Solutions
AML
Support
Corporate
PEXA Blog

Location

Join
Sign In

Subscriber Security Policy

PEXA Subscriber Security Policy

Version 4.5 August 2025, effective from October 9th 2025.

1. Definitions and Interpretation

Unless the context requires otherwise, capitalised terms used in this Security Policy have the meaning given to them in the Participation Agreement or the Digital Signing Certificate Subscriber Agreement (as the case may be) between PEXA and your organisation.

Some terms used in this Policy that are defined in the ECNL, the Participation Rules or the Operating Requirements.  Such terms will have the meaning given to them in the ECNL, the Participation Rules or the Operating Requirements (as the case may be).

2. Purpose & Objectives of this Security Policy

This Subscriber Security Policy (Policy) outlines the security requirements that Subscribers must ensure that they and their Users adhere to when using the PEXA System in order to maintain the overall security of the PEXA System.

3. Scope of this Policy

This Policy applies to all Subscribers of the PEXA System, including the devices, credentials and Digital Certificates used when accessing and Digitally Signing documents in the PEXA System.

4. Key Subscriber Obligations

4.1 General 

4.1.1 Compliance  

Subscribers must comply with the security obligations outlined in this Policy and the Participation Rules. For a copy of the Participation Rules in each Active Jurisdiction refer to: 

  • Victoria (VIC)
  • New South Wale  (NSW) 
  • Queensland (QLD)
  • Western Australia (WA)
  • South Australia (SA)
  • Australian Capital Territory (ACT)
  • Tasmania (TAS)

4.1.2 Systems Security 

Subscribers must take all reasonable and prudent steps to: 

(a) ensure that all systems and facilities used to access the PEXA System are protected by the Logical Security controls (see section 4.2) and the Physical Security controls (see section 4.3) outlined in  this Policy; 

(b) prevent unauthorised access, damage or interference with PEXA’s electronic systems, Electronic Workspace or the ELN by any person employed or engaged by the Subscriber, or via any systems or access points owned or controlled by the Subscriber and through which the Subscriber can connect to PEXA, an Electronic Workspace or the ELN; and 

(c) ensure the integrity and confidentiality of information retrieved or received from PEXA, and information supplied to PEXA; and 

(d) Only download mobile signing applications from official sources (Apple App Store or Google Play Store). 

 Subscribers must, promptly, notify PEXA of any breach or suspected breach of this Policy and, to the extent permissible, of the security measures taken to address or mitigate the breach and any potential future breaches of a similar type, method or process.  

4.1.3 Supported Devices 

With the introduction of mobile signing, PEXA now supports full Subscriber mobility. It is possible to access the PEXA System using smartphones and tablets, however only Subscribers enrolled in mobile signing will be able to access full PEXA functionality (e.g. digital signing functionality). 

4.1.4 Loss Mitigation 

Subscribers must, immediately upon becoming aware of any theft, unauthorised disclosure or improper use of credentials and Digital Certificates, or mobile devices used for accessing the PEXA System, ensure that they implement appropriate measures to mitigate any loss that may arise as a result of such theft, unauthorised disclosure or improper use, including advising the Certificate Authority or PEXA of the need to suspend the relevant User(s) or revoke the relevant Digital Certificate(s). 

4.2 Requirements to access the PEXA System (Logical Security Measures) 

4.2.1 PEXA Approved Digital Certificates

Subscribers must provide Users who require signing permissions in the PEXA System with Digital Certificates that comply with the Operating Requirements. Digital Certificates must not be shared between Users.

Each user must use a Digital Certificate that is  individually issued and managed by the Subscriber. Certificates must not be shared.

4.2.2 Approved Technology for Storage of Digital Certificates  

Digital Certificates are available in a number of forms for Subscriber convenience, including: 

  • on mobile (Mobile Signing); or
  • whilst Hardware Tokens are available for use by Subscribers, on a secure USB token (Hardware Token); or
  • a Digital Certificate obtained from a Gatekeeper accredited provider, such as Digicert.  Where a Digicert Digital Certificate is obtained by a Subscriber, it must be stored in a manner which complies with the issuer’s (e.g. Digicert’s) requirements for storage of that Digital Certificate,

4.2.3 Virus Protection 

Viruses (and Malware) are forms of malicious software introduced into an electronic device with the malicious intent of causing harm to the IT systems to compromise the confidentiality, integrity or availability of any related IT system or data held on these systems.  

Subscribers must take prudent and reasonable steps to provide virus protection against any unauthorised intrusions or uncontrolled access to the systems and access points of the Subscriber through which the Subscriber may access PEXA, an Electronic Workspace or the ELN (regardless of whether such access occurs by means of the Internet or some other electronic form of communication). 

Subscribers must ensure that its virus protection must have, at a minimum, the following attributes: 

  • the ability to identify and remove viruses; 
  • the ability to identify and remove other types of harmful computer software, generally referred to as malware (or malicious software); 
  • the ability to automatically receive anti-Virus updates from the relevant anti-Virus software vendors; and 
  • the ability to automatically scan for viruses and malware in documents on servers and workstations. 
  • Subscribers must ensure that the anti-Virus software in use meets the criteria set out above. 

