Overview:
This feature enables you to:
Password-protect PDF documents (payslips, annual statements, and financial year payment summaries) sent as email attachments using AES-256 encryption
Override the payslip delivery method per employee — choose between encrypted email attachment or a secure portal link, independent of your organisation-level default
Specify a dedicated payslip email address for individual employees, separate from their user account email
These capabilities are particularly valuable for organisations with enterprise agreements or union obligations that require encrypted email payslips, while maintaining portal-based delivery for the broader workforce.
Required Permissions
The following permissions are required to configure and manage this feature:
Permission | Purpose | Scope | 2FA Required |
Manage App Settings | Enable/disable document encryption and select the encryption method in Application Settings | Global | Yes |
View Employee Payslip Delivery Information | View the Payslip Information section on the Employee Details screen (read-only) | Global | No |
Edit Employee Payslip Delivery Information | Modify the payslip email and delivery method for individual employees | Global | Yes |
Manage App Settings is an existing permission. The two Employee Payslip Delivery Information permissions are new and are automatically enabled on upgrade for roles that already have relevant payroll permissions (see Step 3 below for details).
Important: The Edit Employee Payslip Delivery Information permission requires two-factor authentication (2FA) due to the sensitivity of controlling where employees' financial documents are sent. Ensure relevant users have 2FA configured before attempting to modify these settings.
Key Concepts
How Delivery is Resolved
Definitiv uses a layered configuration model to determine how each employee receives their documents:
Application-level encryption policy — Controls whether PDF encryption is enabled across the entire application.
Organisation-level delivery default — Your existing organisation setting (e.g., "Attachment Within Email" or "Link to Definitiv Portal")
Employee-level delivery override — An optional per-employee setting that overrides the organisation default.
When an employee's delivery override is set to "Use Default", the organisation-level setting applies. When set to a specific option, that employee's setting takes precedence.
Payslip Email Address
Each employee can optionally have a dedicated payslip email address configured. When set, all payslip-related documents (payslips, annual statements, and financial year payment summaries) are sent to this address instead of the employee's primary account email. This applies regardless of the delivery method — whether the employee receives an encrypted PDF attachment or a portal link, the email is directed to the payslip email address.
If the Payslip Email field is left blank, documents continue to be sent to the employee's primary account email as they are today.
Encryption Method
The initial encryption method uses the employee's date of birth in DD/MM/YYYY format as the password. When encryption is enabled and documents are sent as email attachments, the email will include a hint informing the employee that the password is their date of birth.
Safety Fallback
If encryption is enabled and an employee's effective delivery method is "Attachment Within Email", but their date of birth is not recorded in Definitiv, the system will automatically send a portal link instead of an unencrypted attachment. This ensures sensitive documents are never sent unprotected via email.
Setting Up Document Encryption
Step 1: Enable Document Encryption (System Administrator)
Prerequisite: You must have the Manage App Settings permission (Global, requires 2FA) to access Application Settings.
Navigate to Application Settings under the profile menu.
Select the Document Encryption tab.
Toggle Enable Document Encryption to On.
Select the encryption method from the dropdown — Employee Date of Birth (DD/MM/YYYY) is available as the default method.
Click Save.
Note: Document encryption is an application-wide setting. When enabled, it applies across all organisations within your Definitiv instance. The encryption toggle defaults to Off, so there is no impact to your existing setup until you choose to enable it.
Step 2: Review Organisation-Level Delivery Default (Payroll Administrator)
Before configuring employee-level overrides, review and confirm the organisation-level payslip delivery method for each of your organisations. This setting determines the default delivery method for all employees in the organisation, so it should reflect the most common delivery method for the majority of your workforce.
Navigate to Admin > Configuration > Organisation Settings for each organisation
Select the Payslip tab, then locate the Payslip Email Mode setting (also referred to as "Email As")
Confirm the setting is appropriate for the majority of your employees:
Attachment Within Email — If most employees should receive PDF attachments (which will be encrypted if encryption is enabled)
Link to Definitiv Portal — If most employees should receive a link to view their documents in the portal.
