The first thing that my father, a small business owner, wanted to know about Xero was its security.
Security, and also privacy, are the biggest things to get right when building an online software product. We believe that Xero is a mission-critical business information system – mission-critical because your financial data is sacred and important. It’s imperative for us to make sure your financial data is both secure and private from outside attackers.
A security system is integrated into our core software framework and permeates our entire system. The security model is structured in layers as follows:
privacy » sandboxing » authentication » segmentation » authorisation
Each of these layers helps reduce the attack surface, making it almost impossible to infiltrate our system and compromise data integrity and privacy:
Privacy: All access to Xero runs through a secure link which enables full encryption of all communication between the browser and our servers. To know you’re browsing a secure site, just check for the padlock either at the bottom right of your browser or in the address bar.
Sandboxing: Sandboxing is a technique to reduce the attack surface and prevent attackers from gaining access to the lower layers of our system.
Authentication: All access to Xero requires authentication through our membership system. All web pages in the Xero system require secure access – there are no parts of the system that are open to the public.
Segmentation: Our database is designed utilising a multi-tenanted architecture. This means that the data for each individual organisation is separated from the data of every other organisation. No other Xero customer can access your data through Xero – our architecture doesn’t allow it and cannot be manipulated in any way to allow it.
Authorisation: Our membership system has been designed to make full use of role-based security. Each user has a role within an organisation, and each page is tailored specifically to that role so that each user can see and do only what you want them to see and do.
That’s a basic outline of what we do to protect you and your data. So what can you do? Choose a strong password and don’t put it on a sticky note attached to your monitor!