// Trust & Security Report

    Xero Limited logo

    Xero Limited

    Xero cloud accounting platform for small businesses, accountants and bookkeepers (Starter/Standard/Premium plans), with JAX ("Just Ask Xero") as an embedded AI finance companion feature (chat-based Q&A, automated bank reconciliation, financial insights) rather than a separate standalone AI product

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 (Type II)
    HELD

    If you want more detailed information, we've produced a Service Organization Control (SOC 2) report, which is available on request. The SOC 2 report was produced after an independent auditor's examination of our service controls.

    Verify on xero.com
    ISO/IEC 27001:2022
    HELD

    Xero is certified as compliant with ISO/IEC 27001:2022, which is globally recognised as the premier information security management system (ISMS) standard.

    Verify on xero.com
    PCI DSS
    HELD

    Xero complies with the Payment Card Industry Data Security Standard (PCI DSS), and is a level 2 merchant that outsources credit card processing functions to PCI DSS-compliant level 1 service providers.

    Verify on xero.com
    GDPR (compliance posture, not a certification)
    HELD

    Additional information if you're in the European Economic Area ("EEA") or United Kingdom ("UK") ... UK Controller. If you're in the UK, Xero (UK) Limited is the controller of your personal data ... when we transfer personal data to another country, we put safeguards in place to protect your personal data.

    Verify on xero.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence. Xero's own trust/security and privacy pages make no HIPAA reference; Xero is a general small-business accounting platform, not a healthcare/PHI processor, and offers no BAA program.

    source: xero.com
    ISO 27017 / ISO 27018 (cloud security / PII in cloud)
    NOT CONFIRMED

    No public evidence found for these certifications; only ISO/IEC 27001:2022 is documented on Xero's security page.

    source: xero.com
    ISO 27701 (privacy information management)
    NOT CONFIRMED

    No public evidence found.

    source: xero.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found. Searched specifically for Xero + ISO 42001; no vendor page, press release, or third-party audit registry entry located.

    source: xero.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found.

    source: xero.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; Xero's go-to-market is SMB/accountant-focused (AU/NZ/UK/US/global), not US federal government, and it does not appear on the FedRAMP marketplace.

    source: xero.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Global platform; HQ in New Zealand with entities/data hosting across Australia, New Zealand, UK, US and elsewhere. For EEA/UK personal data transferred internationally, Xero states it applies safeguards (Standard Contractual Clauses per third-party reporting) rather than offering customer-selectable data residency.

    Xero's privacy notice states personal data is used 'to deliver our services ... (including using AI/ML)' and 'to improve our services ... (including using AI/ML)', which covers general product AI/ML use. For the JAX AI feature specifically, third-party and support reporting (not a direct vendor-page fetch, since https://www.xero.com/us/ai-in-accounting/jax/ returned HTTP 503 to this review's crawler) states JAX does not use customer data to train the underlying LLMs, and that data sent to model providers (AWS, Azure, GCP, OpenAI) is not retained for training. During the JAX beta an explicit opt-out toggle existed; post-beta, opting out means simply not sending messages to JAX chat (per-feature opt-in/opt-out, e.g. per bank account for auto-reconciliation). This should be re-verified directly against the live JAX page before being surfaced as a hard guarantee.

    // Security controls

    SOC 2 report availability

    Produced annually via independent auditor examination of service controls; available on request (or by direct download for logged-in Xero Central users). External reporting places the program running since 2016 and covering Security, Availability, and Confidentiality Trust Services Criteria (Type II), though the vendor's own privacy notice text captured directly does not itself state the report type.

    xero.com

    Encryption / data protection

    Xero states it has 'appropriate technical and organisational measures' in place and directs users to its dedicated security pages for details; specific in-transit/at-rest algorithm details were not captured directly (vendor page returned HTTP 503 to this review's fetch).

    xero.com

    Phishing / account protection

    Multi-factor authentication (MFA) is available combining username/password with an authenticator app; genuine Xero email only comes from @xero.com and related subdomains.

    central.xero.com

    International data transfers

    Personal data may be processed in countries other than the user's home country (e.g. Australia, New Zealand, United States) due to team/hosting locations; Xero states it puts safeguards in place for such transfers.

    xero.com

    Security incident / threat monitoring

    Xero states it uses malware and monitoring tools to detect suspicious activity and block unauthorised access as part of its personal-data security management purpose.

    xero.com

    // Products & data scope

    Xero Accounting (Starter / Standard / Premium)Cloud accounting software (SMB)

    data: Core financial data: invoices, bank feeds, payroll, expenses, contacts, billing/payment data.

    Flagship product; over 4.9 million customers per vendor homepage. Certifications (SOC 2, ISO 27001, PCI DSS) apply at the platform level and cover this core product.

    JAX (Just Ask Xero) - AI finance partnerEmbedded AI assistant / agent

    data: Reads the subscriber's Xero organization financial and business data to answer questions, surface insights, and (for enabled accounts) perform automated bank reconciliation.

    Rolling out from beta to general availability; per-feature and per-bank-account opt-in/opt-out. Reported to route data to third-party model providers (e.g. OpenAI, plus cloud infra AWS/Azure/GCP) without retaining it for model training, per third-party reporting; verify directly on the live JAX page before publishing as a guarantee (page returned HTTP 503 to this review's crawler).

    Xero for Accountants & BookkeepersPractice management / multi-client tooling

    data: Aggregated access to multiple client organizations' financial data under practice-level permissions.

    Same underlying platform and compliance posture as core Xero Accounting; distinguished by role/permission scope, not a separate security tier.

    Xero App Store integrationsThird-party app marketplace

    data: Third-party apps integrated via the Xero App Store are governed by each integrator's own terms and privacy policy, not Xero's certifications.

    Data shared with connected third-party apps falls outside Xero's own compliance scope; assess each integration separately.

    // What to watch

    • Recommend a follow-up direct fetch/manual confirmation of exact cert scope, dates and audit period before displaying a 'verified' badge.
    • SOC 2 report type (Type II) and Trust Services Criteria scope (Security/Availability/Confidentiality) come from third-party/search reporting, not from the literal text captured in the evidence file (which confirms a SOC 2 report exists and is available on request, but does not itself state 'Type II').
    • Naming/identity note for the directory: the listing name 'Xero AI' refers to Xero Limited's JAX AI feature bundled into its accounting platform, not a standalone AI company. Do not confuse with 'Xerox' (a different company, trust.corp.xerox.com) which appeared adjacent in search results for 'Xero trust center'.
    • AI-training no-train claim for JAX is sourced from third-party/support reporting, not a directly fetched vendor statement in this session (page 503'd) - re-verify before using as a hard compliance claim.
    • No evidence of AI-governance certs (ISO/IEC 42001, CSA STAR) despite Xero shipping an AI feature (JAX); this is common for the current market but worth periodic re-check as JAX matures out of beta.

    // At a glance

    Pricing model

    Subscription tiers (Starter/Standard/Premium), promotional first-3-months pricing, 30-day free trial; no credit card required for trial

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Xero Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    xero.com

    > Browse all vendor trust reports