Xero Security

Posted 10 years ago in Tech by Craig Walker

I seem to be on a bit of a speaking tour at present with the CIO Summit in Auckland being my most recent event. I was there to talk about our security work with Aura Software Security and how they’ve been critical to the success of our security story.

Our reputation depends on providing airtight security and from the early days of Xero we have been working with the experts at Aura to continually audit our security and provide us independent expertise on how to integrate secure practices throughout our organisation. Aura have been highly impressed by Xero because “the security of Xero was embedded in the company’s mindset and filtered down from the CEO right through to the admin team”. It is this “holistic” view of security throughout Xero that has been the driving force behind this success.

Below are some of the security precautions we take. There are many more that we won’t publish because, as you might expect, that wouldn’t be good security policy:

  • We model our security on the policies and measures taken by banks. To be as “secure as a bank” is an aspirational goal for us and one we continually strive for.
  • We use 128-bit SSL encryption, the same used for internet banking.
  • Our servers are hosted with a world leading hosting provider, delivering the highest levels of availability, performance and security.
  • Only a select few authorised personnel at Xero have access to the Xero production environment and all access is actively monitored and logged.
  • No one has access to your organisation unless you’ve invited them. You can remove any invited users whenever you want. You have the option to invite Customer Care, but it’s for support purposes only and completely at your discretion.
  • There is an audit trail of everything a user has done in Xero and you can monitor the activity of all your invited users.
  • Users must choose a strong password and we enforce automatic lockouts when incorrect usernames and passwords are entered, alerting us to any attempts to hack in.
  • We don’t allow the browser to save your login information, which mitigates unauthorised access from a stolen or compromised computer.
  • If you are logged in and don’t use Xero for an extended period you will be automatically logged out in case you’ve left your computer unattended.
  • Security is an ongoing process, not a singular event – we continuously reinforce our defences.

How is Xero more secure than desktop software?

  • Unlike desktop applications, your data isn’t stored on your computer, so if your laptop is lost or stolen no one can access your data without a login.
  • Providing access to your data by inviting specific users into your organisation and controlling their access is much more secure than emailing your data around or giving out discs with your data on it.

While we continually work very hard to keep Xero and your data secure there are some simple steps you can take to stay protected as well:

  • Create a password nobody can guess, so no dictionary words or family names. Be cryptic or use multi-word pass phrases – easy to remember, hard to crack.
  • Don’t write your password on a sticky note and attach it to your computer.
  • Don’t share your email address and password with anyone else. Xero allows for unlimited users for each organisation: that feature is there for your security – use it!
  • Keep your browser software up to date. For enhanced security we recommend Internet Explorer 7 or Firefox 3.
  • Make sure you have anti-virus software installed and kept up to date.
  • Make sure you only login at


Business Tracking Software
July 25, 2008 at 7.34 am

Sounds like a good software application. I found the last part of your article helpful as you outline ways for users to help keep the software secure.

This seems like general advice that would be good to apply to any type of secure software or application employees may be working with. Thanks for the good ideas.

July 27, 2008 at 10.08 pm

Well done on attacking it front on. Security is turning into another hygiene factor for all software, forcing us all (reqs, arch, design, code, test) to be more security aware.

PS. Surely “foolproof” not “full proof”?
