Version 4.5 August 2025, effective from October 9th 2025.
1. Definitions and Interpretation
Unless the context requires otherwise, capitalised terms used in this Security Policy have the meaning given to them in the Participation Agreement or the Digital Signing Certificate Subscriber Agreement (as the case may be) between PEXA and your organisation.
Some terms used in this Policy are defined in the ECNL, the Participation Rules or the Operating Requirements. Such terms have the meaning given to them in the ECNL, the Participation Rules or the Operating Requirements (as the case may be).
2. Purpose & Objectives of this Security Policy
This Subscriber Security Policy (Policy) outlines the security requirements with which Subscribers must ensure that they and their Users comply when using the PEXA System, in order to maintain the overall security of the PEXA System.
3. Scope of this Policy
This Policy applies to all Subscribers of the PEXA System, including the devices, credentials and Digital Certificates used when accessing and Digitally Signing documents in the PEXA System.
4. Key Subscriber Obligations
4.1 General
4.1.1 Compliance
Subscribers must comply with the security obligations outlined in this Policy and the Participation Rules. For a copy of the Participation Rules in each Active Jurisdiction refer to:
4.1.2 Systems Security
Subscribers must take all reasonable and prudent steps to:
(a) ensure that all systems and facilities used to access the PEXA System are protected by the Logical Security controls (see section 4.2) and the Physical Security controls (see section 4.3) outlined in this Policy;
(b) prevent unauthorised access, damage or interference with PEXA’s electronic systems, Electronic Workspace or the ELN by any person employed or engaged by the Subscriber, or via any systems or access points owned or controlled by the Subscriber and through which the Subscriber can connect to PEXA, an Electronic Workspace or the ELN; and
(c) ensure the integrity and confidentiality of information retrieved or received from PEXA, and information supplied to PEXA; and
(d) only download mobile signing applications from official sources (Apple App Store or Google Play Store).
Subscribers must promptly notify PEXA of any breach or suspected breach of this Policy and, to the extent permissible, of the security measures taken to address or mitigate the breach and any potential future breaches of a similar type, method or process.
4.1.3 Supported Devices
With the introduction of mobile signing, PEXA now supports full Subscriber mobility. It is possible to access the PEXA System using smartphones and tablets; however, only Subscribers enrolled in mobile signing will be able to access full PEXA functionality (e.g. digital signing functionality).
4.1.4 Loss Mitigation
Subscribers must, immediately upon becoming aware of any theft, unauthorised disclosure or improper use of credentials and Digital Certificates, or mobile devices used for accessing the PEXA System, ensure that they implement appropriate measures to mitigate any loss that may arise as a result of such theft, unauthorised disclosure or improper use, including advising the Certificate Authority or PEXA of the need to suspend the relevant User(s) or revoke the relevant Digital Certificate(s).
4.2 Requirements to access the PEXA System (Logical Security Measures)
4.2.1 PEXA Approved Digital Certificates
Subscribers must provide Users who require signing permissions in the PEXA System with Digital Certificates that comply with the Operating Requirements. Digital Certificates must not be shared between Users.
Each User must use a Digital Certificate that is individually issued and managed by the Subscriber. Certificates must not be shared.
4.2.2 Approved Technology for Storage of Digital Certificates
Digital Certificates are available in a number of forms for Subscriber convenience, including:
4.2.3 Virus Protection
Viruses (and other malware) are forms of malicious software introduced into an electronic device with the intent of causing harm to IT systems, compromising the confidentiality, integrity or availability of any related IT system or of data held on those systems.
Subscribers must take prudent and reasonable steps to provide virus protection against any unauthorised intrusions or uncontrolled access to the systems and access points of the Subscriber through which the Subscriber may access PEXA, an Electronic Workspace or the ELN (regardless of whether such access occurs by means of the Internet or some other electronic form of communication).
Subscribers must ensure that their virus protection has, at a minimum, the following attributes:
Subscribers must maintain their anti-virus software with the latest updates/definitions from their respective anti-virus provider. These updates provide the protections used to detect viruses and/or malware and prevent them from compromising your system.
Without limitation, PEXA has identified the following anti-virus and firewall software vendors who provide products that meet these criteria:
PEXA does not endorse any specific anti-virus software vendors listed in this Policy. Subscribers are responsible for ensuring their chosen solution meets the criteria outlined above. PEXA disclaims any liability arising in connection with the use of any anti-virus software used by Subscribers.
If you require further assistance in respect of virus protection, please refer to www.staysmartonline.gov.au.
4.2.4 Operating System Requirements
Subscribers are required to maintain the security of their computer systems. This includes maintaining a currently supported operating system.
Operating system manufacturers (such as Microsoft and Apple) regularly supply operating system patches and updates to repair broken functionalities, add new functionalities, or fix security vulnerabilities in software. Subscribers must take reasonable steps to install patches and operating system updates when available. Where a Subscriber does not update its operating system in a timely manner or after being notified by PEXA, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk.
4.2.5 Application Updates
Subscribers must maintain the security of their web browser, including taking reasonable steps to install updates in a reasonable timeframe when available and ensuring that the browser is supported. Where a Subscriber does not update its browser in a timely manner, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk.
Subscribers must maintain the security of their Signing Application, including taking reasonable steps to install updates in a reasonable timeframe when available and ensuring that the Application is supported. Where a Subscriber does not update its Signing Application in a timely manner, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk.
4.2.6 Secure Communication
The Subscriber acknowledges that email can be an insecure means of sharing bank account details and phishing can occur which can result in fraudulent payments. PEXA recommends that Subscribers and their clients do not communicate bank account details using email. If email is used to communicate bank account details external to the Subscriber’s organisation, Subscribers must separately verify those details by phone, in person or by using some other means.
PEXA recommends that Subscribers and their clients use PEXA Key to communicate bank account details securely.
4.3 Protecting Security Items (Physical Security Measures)
4.3.1 Protecting Access Credentials
Subscribers must ensure that they and their Users follow the requirements as set out in Section 4.7 of this Policy.
4.3.2 Protecting Digital Certificates
Subscribers must implement and enforce appropriate security measures to protect Digital Certificates. These measures must:
4.3.3 Prevent Caching of Credentials
Subscribers must ensure that their systems and applications are not configured to cache passwords, PINs or passphrases needed to access the PEXA System. PEXA may deploy software to prevent Subscribers from caching passwords, PINs and passphrases.
4.4 Training and Monitoring
4.4.1 Compliance with and Access to this Policy
Subscribers must provide a copy of this Policy to Users prior to allowing them access to the PEXA System.
Subscribers must take reasonable steps to ensure Users understand and comply with this Policy.
4.4.2 Compliance with Certificate Authority policies
Subscribers must take reasonable steps to ensure Users issued with Digital Certificates have access to, and comply with, any agreements, policies and practice statements provided by the relevant Certification Authority.
4.4.3 Monitoring
Subscribers must take reasonable steps to monitor the usage of systems and activities of Users who are accessing the PEXA System to identify unusual or suspicious activities.
4.4.4 Training Obligation
Subscribers must take reasonable steps to provide Users with the training required to enable Users to comply with this Policy, including but not limited to training that covers cyber security awareness. Cyber security awareness training must cover secure use of the ELN and secure use of email and other electronic communication.
4.4.5 PEXA Assistance to Understand Security Obligations
PEXA will assist Subscribers and Users to understand this Policy and their obligations in relation to security of the PEXA System, including the ELN, by:
4.5 Users
4.5.1 User Access
Subscribers must ensure that each authorised User accesses the ELN using their own User profile and access credentials. Subscribers must take reasonable steps to ensure that User profiles and access credentials are not shared between different Users.
4.5.2 User Management
Subscribers must perform regular checks of their User profiles and, where applicable, de-activate inactive profiles. Subscribers must regularly validate that the details relating to each of their Users are correct.
4.5.3 Compromised Access Credentials
Subscribers must immediately revoke a User’s access to the PEXA System for any suspected or confirmed compromise of the credentials which they use to access the PEXA System (“Access Credentials”).
4.5.4 Digital Certificate Compromise
The Subscriber must:
4.5.5 Re-enabling Access
Subscribers must only re-enable access to the PEXA System after taking reasonable steps to mitigate the risk of the compromise re-occurring.
In case of a Digital Certificate compromise, access to the PEXA System must only be re-enabled after receiving confirmation from the Certification Authority that the affected Digital Certificate has been revoked.
4.6 Revoking Authorisation
4.6.1 Access to the PEXA System
When a Subscriber no longer requires a User to access the PEXA System at all, or in a particular capacity (e.g. Signers and Administrators), then the Subscriber must promptly update the User’s access privileges accordingly.
Subscribers must regularly (and in any event, at least annually) review access privileges granted to Users. These access privileges must be promptly updated if they are no longer accurate.
4.7 Subscriber Obligations
Subscribers must comply, and must take reasonable steps to ensure that Users comply, with the following requirements:
4.7.1 Protecting Passwords
Subscribers must make, and take reasonable steps to ensure Users make, passwords as strong as possible. Passwords used to access the PEXA System must be at least eight characters long and must contain characters from all 4 of the following categories: upper case letters [A-Z], lower case letters [a-z], numbers [0-9] and special characters [e.g. @#$%]. User names or personal details must not be used in passwords.
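As an added example (not part of this Policy or of PEXA's software), the rule above expressed as a pre-enrolment password check in Python. Treating any non-alphanumeric, non-whitespace character as "special", and treating a personal detail as "used" when it appears as a case-insensitive substring of at least three characters, are assumptions, since the Policy gives only examples.

```python
import re
from typing import Iterable, List

# Rule as stated in section 4.7.1: at least eight characters, all four
# character categories present, and no user name or personal details.
MIN_LENGTH = 8

# Assumption: "@#$%" are given only as examples, so any printable character
# that is neither a letter nor a digit (and not whitespace) counts as special.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9\s]"),
}


def check_password(password: str, personal_details: Iterable[str] = ()) -> List[str]:
    """Return the list of 4.7.1 violations; an empty list means the password complies.

    personal_details is the caller-supplied user name plus any other details
    (names, year of birth, ...) that must not appear in the password.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CATEGORIES.items():
        if not pattern.search(password):
            failures.append(f"no {name} character")
    lowered = password.lower()
    for detail in personal_details:
        # Assumption: a detail is "used" if it appears anywhere in the password,
        # ignoring case. Details shorter than three characters are skipped so a
        # single initial cannot reject every password containing that letter.
        d = detail.strip().lower()
        if len(d) >= 3 and d in lowered:
            failures.append(f"contains personal detail {detail!r}")
    return failures


def is_compliant(password: str, personal_details: Iterable[str] = ()) -> bool:
    return not check_password(password, personal_details)


if __name__ == "__main__":
    # Constructed sample values for illustration, not real credentials.
    details = ["jsmith", "John", "Smith", "1984"]
    for pw in ["Summer2025!", "jsmith#2025Xy", "abcdefgh", "Ab1!"]:
        print(pw, "->", check_password(pw, details) or "compliant")
```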
Subscribers must ensure that passwords, PINs and passphrases used in the PEXA System by Users are:
4.7.2 Reporting Non-compliance
Subscribers must take reasonable steps to ensure that Users promptly report all suspected or actual breaches of this Policy to the Subscriber.
5. Secure Authentication
All Users are required to use multi-factor authentication (MFA) to access the PEXA System or perform certain actions within it.
PEXA reserves the right to determine the method and frequency of MFA, which may change from time to time. PEXA may grant an exemption to the MFA requirement where Subscribers are unable to perform MFA.
Any exemption to the MFA requirement will be assessed on a case-by-case basis and will be reviewed annually. As a condition of an exemption to the MFA requirement, PEXA will require Subscribers to enter into IP whitelisting arrangements with PEXA as a secondary form of authentication.
6. Reporting Obligations
Subscribers must, immediately upon becoming aware, notify PEXA of any breach of this Policy that may affect the PEXA System or the integrity or security of the ELN.
7. Ongoing Review of this Policy
This Policy may be reviewed and amended by PEXA as required from time to time in accordance with the change management provisions contained in the Participation Agreement.