Xero Ecosystem Security Requirements Update
How long will the assessment take?
The process is not immediate. We need to understand the details of your implementation and may have additional questions once you have returned the assessment. Typically the assessment takes around 5 working days to complete, followed by 5-10 working days for us to assess your answers. We may then ask you to remediate any items that don’t meet the requirements.
How often do I need to do this?
The security assessment will need to be undertaken annually.
How will I know if my app meets these standards?
Once you’ve filled out the security assessment and submitted it to us, we will review your answers. We’ll let you know via email whether you have passed.
If you have work to do in order to achieve a pass, we will provide you with a remediation report. You will then have 30 days to provide us with a remediation plan detailing how you will address the items in the report, followed by 60 days to implement the changes. Once the changes are implemented, we will re-review your app and determine whether the standards have now been met.
Important information about new global Xero ecosystem security requirements
At Xero, we take the responsibility of managing our community’s data privacy and security seriously. As part of the work Xero has been doing with the Australian Tax Office and other industry players, we have developed a set of agreed security standards to be applied globally to our ecosystem. These come into effect for new app partners certified after 1 January 2020 and existing app partners have until 30 June 2020 to comply. We’re still working through all the details of our new process, but wanted to share this information with you early, so you can start to understand what these changes mean for your app.
In preparation to meet these new requirements, Xero will be updating our security requirements for our app and developer partners, as well as Xero’s App and Developer Partner Terms of Agreement.
All app partners will need to undertake a security assessment which will be reviewed by Xero’s security team. App partners who reach 1000 or more connections will be required to undertake an advanced security assessment which will also be reviewed by Xero’s security team. App partners will not be certified or listed in Xero’s app marketplace without passing these assessments. App partners will need to undertake and pass the security assessment on an annual basis.
We’ll keep our app partners updated via developer.xero.com, our Twitter account and our developer emails.
What will the security assessments involve?
An annual self-assessment against the standard.
These new requirements will include, but are not limited to, API risk rating, authentication, certification, personnel security, encryption and audit logging.
2SA will be the minimum level of account authentication, but this will already be provided if your app connects with Sign in with Xero.
Where can I find ABSIA add-on FAQ language and standards?
https://www.absia.asn.au/industry-standards/addon-security-standard/
Where can I find the standard?
https://developer.xero.com/partner/security-standard-for-xero-api-consumers/
Which apps will be affected?
Consumers of the Xero Accounting API, Payroll APIs, Fixed Assets API, Projects API, Files API, Bank Feeds API or WorkflowMax API with more than 1,000 connections.
All consumers of the Xero Practice Manager, Xero HQ, and Xero Tax APIs.
Any other consumer outside of the above criteria that Xero determines is in need of a security assessment.