Why this matters:
The employee-level Payslip Delivery override defaults to "Use Default" for all employees, which means every employee inherits the organisation-level setting. By ensuring the organisation default reflects the most common delivery method, you only need to configure individual overrides for the exceptions — significantly reducing the setup effort.
Example:
If your organisation has 500 employees and 450 should receive portal links while 50 (covered by an enterprise agreement) need encrypted email attachments, set the organisation default to "Link to Definitiv Portal". Then only configure the 50 exception employees with an override of "Attachment Within Email" in Step 5.
Step 3: Configure Security Permissions (System Administrator)
Two new security permissions control access to the employee-level payslip delivery settings:
Permission | Description | 2FA Required |
View Employee Payslip Delivery Information | Allows users to see the Payslip Information section on the Employee Details screen (read-only) | No |
Edit Employee Payslip Delivery Information | Allows users to modify the payslip email and delivery method for individual employees | Yes |
These permissions are located within the Employee Details permission group in User Roles. Both permissions are configured at the Global level.
Note: On upgrade, these permissions are automatically enabled for roles that already have relevant payroll permissions. Specifically:
View Employee Payslip Delivery Information is enabled for all roles that currently have the "View Employee Payslips" permission at the Global level.
Edit Employee Payslip Delivery Information is enabled for all roles that currently have both "View Employee Payslips" and "Manage Pay Runs" permissions at the Global level.
For newly provisioned instances, both permissions are included in the default Admin role.
Step 4: Review Employee Date of Birth Records
If you have enabled document encryption (Step 1) and employees will be receiving PDF attachments, review your employee records to ensure dates of birth are recorded for those employees.
When encryption is enabled and a PDF attachment would be sent, the system uses the employee's date of birth as the encryption password. If an employee does not have a date of birth recorded, the system will automatically fall back to sending a portal link instead of an unencrypted attachment.
🤓Tip: It is recommended to run a review of employee records to identify any employees missing a date of birth, particularly for employees who are expected to receive encrypted email attachments. This ensures those employees receive their documents as intended rather than being redirected to the portal.
Step 5: Configure Employee-Level Delivery Overrides (Payroll Administrator)
Prerequisite: You must have the Edit Employee Payslip Delivery Information permission (Global, requires 2FA) to modify these settings. Users with only the View Employee Payslip Delivery Information permission can see the settings but cannot make changes.
This step is only required for employees who need a different delivery method from the organisation-level default set in Step 2. Employees who should follow the organisation default do not need any changes, their Payslip Delivery setting defaults to "Use Default".
Navigate to the employee's Employee Details screen.
Locate the Payslip Information section (below Contact Information).
Set the Payslip Delivery dropdown to the appropriate option:
Option | Behaviour |
Use Default | The employee receives documents using the organisation-level delivery setting. This is the default for all employees. |
Link to Definitiv Portal | The employee receives an email with a link to view their documents in the Definitiv portal, regardless of the organisation setting. |
Attachment Within Email | The employee receives their documents as a PDF attachment in the email. If encryption is enabled and the employee has a date of birth recorded, the PDF will be password-protected. |
4. Click Save.
🤓Tip: Focus on the exceptions. If your organisation default is set to "Link to Definitiv Portal" (Step 2), you only need to override employees who specifically require "Attachment Within Email" — and vice versa.
Step 6: Configure Payslip Email Address Overrides (Payroll Administrator)
Prerequisite: You must have the Edit Employee Payslip Delivery Information permission (Global, requires 2FA) to modify this setting.
By default, all payslip-related documents are sent to the employee's email address linked to their user account. If an employee needs their documents sent to a different email address — for example, a personal email rather than their work email — you can configure a dedicated payslip email address.
Navigate to the employee's Employee Details screen.
Locate the Payslip Information section (below Contact Information).
In the Payslip Email field, enter the employee's preferred email address for payslip delivery.
Click Save.
The Payslip Email field displays placeholder text "Use Account Email" when blank, indicating the employee's user account email will be used.
Key points about the Payslip Email field:
When a payslip email address is configured, all payslip-related documents are sent to that address — this includes payslips, annual statements, and financial year payment summaries.
