HEXASEC
Security

How HexaSec thinks about, builds and operates security.

Document HXS-LEGAL-SEC · Effective 21 May 2026 · Status Live
Contents
  1. Product philosophy
  2. Secure development for our products
  3. Security controls for this website
  4. Dependencies & vulnerability management
  5. Data collection on the marketing site
  6. Reporting a security issue
  7. Scope & non-disclosure

— 01 Product philosophy

HexaSec is built around two principles: local-first deployment and evidence-led assurance. We design products that customers can run inside their own environments, produce inspectable artefacts and defend under audit — rather than tools that require shipping sensitive data to vendor-controlled SaaS.

That posture extends to the marketing site you are reading now: we collect as little as possible, keep what we do collect minimal, and treat the website itself as in-scope for the same secure engineering practices we apply to product work.

— 02 Secure development for our products

Across HexaSec's product work — currently the AI Assurance Gate — we aim to:

  • Treat security as a design requirement from the outset, not a final-pass concern.
  • Default to controlled execution, deterministic checks and policy-as-code over opaque scoring.
  • Produce evidence bundles that customers can independently verify.
  • Use the principle of least privilege for any integration points we introduce.
  • Document threat models and assumptions in the artefacts our products generate.

— 03 Security controls for this website

The HexaSec website is intentionally simple — mostly static content with a single contact form. Hosted-environment controls include:

  • TLS in transit, enforced for all traffic.
  • HTTP security headers (CSP, HSTS, frame and referrer controls) tuned for a static marketing site.
  • Provider-managed DDoS mitigation and edge-level rate limiting.
  • No public administrative interfaces exposed from the marketing site.

Specific provider details and hardening configurations are not published here by design.

— 04 Dependencies & vulnerability management

For both the marketing site and product work, we:

  • Pin third-party dependencies and review them before introduction.
  • Run automated dependency vulnerability scanning on a regular cadence.
  • Triage findings against actual exposure, not raw CVSS scores.
  • Patch critical issues promptly; track lower-severity issues with explicit ownership.

— 05 Data collection on the marketing site

The marketing site does not run product workloads, does not connect to customer environments and does not process customer data. The only personal data routinely collected is what you choose to share through the contact form or by direct email. See our privacy notice for detail.

— 06 Reporting a security issue

If you believe you have found a security issue affecting HexaSec's website or any HexaSec-owned system, please email info@hexasec.co.uk. See our responsible disclosure policy for guidance on what to include and what is in and out of scope.

— 07 Scope & non-disclosure

For operational security reasons, we do not publicly disclose detailed internal security architecture, third-party vendor names, infrastructure topology or specific configurations. Customers and partners under appropriate agreements may request additional information through the contact channel above.

© 2026 HEXASEC LTD — REGISTERED IN ENGLAND & WALES
Company number: 16225807  ·  Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