your device

Data is encrypted here with your key. AES-256, client-side.

In transit

Only ciphertext travels, protected again over TLS 1.3.

Hexiosec servers

Stored as ciphertext. We never hold the key, so we can't read it.

Recipient or authorised party

Decrypted with the key. Readable only here.

Under the hood

AES-256, client-side

Your data is encrypted in the browser before it ever uploads.

TLS 1.3 in transit

Ciphertext is protected again while it moves across the network.

Keys in your control

A key-exchange mechanism means we never hold your keys.

Zero-knowledge servers

Our servers store unreadable ciphertext and nothing else.

The same architecture runs across the whole platform. Whether you send with Files, collect with Forms, share in a Space or message with Email, the encryption model is identical.

  • Even we can't read it.
  • Keys never leave your control.
  • No mandatory recipient account.
  • Built this way from day one.

What zero-knowledge encryption actually means for you

If Hexiosec is breached, your data is still safe

We never held the keys, so there’s nothing readable to take.

No court order can hand over readable data

We can’t decrypt what you share. That is an architectural fact, not a policy we could quietly change.

Your compliance position is stronger

The encryption is evidenceable and auditable. See the compliance page →

Anyone can take part, with no friction

Recipients, respondents and collaborators need no Hexiosec account.

What true end-to-end encryption is — and what it is not.

Encryption approach Who can read your data If the vendor is breached Jurisdiction risk
Encryption in transit only (TLS) The vendor, readable at rest Your data is exposed Depends on hosting
At rest + in transit (vendor holds keys) The vendor, they hold the keys Exposed if keys are compromised Depends on hosting
True end-to-end / zero-knowledge
(Hexiosec Transfer)
Only you and your authorised party Nothing readable to take UK-hosted, UK-sovereign
Considering a switch from your current provider?
See how Hexiosec Transfer compares →
Why believe us

Proof not promises

We work with clients where the security of data is paramount - Hexiosec Transfer has transformed how we handle sensitive information and move documents and information between our clients.

Professor John Parkinson OBE

Executive Director · Crown Integrated Services Ltd

Trusted by UK Government · NCSC reference · DSIT Software Security Ambassador (one of 13, alongside Cisco, Palo Alto Networks, Sage, Santander, Lloyds, NCC Group, Accenture)

Built by engineers from the UK government and defence intelligence communities, in Cheltenham.

FAQ

Data rooms, answered.

What does “zero-knowledge” mean?

It means we have zero knowledge of your data. It is encrypted with a key we never hold, so we can’t read it, even if we wanted to.

Can Hexiosec read my data?

No. It is encrypted on your device before it reaches us, and we never hold the key.

What encryption standards does the platform use?

AES-256 for client-side encryption, and TLS 1.3 in transit.

Where is my data hosted?

In the UK, on Google Cloud in London, and not subject to the US CLOUD Act. See the compliance page.

Does the other party need a Hexiosec account?

No. Recipients, respondents and collaborators can take part without one.

Is the platform OFFICIAL-SENSITIVE aligned?

The platform is built for OFFICIAL-SENSITIVE handling. See the compliance page.

Does the same encryption apply to Files, Forms and Spaces?

Yes. The zero-knowledge architecture is identical across every module.

How does this compare to standard email encryption?

Standard email encryption protects a message in transit, but the provider can still read it. Zero-knowledge means only you and your authorised party ever can.

Open a secure data room in minutes.

Trial a room free to see how it works. Run small deals on Business, substantial or recurring deals on Enterprise. Need it walked through against a live deal? Request a demo.