1.1 In these Technical Integration Standards:

(a) Authorised User means a Participant or an Integrating Party as applicable.

(b) Participant means a financial institution or law firm that: (i) is authorised to access and use the PEXA Platform; and (ii) requires access to and use of the PEXA APIs to integrate the platform it operates and manages with the PEXA Platform.

(c) Integrating Party means a software provider that requires access to and use of the PEXA APIs to integrate the platform it operates and manages on behalf of its Customer with the PEXA Platform.

(d) Customer means a financial institution or law firm that: (i) is authorised to access and use the PEXA Platform; and (ii) has engaged the Integrating Party for its services.

2.1 PEXA API Material

(a) The PEXA APIs Material made available to the Authorised User by PEXA may be updated from time to time. The most recent version of the PEXA API Material will be published on the PEXA API Developer Portal.

(b) PEXA may also from time to time publish guidance on design and coding standards (Published Materials) to support effective use of the PEXA APIs and the Authorised User is required to observe these Published Materials.

2.2 Access to the PEXA APIs

(a) The Authorised User has advised PEXA that it has completed appropriate development and testing in a non-production environment (made available by PEXA).

2.3 API Versioning, Sunset Notice and Availability

(a) PEXA may, for any reason:

(i) change any PEXA API, which may include the release of a new version of the PEXA API; or

(ii) remove any PEXA APIs;

(b) Where changes are made to the PEXA APIs, PEXA may release the following versions:

(i) to support changes that are incompatible or breaking, PEXA will release a major version (Major Version). The Major Version will be defined in the URL for the relevant PEXA API and will be present in the fully qualified API version returned in the response header.

(ii) to support changes that are delivered in a backwards-compatible manner PEXA will release a minor version (Minor Version). The Minor Version will be present in the fully qualified API version returned in the response header; and

(iii) to support bug fixes that are delivered in a backwards-compatible manner. PEXA will release a patch version (Patch Version). The Patch Version will be present in the fully qualified API version returned in the response header.

(c) PEXA may additionally determine that certain APIs need to be varied or discontinued in accordance with the following procedures:

(i) PEXA will provide a written 3-month notice (Sunset Notice) to the Authorised User with sufficient detail of the change(s) to complete an impact assessment.

(ii) Upon expiry of the term in the Sunset Notice, PEXA may provide a further 12- month period for the Integration Party to migrate away from the older version of the API before API support is formally terminated.

(iii) PEXA will support up to 3 Major Versions of each PEXA API at any given point in time.

(d) If the Authorised User uses an unsupported version of a PEXA API, it does so at its own risk and PEXA will not be liable for any losses, costs, damages, fees, or other liabilities (whether direct or indirect) suffered by the Authorised User in connection with the use of that PEXA API, or for any failures of unsupported versions of any of the PEXA APIs.

(e) PEXA may charge the Authorised User an amount in the circumstances if PEXA maintains an unsupported version of the PEXA APIs at the Authorised User’s request and that notwithstanding, PEXA will not be liable for any losses, costs, damages, fees or other liabilities (whether direct or indirect) suffered by the Authorised User in connection with the use of that PEXA API despite such charges made to the Authorised User.

(f) The Authorised User acknowledges and agrees that availability of the PEXA APIs is not guaranteed, and PEXA will not be responsible for any losses, costs, damages, fees or other liabilities under these standards for any unavailability of a PEXA API or any interruption, impaction or restriction to the Authorised User’s access to a PEXA API.

2.4 PEXA API – Security Measures Compliance

(a) On and from the date that PEXA provides the Authorised User with access to the Production Environment, the Authorised User must:

(i) comply with the Participant’s Security Obligations (“Security Measures”) specified the Standard Terms and Conditions (UK) for Lenders or Standard Terms and Conditions (UK) for Law Firms (as relevant); and

(ii) immediately notify PEXA if the Authorised User ceases to comply with the Security Measures.

(b) The Authorised User must provide a written attestation to PEXA’s reasonable satisfaction of the Authorised User’s compliance with the Security Measures:

(i) at least once every year or every three years (risk profile dependent); and

(ii) within 7 (seven) days if PEXA notifies the Authorised User that PEXA suspects that the Authorised User no longer complies with the Security Measures, provided PEXA has reasonable grounds for such suspicion.

2.5 General Obligations in the Use of PEXA APIs

(a) The Authorised User must not:

(i) where the Authorised User is an Integrating Party, allow persons other than their Customers to access and use the PEXA Platform;

(ii) allow any other platform (other than the Authorised User’s platform) to access the PEXA Platform using the PEXA APIs;

(iii) integrate with or use the APIs for a purpose other than the intended use communicated by PEXA;

(iv) reverse compile, reverse engineer, modify, obscure, circumvent, or disable any element of the PEXA APIs or the PEXA Platform or their access control features;

(v) distribute the PEXA APIs or provide any information about the PEXA APIs or PEXA Platform to third parties unless expressly authorised by PEXA;

(vi) create an interface which is the same as, or materially comparable or similar to, the PEXA APIs;

(vii) disrupt, interfere with, or adversely impact the access or use of the PEXA APIs or PEXA Platform by PEXA or others;

(viii) re-direct traffic from the PEXA Platform or impede performance of the PEXA Platform;

(ix) use the PEXA APIs or PEXA Platform in connection with an application that is offensive, abusive, libellous, harassing, threatening, discriminatory, vulgar, pornographic, unethical, unlawful, or otherwise inappropriate as determined by PEXA in its sole discretion;