The payslip email address applies regardless of the delivery method. Whether the employee receives an encrypted PDF attachment or a portal link, the email is sent to the payslip email address.
The payslip email address is used exclusively for payslip-related documents. All other system emails (onboarding invitations, user invitations, password resets, 2FA notifications) continue to be sent to the employee's user account email.
To revert to using the employee’s user account email, simply clear the Payslip Email field and save — the placeholder text "Use Account Email" will reappear.
The field validates email format on save — an invalid email address will be rejected with a validation error.
Common use cases:
Employees who prefer payslips at a personal email address rather than their work email.
Employees whose work email is a shared or generic mailbox not suitable for receiving sensitive financial documents.
Organisations where the employee's Definitiv account email is an internal system address and payslips need to go to a separate inbox.
Current Limitations
The following channels and capabilities are not included in this release. All payslip delivery and payslip email configuration must be performed by an administrator via the Employee Details screen in the Definitiv web application.
Employee Self-Service
Employees cannot view or modify their own payslip delivery settings or payslip email address. These fields are not available through:
Definitiv web portal (Employee Self-Service) — The Payslip Information section is not displayed on the employee's own profile or self-service screens
Mobile ESS app — The payslip delivery and payslip email fields are not available in the mobile employee self-service application
If an employee needs to change their payslip delivery method or update their payslip email address, they must request the change through their payroll administrator, who can update the settings on the employee's behalf via the Employee Details screen.
API Access
The Payslip Delivery and Payslip Email fields are not available via the Definitiv API in this release. API consumers (integration partners and direct customers) cannot read or update these fields programmatically. API extension is planned for a future release.
Employee Workbook (Bulk Import/Export)
The Payslip Delivery and Payslip Email fields are not included in the Employee Workbook in this release. These fields cannot be imported or exported via the Employee Details tab of the workbook. Workbook extension is planned for a future release.
In summary:
For this release, the Payslip Delivery and Payslip Email fields can only be configured by an administrator with the appropriate permissions via the Employee Details screen in the Definitiv web application. Self-service, API, and bulk import/export capabilities for these fields are planned for future releases.
Document Types Covered
Encryption and delivery overrides apply consistently across the following document types:
Document Type | Description |
Payslips | Generated when a pay run is published |
Annual Statements | STP v1 and STP v2 annual statements |
Financial Year Payment Summaries | PAYG payment summaries and ETP (Employment Termination Payment) summaries |
All document types follow the same encryption and delivery resolution logic. If an employee has multiple documents in a single email (e.g., both a PAYG summary and an ETP summary), all PDFs are encrypted with the same password.
What Your Employees Need to Know
When an employee receives an encrypted PDF document via email, the email body will include the following message:
"The document attached is password protected. The password is your date of birth in DD/MM/YYYY format."
This hint text is only included when the attached PDF is encrypted. It does not appear when documents are delivered as portal links or when encryption is disabled.
Opening an Encrypted PDF
Open the email and download the attached PDF
When prompted for a password, enter your date of birth in DD/MM/YYYY format (e.g., 15/03/1985)
The document will open and display the full content.
🤓Tip: Most PDF readers (Adobe Acrobat, Preview on Mac, Microsoft Edge, Google Chrome) support opening password-protected PDFs. If your employees have difficulty opening encrypted documents, ensure they are entering their date of birth exactly as recorded in Definitiv, including leading zeros (e.g., 05/01/1990, not 5/1/1990).
Delivery Behaviour Quick Reference
The table below summarises how documents are delivered based on the combination of encryption setting, organisation default, employee override, and date of birth availability.
