Platform Security
True end-to-end encryption. Even we can't read your data.
Everything on Hexiosec Transfer is encrypted on your device before it reaches our servers. We built the platform so we can never read what you share. Not by choice. By design.
Most encryption stops at the server. Yours shouldn’t.
Plenty of platforms encrypt your data in transit with TLS, then decrypt it the moment it lands. From there on, the vendor can read everything you store or exchange.
One breach, one subpoena, one rogue employee
If that vendor is breached, served a court order, or compromised from the inside, your data is exposed. That isn’t hypothetical — it’s an architectural reality.
US jurisdiction is a risk in itself
Platforms under US jurisdiction carry added exposure. Your data can be reached by US legal process even when you are a UK organisation on UK soil.
And most exposure is mundane, not cinematic
It is rarely an elaborate hack. It is a file sent to the wrong person, an inbox left open, a provider who could always read the data anyway. Encryption that stops at the server does nothing for any of it.
Zero-knowledge architecture: encrypted before it leaves your device.
Your data is encrypted on your device with a key only you hold. That key is shared only with the person or party you choose. Hexiosec never holds it, so Hexiosec can never read your data.
Your device
Data is encrypted here with your key. AES-256, client-side.
In transit
Only ciphertext travels, protected again over TLS 1.3.
Hexiosec servers
Stored as ciphertext. We never hold the key, so we can't read it.
Recipient or authorised party
Decrypted with the key. Readable only here.
AES-256, client-side
Your data is encrypted in the browser before it ever uploads.
TLS 1.3 in transit
Ciphertext is protected again while it moves across the network.
Keys in your control
A key-exchange mechanism means we never hold your keys.
Zero-knowledge servers
Our servers store unreadable ciphertext and nothing else.
The same architecture runs across the whole platform. Whether you send with Files, collect with Forms, share in a Space or message with Email, the encryption model is identical.
- Even we can't read it.
- Keys never leave your control.
- No mandatory recipient account.
- Built this way from day one.
What zero-knowledge encryption actually means for you
If Hexiosec is breached, your data is still safe
We never held the keys, so there’s nothing readable to take.
No court order can hand over readable data
We can’t decrypt what you share. That is an architectural fact, not a policy we could quietly change.
Your compliance position is stronger
The encryption is evidenceable and auditable. See the compliance page →
Anyone can take part, with no friction
Recipients, respondents and collaborators need no Hexiosec account.
What true end-to-end encryption is — and what it is not.
| Encryption approach | Who can read your data | If the vendor is breached | Jurisdiction risk |
|---|---|---|---|
| Encryption in transit only (TLS) | The vendor, readable at rest | Your data is exposed | Depends on hosting |
| At rest + in transit (vendor holds keys) | The vendor, they hold the keys | Exposed if keys are compromised | Depends on hosting |
| True end-to-end / zero-knowledge (Hexiosec Transfer) |
Only you and your authorised party | Nothing readable to take | UK-hosted, UK-sovereign |
Proof not promises
We work with clients where the security of data is paramount - Hexiosec Transfer has transformed how we handle sensitive information and move documents and information between our clients.
Trusted by UK Government · NCSC reference · DSIT Software Security Ambassador (one of 13, alongside Cisco, Palo Alto Networks, Sage, Santander, Lloyds, NCC Group, Accenture)
Built by engineers from the UK government and defence intelligence communities, in Cheltenham.
Data rooms, answered.
What does “zero-knowledge” mean?
It means we have zero knowledge of your data. It is encrypted with a key we never hold, so we can’t read it, even if we wanted to.
Can Hexiosec read my data?
No. It is encrypted on your device before it reaches us, and we never hold the key.
What encryption standards does the platform use?
AES-256 for client-side encryption, and TLS 1.3 in transit.
Where is my data hosted?
In the UK, on Google Cloud in London, and not subject to the US CLOUD Act. See the compliance page.
Does the other party need a Hexiosec account?
No. Recipients, respondents and collaborators can take part without one.
Is the platform OFFICIAL-SENSITIVE aligned?
The platform is built for OFFICIAL-SENSITIVE handling. See the compliance page.
Does the same encryption apply to Files, Forms and Spaces?
Yes. The zero-knowledge architecture is identical across every module.
How does this compare to standard email encryption?
Standard email encryption protects a message in transit, but the provider can still read it. Zero-knowledge means only you and your authorised party ever can.
Open a secure data room in minutes.
Trial a room free to see how it works. Run small deals on Business, substantial or recurring deals on Enterprise. Need it walked through against a live deal? Request a demo.