Subscribers must maintain their anti-virus software with the latest updates /definitions from their respective antivirus provider. These updates provide protections which are used to determine viruses and/or malware and prevent them from compromising your system.

Without limitation, PEXA has identified the following anti-Virus and firewall software vendors who provide products that meet these criteria: 

  • Symantec; 
  • McAfee; 
  • Trend Micro; 
  • Kaspersky Lab; and 
  • Sophos 
  • Microsoft Defender 

PEXA does not endorse any specific anti-virus software vendors listed in this Policy. Subscribers are responsible for ensuring  their chosen solution meets the criteria outlined above. PEXA disclaims any liability arising in connection with the use of any anti-Virus software used by Subscribers. 

If you require further assistance in respect of virus protection please refer to www.staysmartonline.gov.au 

4.2.4 Operating System Requirements 

Subscribers are required to maintain the security of their computer systems. This includes maintaining a currently supported operating system. 

Operating system manufacturers (such as Microsoft and Apple) regularly supply operating system patches and updates to repair broken functionalities, add new functionalities, or fix security vulnerabilities in software. Subscribers must take reasonable steps to install patches and operating system updates when available. Where a Subscriber does not update its operating system in a timely manner or after being notified by PEXA, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk. 

4.2.5 Application Updates 

Subscribers must maintain the security of their web browser, including taking reasonable steps to install updates in a reasonable timeframe when available and ensuring that the browser is supported. Where a Subscriber does not update its browser in a timely manner, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk. 

Subscribers must maintain the security of their Signing Application, including taking reasonable steps to install updates in a reasonable timeframe when available and ensuring that the Application is supported. Where a Subscriber does not update its Signing Application in a timely manner, PEXA may suspend the Subscriber’s access to the PEXA System unless satisfied that measures have been implemented to mitigate the security risk. 

4.2.6 Secure Communication 

The Subscriber acknowledges that email can be an insecure means of sharing bank account details and phishing can occur which can result in fraudulent payments. PEXA recommends that Subscribers and their clients do not communicate bank account details using email. If email is used to communicate bank account details external to the Subscriber’s organisation, Subscribers must separately verify those details by phone, in person or by using some other means. 

PEXA recommends that Subscribers and their clients use PEXA Key to communicate bank account details securely 

4.3 Protecting Security Items (Physical Security Measures) 

4.3.1 Protecting Access Credentials 

Subscribers must ensure that they and their Users follow the requirements as set out in Section 4.7 of this Policy. 

4.3.2 Protecting Digital Certificates 

Subscribers must implement and enforce appropriate security measures to protect Digital Certificates. These measures must: 

  • restrict Users from storing Digital Certificates in places that may be accessed by unauthorised persons.  This includes protecting the devices containing the certificates, mobile devices, (hard tokens, whilst hard tokens are available for use by /Subscribers),or certificates obtained from Gatekeeper accredited providers, such as Digicert; 
  • ensure both the mobile device and the mobile signing application are protected by different PINs; 
  • ensure User’s Mobile Devices are locked while not in use; 
  • ensure Users protect mobile devices from unauthorised use or access; 
  • whilst Hardware Tokens are available for use by Subscribers:
  • ensure Hardware Tokens are protected from unauthorised use or access;
  • ensure Hardware Token are protected by a PIN or passphrase; and 
  • ensure that Users disconnect any Hardware Token from their computer when the User is no longer accessing the PEXA System.        

4.3.3 Prevent Caching of Credentials 

Subscribers must ensure that their systems and applications are not configured to cache passwords, PINs or passphrases needed to access the PEXA System. PEXA may deploy software to prevent Subscribers from caching passwords, PINs and passphrases. 

4.4 Training and Monitoring 

4.4.1 Compliance with and Access to this Policy 

Subscribers must provide a copy of this Policy to Users prior to allowing them access to the PEXA System. 

Subscribers must take reasonable steps to ensure Users understand and comply with this Policy. 

4.4.2 Compliance with Certificate Authority policies 

Subscribers must take reasonable steps to ensure Users issued with Digital Certificates have access to, and comply with, any agreements, policies and practice statements provided by the relevant Certification Authority. 

4.4.3 Monitoring 

Subscribers must take reasonable steps to monitor the usage of systems and activities of Users who are accessing the PEXA System to identify unusual or suspicious activities. 

4.4.4 Training Obligation 

Subscribers must take reasonable steps to provide Users with the training required to enable Users to comply with this Policy, including but not limited to training that covers cyber security awareness. Cyber security awareness training must cover secure use of the ELN and secure use of email and other electronic communication. 

4.4.5 PEXA Assistance to Understand Security Obligations 

PEXA will assist Subscribers and Users to understand this Policy and their obligations in relation to security of the PEXA System, including the ELN, by: 

  • making training resources and information available that cover topics (including but not limited to) secure use of the ELN and secure use of email and other electronic communications, which will 
  • be made available on the PEXA Community and other channels as determined by PEXA; 
  • delivering awareness webinars annually; and 
  • delivery of an annual cyber security awareness newsletter to all PEXA Subscribers and Users. 