Encryption | Organisation Default | Employee Override | DOB Recorded | Result |
Off | Attachment Within Email | Use Default | Yes | Unencrypted PDF attached |
Off | Attachment Within Email | Link to Definitiv Portal | Yes | Portal link sent |
Off | Link to Definitiv Portal | Use Default | Yes | Portal link sent |
Off | Link to Definitiv Portal | Attachment Within Email | Yes | Unencrypted PDF attached |
On | Attachment Within Email | Use Default | Yes | Encrypted PDF attached |
On | Attachment Within Email | Link to Definitiv Portal | Yes | Portal link sent |
On | Link to Definitiv Portal | Use Default | Yes | Portal link sent |
On | Link to Definitiv Portal | Attachment Within Email | Yes | Encrypted PDF attached |
On | Attachment Within Email | Use Default | No | Portal link sent (fallback) |
On | Attachment Within Email | Attachment Within Email | No | Portal link sent (fallback) |
Key point:
When encryption is off, the system behaves exactly as it does today — there is no change to your current delivery workflow. The missing date of birth fallback only applies when encryption is enabled.
In all cases above, if a Payslip Email address is configured for the employee, the email is sent to that address. If the Payslip Email field is blank, the email is sent to the employee's user account email.
Frequently Asked Questions
Q: Will enabling encryption change how documents are delivered for all our employees?
No. Encryption only affects employees whose effective delivery method is "Attachment Within Email". Employees receiving portal links are not affected. Additionally, the encryption toggle defaults to Off, so your current setup is unchanged until you explicitly enable it.
Q: What happens if we enable encryption but some employees don't have a date of birth recorded?
Those employees will automatically receive a portal link instead of an unencrypted attachment. This safety fallback ensures sensitive documents are never sent unprotected. We recommend reviewing your employee records to ensure dates of birth are captured for employees who need to receive encrypted email attachments.
Q: Can different employees in the same organisation receive documents differently?
Yes. The employee-level override allows you to set individual delivery preferences. For example, employees covered by an enterprise agreement can receive encrypted email attachments, while the rest of your workforce uses the portal — all within the same organisation.
Q: If I set a payslip email address, does it affect the employee's login or other system emails?
No. The Payslip Email field is used exclusively for delivering payslips, annual statements, and financial year payment summaries. The employee's user account email remains unchanged and continues to be used for all other system communications including onboarding invitations, password resets, and 2FA notifications. The employee still logs in with their existing account email.
Q: Can employees update their own payslip email address or delivery preference?
Not in this release. The Payslip Delivery and Payslip Email fields are only available to administrators via the Employee Details screen. They are not exposed through Employee Self-Service (web or mobile). If an employee needs to update their payslip email address or change their delivery preference, they should contact their payroll administrator to make the change on their behalf.
Q: Can I configure delivery overrides and payslip email addresses in bulk?
Not in this release. These settings are configured individually on each employee's Employee Details screen. Bulk configuration via the Employee Workbook and API access are planned for future releases.
Q: Are announcements also encrypted?
No. Announcement attachments are not included in this release. Encryption currently applies to payslips, annual statements, and financial year payment summaries only.
Q: Who can change an employee's payslip delivery settings?
Only users with the "Edit Employee Payslip Delivery Information" permission, which requires two-factor authentication (2FA). This protects against unauthorised changes to where employees' financial documents are sent.
Important Considerations
Administrator-only configuration: Payslip delivery and payslip email settings can only be modified by administrators via the Employee Details screen. Employees cannot update these settings themselves through self-service (web or mobile), and the fields are not available via the API or Employee Workbook in this release.
Date of birth accuracy: The encryption password is the employee's date of birth exactly as recorded in Definitiv. Ensure employee records are accurate to avoid employees being unable to open their documents. If a date of birth is changed, then previously encrypted documents will be encrypted with the old date of birth (unless this was missing) so we recommend a review of employee records before using this feature.
Payslip email accuracy: If a payslip email address is configured for an employee, ensure it is correct and accessible by the employee. Documents sent to an incorrect address cannot be recalled once delivered.
2FA requirement: Editing payslip delivery settings and payslip email addresses requires two-factor authentication. Ensure relevant users have 2FA configured before attempting to modify these settings.
Backward compatibility: Enabling this feature with encryption set to Off results in no change to your current workflows. You can enable encryption when you are ready.
Application-wide scope: Encryption is an application-wide setting — it cannot be enabled for some organisations and disabled for others within the same instance.