(x) store any Transaction Information outside of the Authorised User’s platform unless required by applicable law or explicit permission is given by PEXA;

(xi) where the Authorised User is an Integrating Party use, reproduce or disclose (or do anything that allows or causes another person to do any of these things) any Transaction Information for a Conveyancing Transaction, other than that required or requested by the relevant Customers in completing Conveyancing Transactions; or

(xii) create data or other products which are the same as or materially comparable or similar to the Transaction Information or include the Transaction Information, or reverse assemble, reverse compile, reverse engineer or recreate or rework the Transaction Information in any way or otherwise re-use the Transaction Information for the benefit of the Authorised User or any third parties;

(b) PEXA may rate limit API calls for technical efficiency. The Authorised User must not allow API calls at a frequency or volume that is more than the rate advised by PEXA, unless otherwise agreed in writing.

(c) The Authorised User must ensure that any Transaction Information (or any part of any Transaction Information) that is accessed or obtained by the Authorised User as a result of the Integration and is stored on the Authorised User’s platform or on any other database operated by the Authorised User:

(i) is stored securely;

(ii) cannot be accessed or used by any person other than a person authorised by the Authorised User; and

(iii) is encrypted (and must not be decrypted for the Authorised User’s own use).

(d) The Authorised User must ensure that the Authorised User’s platform:

(i) accurately presents and uses all data received from PEXA via the Integration or any other source;

(ii) does not change data received from PEXA via the Integration; and

(iii) accurately checks, collates and processes the data received from the PEXA Platform.

(e) Where the Authorised User utilises the Approval APIs, the Authorised User must:

(i) Ensure that the approver’s email address is captured and submitted with each approval request made via the Approval APIs, for the purposes of audit and compliance monitoring by PEXA;

(ii) Take sole responsibility for implementing and enforcing an appropriate segregation of duties approval process within their own systems; preventing the same Authorised User from completing both preparation and approval activities on a single Workspace; and

(iii) Acknowledge and agree that PEXA may routinely audit approval requests made via the Approval APIs, and must cooperate with any such audits.

2.6 Information Security Policy

The Authorised User must maintain an information security policy that governs Authorised User’s staff practices around IT security which is in line with industry best practice having regard to the nature and size of Authorised User’s organisation.

2.7 PEXA API Access Credentials

(a) PEXA will provide PEXA API Access Credentials to the Authorised User to enable the Authorised User to access the PEXA APIs (on behalf of itself where the Authorised User is a Participant, or on behalf of a Customer where the Authorised User is an Integrating Party).

(b) The Authorised User must not, without PEXA’s prior written approval:

(i) disclose the PEXA API Access Credentials to any third party; or

(ii) embed the PEXA API Access Credentials in any applications other than an Authorised User’s platform.

(c) Despite paragraph (b), where the Authorised User is an Integrating Party, the Integrating Party may distribute the PEXA API Access Credentials to a Customer if software is required to be installed on a Customer’s system provided that the Integrating Party takes reasonable steps to embed the PEXA API Access Credentials in the software so as to not be readily accessible to the Customer.

(d) The Authorised User must:

(i) store its PEXA API Access Credentials securely, including where appropriate, by ensuring that access to PEXA API Access Credentials is monitored and controlled by an administrator.

(ii) only use the PEXA API Access Credentials for the Permitted Purpose.

(iii) only grant access to the PEXA API Access Credentials to the Authorised User’s employees, officers, agents, or contractors where that access is reasonably required.

(e) The Authorised User must immediately notify PEXA if it becomes aware that the confidentiality of its PEXA API Access Credentials has or may have been Compromised.

(f) If PEXA at any time considers that the confidentiality of the Authorised User’s PEXA API Access Credentials has been Compromised, PEXA may cancel those PEXA API Access Credentials and, subject to PEXA being satisfied that the Authorised User’s platform is not Compromised, issue new PEXA API Access Credentials to the Authorised User.

2.8 Authentication

(a) Unless otherwise notified by PEXA in accordance with paragraph 2.8(b):

(i) the Participant must use OAuth 2.0 (or any authentication method mandated by PEXA) at the time of integration as the authentication method to access the PEXA Platform using the Integration; and

(ii) the Integrating Party must use OAuth 2.0 (or any authentication method mandated by PEXA) at the time of integration as the authentication method when providing Customers with access to the PEXA Platform using the Integration.

(b) PEXA may change the authentication method described in paragraph 2.8(a) following integration. In which case PEXA must:

(i) provide the Authorised User with at least three months’ notice of a change to the authentication method; and

(ii) ensure that the PEXA Platform supports and is compatible with the method of authentication immediately preceding the current method for a period of not less than three months from the date the relevant authentication method was superseded.

(c) The Authorised User acknowledges that PEXA may from time to time change the Authorised User’s PEXA API Access Credentials.

(d) For B2B connections to PEXAGo, the protocol and cipher requirement is:

(i) TLS versions 1.3 and modern implementation of TLS 1.2, or

(ii) Supported protocols outlined for the TLSv1.2_2021 security policy as per Supported protocols and ciphers between viewers and CloudFront

2.9 Customer Support and Training

(a) The Authorised User acknowledges that:

(i) It must provide its staff with appropriate cyber security training; and

(ii) PEXA is not required to provide support to the Authorised User or Customers for use of the Integration; and

(iii) PEXA may charge the Authorised User fees for any support required to be provided by PEXA to the Authorised User or Customers as a result of the Authorised User’s failure to comply with these standards.