Frequently asked questions


Xero Ecosystem Security Requirements Update



  • Important information about new global Xero ecosystem security requirements

    At Xero, we take the responsibility of managing our community’s data privacy and security seriously. As part of the work Xero has been doing with the Australian Tax Office and other industry players, we have developed a set of agreed security standards to be applied globally to our ecosystem. These come into effect for new app partners certified after 1 January 2020 and existing app partners have until 30 June 2020 to comply. We’re still working through all the details of our new process, but wanted to share this information with you early, so you can start to understand what these changes mean for your app.

    In preparation to meet these new requirements, Xero will be updating our security requirements for our app and developer partners, as well as Xero’s App and Developer Partner Terms of Agreement.

    All app partners will need to undertake a security assessment which will be reviewed by Xero’s security team. App partners who reach 1000 or more connections will be required to undertake an advanced security assessment which will also be reviewed by Xero’s security team. App partners will not be certified or listed in Xero’s app marketplace without passing these assessments. App partners will need to undertake and pass the security assessment on an annual basis.

    We’ll keep our app partners updated via developer.xero.com, our Twitter account and our developer emails.



  • Which apps will be affected?

    • All app partners who wish to be certified and listed in the Xero app marketplace
    • New app partners need to comply from 1 January 2020
    • Existing app partners have until 30 June 2020 to comply


  • What will the security assessments involve?

    • An annual self-assessment against the standard
    • These new requirements will include, but are not limited to, API risk rating, authentication, certification, personnel security, encryption and audit logging
    • 2SA will be the minimum level of account authentication, but this will already be provided if your app connects with Sign in with Xero


  • How will I know if my app meets these standards?

    We’re still working through the details of the process, but we’ll contact you when you need to undertake the security assessment and let you know the outcome of that assessment.



  • How often do I need to do this?

    The security assessment will need to be undertaken annually.



  • Where can I find ABSIA add-on FAQ language and standards?