// Trust & Security Report
Xero Limited
Xero cloud accounting platform for small businesses, accountants and bookkeepers (Starter/Standard/Premium plans), with JAX ("Just Ask Xero") as an embedded AI finance companion feature (chat-based Q&A, automated bank reconciliation, financial insights) rather than a separate standalone AI product
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on xero.com“If you want more detailed information, we've produced a Service Organization Control (SOC 2) report, which is available on request. The SOC 2 report was produced after an independent auditor's examination of our service controls.”
Verify on xero.com“Xero is certified as compliant with ISO/IEC 27001:2022, which is globally recognised as the premier information security management system (ISMS) standard.”
Verify on xero.com“Xero complies with the Payment Card Industry Data Security Standard (PCI DSS), and is a level 2 merchant that outsources credit card processing functions to PCI DSS-compliant level 1 service providers.”
Verify on xero.com“Additional information if you're in the European Economic Area ("EEA") or United Kingdom ("UK") ... UK Controller. If you're in the UK, Xero (UK) Limited is the controller of your personal data ... when we transfer personal data to another country, we put safeguards in place to protect your personal data.”
> Show 6 unconfirmed / not-held certifications
source: xero.comNo public evidence. Xero's own trust/security and privacy pages make no HIPAA reference; Xero is a general small-business accounting platform, not a healthcare/PHI processor, and offers no BAA program.
source: xero.comNo public evidence found for these certifications; only ISO/IEC 27001:2022 is documented on Xero's security page.
source: xero.comNo public evidence found. Searched specifically for Xero + ISO 42001; no vendor page, press release, or third-party audit registry entry located.
source: xero.comNo public evidence found; Xero's go-to-market is SMB/accountant-focused (AU/NZ/UK/US/global), not US federal government, and it does not appear on the FedRAMP marketplace.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Global platform; HQ in New Zealand with entities/data hosting across Australia, New Zealand, UK, US and elsewhere. For EEA/UK personal data transferred internationally, Xero states it applies safeguards (Standard Contractual Clauses per third-party reporting) rather than offering customer-selectable data residency.
Xero's privacy notice states personal data is used 'to deliver our services ... (including using AI/ML)' and 'to improve our services ... (including using AI/ML)', which covers general product AI/ML use. For the JAX AI feature specifically, third-party and support reporting (not a direct vendor-page fetch, since https://www.xero.com/us/ai-in-accounting/jax/ returned HTTP 503 to this review's crawler) states JAX does not use customer data to train the underlying LLMs, and that data sent to model providers (AWS, Azure, GCP, OpenAI) is not retained for training. During the JAX beta an explicit opt-out toggle existed; post-beta, opting out means simply not sending messages to JAX chat (per-feature opt-in/opt-out, e.g. per bank account for auto-reconciliation). This should be re-verified directly against the live JAX page before being surfaced as a hard guarantee.
// Security controls
SOC 2 report availability
Produced annually via independent auditor examination of service controls; available on request (or by direct download for logged-in Xero Central users). External reporting places the program running since 2016 and covering Security, Availability, and Confidentiality Trust Services Criteria (Type II), though the vendor's own privacy notice text captured directly does not itself state the report type.
xero.comEncryption / data protection
Xero states it has 'appropriate technical and organisational measures' in place and directs users to its dedicated security pages for details; specific in-transit/at-rest algorithm details were not captured directly (vendor page returned HTTP 503 to this review's fetch).
xero.comPhishing / account protection
Multi-factor authentication (MFA) is available combining username/password with an authenticator app; genuine Xero email only comes from @xero.com and related subdomains.
central.xero.comInternational data transfers
Personal data may be processed in countries other than the user's home country (e.g. Australia, New Zealand, United States) due to team/hosting locations; Xero states it puts safeguards in place for such transfers.
xero.comSecurity incident / threat monitoring
Xero states it uses malware and monitoring tools to detect suspicious activity and block unauthorised access as part of its personal-data security management purpose.
xero.com// Products & data scope
data: Core financial data: invoices, bank feeds, payroll, expenses, contacts, billing/payment data.
Flagship product; over 4.9 million customers per vendor homepage. Certifications (SOC 2, ISO 27001, PCI DSS) apply at the platform level and cover this core product.
data: Reads the subscriber's Xero organization financial and business data to answer questions, surface insights, and (for enabled accounts) perform automated bank reconciliation.
Rolling out from beta to general availability; per-feature and per-bank-account opt-in/opt-out. Reported to route data to third-party model providers (e.g. OpenAI, plus cloud infra AWS/Azure/GCP) without retaining it for model training, per third-party reporting; verify directly on the live JAX page before publishing as a guarantee (page returned HTTP 503 to this review's crawler).
data: Aggregated access to multiple client organizations' financial data under practice-level permissions.
Same underlying platform and compliance posture as core Xero Accounting; distinguished by role/permission scope, not a separate security tier.
data: Third-party apps integrated via the Xero App Store are governed by each integrator's own terms and privacy policy, not Xero's certifications.
Data shared with connected third-party apps falls outside Xero's own compliance scope; assess each integration separately.
// What to watch
- Recommend a follow-up direct fetch/manual confirmation of exact cert scope, dates and audit period before displaying a 'verified' badge.
- SOC 2 report type (Type II) and Trust Services Criteria scope (Security/Availability/Confidentiality) come from third-party/search reporting, not from the literal text captured in the evidence file (which confirms a SOC 2 report exists and is available on request, but does not itself state 'Type II').
- Naming/identity note for the directory: the listing name 'Xero AI' refers to Xero Limited's JAX AI feature bundled into its accounting platform, not a standalone AI company. Do not confuse with 'Xerox' (a different company, trust.corp.xerox.com) which appeared adjacent in search results for 'Xero trust center'.
- AI-training no-train claim for JAX is sourced from third-party/support reporting, not a directly fetched vendor statement in this session (page 503'd) - re-verify before using as a hard compliance claim.
- No evidence of AI-governance certs (ISO/IEC 42001, CSA STAR) despite Xero shipping an AI feature (JAX); this is common for the current market but worth periodic re-check as JAX matures out of beta.
// At a glance
Pricing model
Subscription tiers (Starter/Standard/Premium), promotional first-3-months pricing, 30-day free trial; no credit card required for trial
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Xero Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
xero.com