4.5 Users 

4.5.1 User Access 

Subscribers must ensure that each authorised User accesses the ELN using their own User profile and access credentials. Subscribers must take reasonable steps to ensure that User profiles and access credentials are not shared between different Users. 

4.5.2 User Management 

Subscribers must perform regular checks of its User profiles and, where applicable, de-activate inactive profiles. Subscribers must regularly validate that details relating to each of its Users are correct. 

4.5.3 Compromised Access Credentials 

Subscribers must immediately revoke a User’s access to the PEXA System for any suspected or confirmed compromise of the credentials which they use to access the PEXA System (“Access Credentials”). 

4.5.4 Digital Certificate Compromise 

The Subscriber must: 

  • promptly revoke a User’s access to the PEXA System for any suspected or confirmed compromise of a Digital Certificate; 
  • immediately check all Electronic Workspaces in which the Digital Certificate has been used to Digitally Sign any Workspace items that require signature, including (without limitation) any and all electronic documents, Financial Settlement Schedules or any Line Items, and unsign them in accordance with Participation Rule 7.9.2; and 
  • promptly notify the Certification Authority and revoke or cancel the relevant Digital Certificate (including doing everything reasonably necessary to cause the Certification Authority to revoke or cancel it).

4.5.5 Re-enabling Access 

Subscribers must only re-enable access to the PEXA System after taking reasonable steps to mitigate the risk of the compromise re-occurring. 

In case of a Digital Certificate compromise, access to the PEXA System must only be re-enabled after receiving confirmation from the Certification Authority that the affected Digital Certificate has been revoked. 

4.6 Revoking Authorisation 

4.6.1 Access to the PEXA System 

When a Subscriber no longer requires a User to access the PEXA System at all, or in a particular capacity (e.g. Signers and Administrators), then the Subscriber must promptly update the User’s access privileges accordingly. 

Subscribers must regularly (and in any event, at least annually) review access privileges granted to Users. These access privileges must be promptly updated if they are no longer accurate. 

4.7 Subscriber Obligations

Subscribers must comply, and must take reasonable steps to ensure that Users comply, with the following requirements: 

4.7.1 Protecting Passwords 

Subscribers must make, and take reasonable steps to ensure Users make, passwords as strong as possible. Passwords used to access the PEXA System must be at least eight characters long and must contain a combination of all 4 of the following categories: upper case [A-Z] letters, lower case letters [a-z] numbers [0-9] and special characters [e.g. @#$%]. User name or personal details must not be used in passwords. 

Subscribers must ensure that passwords, PINs and passphrases used in the PEXA System by Users are: 

  • not disclosed to anyone, including a colleague, supervisor, family member or friend; 
  • not disclosed to anyone whilst being entered into electronic equipment or systems; 
  • immediately changed if the Subscriber or the User becomes aware that a particular password, PIN or passphrase has become known or used by someone else; 
  • comprise a minimum 6 digits or characters for Digital Certificates;
  • not be closely associated with the User’s identity such that it may be easily guessed by others. This means avoiding the use of the User’s date of birth, name, phone numbers or similar items as passwords, passphrases or PINs; and be different from other existing Access Credentials.

4.7.2 Reporting Non-compliance 

Subscribers must take reasonable steps to ensure that Users promptly report all suspected or actual breaches of this Policy to the Subscriber.

5. Secure Authentication

All Users are required to use multi-factor authentication (MFA) to access the PEXA System or perform certain actions within it.             

PEXA reserves the right to determine the method and frequency of MFA, which may change from time to time. PEXA may grant an exemption to the MFA requirement where Subscribers are unable to perform MFA.          

Any exemption to the MFA requirement will be assessed on a case by case basis and will be reviewed annually. As a condition of an exemption to the MFA requirement PEXA will require Subscribers to enter into IP white listing arrangements with PEXA as a secondary form of authentication. 

6. Reporting Obligations

Subscribers must, immediately upon becoming aware, notify PEXA of any breach of this Policy that may affect the PEXA System or the integrity or security of the ELN.

7. Ongoing Review of this Policy

This Policy may be reviewed and amended by PEXA as required from time to time in accordance with the change management provisions contained in the Participation Agreement. 

 

 

 

 

Product Suite
PEXA Exchange
PEXA Key
PEXA Projects
PEXA Planner
PEXA Tracker
Value Australia
.id (informed decisions)
API Integration
Solutions for
Lawyers & Conveyancers
Financial Institutions
Government
Property Developers
Practice Management Software Providers
Buyers & Sellers
AML
AML for Practitioners
Blog
Support
Overview
Pricing
System Status
Help Centre
Compliance Hub
Mobile Signing
Security
Digital Signing Software
Corporate
About PEXA
Management Team
Board of Directors
ESG
Careers
Investor Centre
Contact Us
Australia Map

In the spirit of reconciliation PEXA acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander people today.

Pexa
© Property Exchange Australia Ltd. ABN 92 140 677 792.
Terms
Privacy Policy
We use cookies to improve your experience. You consent to the use of our cookies if you proceed. Visit our Privacy policy for more information.
OK