The Security Standard for Add-on Marketplaces (SSAM) is an extension of the ATO's Operational Framework and is intended to provide guidance for cloud based third party add-ons that integrate via API with Digital Service Providers (DSPs).
Co-developed by ABSIA and the ATO, the SSAM outlines a consistent set of rules, specifications and practices for both DSPs and third party developers who integrate with cloud based taxation, superannuation, payroll or accounting software via API.
The security requirements specified in the SSAM were modelled closely on established industry guidelines. If an add-on is currently certified by multiple DSPs then it will probably meet the SSAM requirements already.
It is expected that if a third party add-on developer can meet the security requirements outlined in the SSAM, they should have minimal difficulty self assessing and certifying their add-on against multiple DSP ecosystems including Xero, MYOB, Intuit etc.
The standard applies to third party add-on developers with more than 1,000 connections to Australian business customers of a DSP or those who are connected to the practice client list of an Australian tax or BAS agent (practice connection).
The SSAM also outlines the minimum self assessment, breach reporting and logging requirements that are expected by DSPs that operate an ecosystem.
The SSAM will increase the protection of client data and improve the portability of apps between different vendors. The creation of common security standards across multiple accounting API ecosystems is a world first, with the opportunity for them to be expanded or adopted internationally.
You can download a copy of the standard (PDF) here: Security Standard for Add-on Marketplaces (SSAM). Last updated August 2019.
ABSIA co-hosted a webinar with the ATO to officially introduce the Security Standard for Add-on Marketplaces (SSAM) on 2 October at 10am (AEDT).