Security at Xero
Xero is certified as compliant with ISO/IEC 27001:2013 which is globally recognized as the premier information security management system (ISMS) standard. Xero achieved certification by developing and implementing a robust security management program, including a comprehensive Information Security Management System (ISMS).
Xero has produced a Service Organization Control (SOC 2) report. The report is the result of an independent auditor's examination of Xero's cloud based accounting system relevant to the Trust Services Criteria for Security, Availability, and Confidentiality.
Xero complies with the Payment Card Industry Data Security Standard (PCI DSS). We're a level 3 merchant and outsource our credit card processing functions to PCI DSS-compliant level 1 service providers. Xero is compliant with PCI DSS v3.2, SAQ A.
If you have questions, or would like to request the latest available Security Assurance Reports, please choose one of the options below.
Protecting your data
We’re committed to the security of our customers’ data and provide multiple layers of protection for the personal and financial information you trust to Xero.
You control access
We provide standard access to the Xero software through a login and password. In addition we offer the option of using multi-factor authentication. This provides a second layer of security for your Xero account. It combines something you know (your user name and password) with something you have (an authentication app on your smartphone or tablet). This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password.
We encrypt all data that goes between you and Xero using industry-standard TLS (Transport Layer Security), protecting your personal and financial data. Your data is also encrypted at rest when it is stored on our servers, and encrypted when we transfer it between data centres for backup and replication.
Xero takes a “defence in depth” approach to protecting our systems and your data. Multiple layers of security controls protect access to and within our environment, including firewalls, intrusion protection systems and network segregation. Xero’s security services are configured, monitored and maintained according to industry best practice. We partner with industry-leading security vendors to leverage their expertise and global threat intelligence to protect our systems.
Secure data centres
Xero’s servers are located within enterprise-grade hosting facilities that employ robust physical security controls to prevent physical access to the servers they house. These controls include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits. Xero maintains multiple geographically separated data replicas and hosting environments to minimise the risk of data loss or outages.
Xero’s Security team continuously monitors security systems, event logs, notifications and alerts from all systems to identify and manage threats.