Security – requirements for developer partners

Certified Xero Developer partners must at all times ensure that any Xero data held in their systems is stored in a secure way. These requirements are mandatory for Add-on partners and other developer partners that maintain active API connections. Other partners should ensure the requirements relevant to them are followed. In the event of any breach of security or possible breach of security which has the potential to expose information such as Xero customer data, public/private key certificates, tokens or other sensitive details, the partner must immediately advise Xero by emailing

Sensitive data

Highly sensitive data, such as the signing certificates used to sign requests, should be stored securely, with access strictly controlled, and should not be publicly accessible (for example, by being stored within the web root).

Access Control

Ensure access control mechanisms exist for your operational staff, and that policies are set on the appropriate use of data.


Hosting environments – don’t use shared hosts, as there’s a chance that other users will be able to access your Xero API credentials and access the API, or that they will be able to access the data once it arrives in your database.


At a minimum, SSL should be used for application logins, though it is recommended that all logged-in pages are secured with SSL.

Privacy policy

All Xero Add-on partners should have a privacy policy which can be accessed from their website.

Software Development

We encourage you to follow the security best practices for your programming language and platform, and to become familiar with web security issues you may encounter (e.g. the OWASP Top 10).