
Security


Serious about Security

Our reputation depends on providing airtight security. We would like to assure you that your sensitive financial data is heavily guarded.

From the early days of Xero, we have been working with the experts at Aura Security to continually audit our security. One way Aura assesses our security is by conducting penetration testing: unannounced and deliberate attacks to measure our vulnerability to outside hackers. Aura have been highly impressed by Xero because "the security of Xero was embedded in the company's mindset and filtered down from the CEO right through to the admin team."

Below are some of the security precautions we take. There are many more that we won't publish because, as you might expect, that wouldn't be good security policy.

  1. We model our security on the policies and measures taken by banks.
  2. We use 128-bit SSL encryption, the same used for internet banking.
  3. Our servers are hosted by a tier-one hosting provider that monitors our servers and firewalls 24/7/365 at a guarded facility.
  4. Only a select few authorised personnel at Xero have admin access to the Xero servers.
  5. There is an audit trail of everything a user has done in Xero and you can monitor the activity of all your invited users.
  6. No one has access to your organisation unless you invited them. You can remove any invited users whenever you want. You have the option to invite Customer Care, but it's for support purposes only and completely at your discretion.
  7. Users must choose a strong password and we enforce automatic lockouts when incorrect passwords are entered - alerting us to any attempts to hack in.
  8. We don't allow the browser to save your login, which eliminates access from a stolen or compromised computer.
  9. If you are logged in and don't use Xero for an extended period you will be automatically logged out, in case you left your computer unattended.
  10. Security is an ongoing process, not a singular event – we continuously reinforce our defences.

How is Xero more secure than desktop software?

  • Unlike desktop applications, your data isn't stored on your computer, so if your laptop is lost or stolen no one can access your data without a login.
  • Online applications are much more secure than emailing your accounting data or giving out discs with your data on them.

We work very hard to keep Xero secure. Here are some simple steps you can take to stay protected:

  • Create a password nobody can guess: no dictionary words or family names. Be cryptic or use multi-word passphrases, which are easy to remember and hard to crack.
  • Don't share your password with anybody.
  • Don't write your password on a sticky note and attach it to your computer.
  • Keep your browser software up to date.
  • Make sure you only log in at xero.com.