Skip to Main Content

Authentication Policy

Policy updated: May 2026
Version: 2.0
 

1. Overview

This policy sets out the authentication requirements for Single Sign-On (SSO) as referenced in either:

(i) the Data & Technology Terms for Lenders (as referenced in PEXA Standard Terms and Conditions (UK) for Lenders; and

(ii) and Data & Technology Terms for Law Firms & Conveyancers (as referenced in the PEXA Standard Terms and Conditions (UK) for Law Firms & Conveyancers) and each  r Subscriber.

PEXA” is the trading name of Digital Completion UK Ltd.  Smoove Limited is a holding company which comprises the following wholly owned trading subsidiary companies: United Legal Services Limited, Legal-Eye Limited, and Amity Law Limited (Smoove Limited and its Subsidiaries, hereinafter “Smoove”). 

PEXA, Smoove, and Optima Legal Services Limited (“Optima Legal“) are all owned directly by DigCom UK Holdings Limited, which is a wholly owned Subsidiary of PEXA Group Limited in Australia (ACN 140 677 792; ASX: PXA). 

PEXA Group Limited and its wholly owned Subsidiaries, including Property Exchange Australia Limited, are hereinafter referred to as “PEXA Australia”.

For the purposes of this Policy, PEXA, Smoove and Optima Legal comprise the “UK PEXA Group”.  In this Policy, where relevant, we refer to the UK PEXA Group as “we”, “us”, or “our”. 

2. Single Sign-On Requirements

The Participant or Customer (as applicable) must ensure that:

  1. User passwords contain a minimum of eight (8) characters and satisfy at least three of the following:

    a. the password includes at least one (1) uppercase letter;
    b. the password includes at least one (1) lowercase letter;
    c. the password includes at least one (1) number (0-9); and
    d. the password includes at least one (1) special character;

  2. Users cannot use a previously used password when setting a new password;

  3. Users are locked out after multiple consecutive incorrect login attempts;

  4. The unlock process is secure and involves user verification;

  5. The password reset process is secure;

  6. Password expiry periods are enforced;

  7. There is a system idle lockout duration in place;

  8. Multi-factor authentication is required for application access;

  9. Users require an organisational VPN for application access; and

  10. Users who have left the organisation are deactivated from the organisation’s network in a timely manner.