
The Security Standard for Add-on Marketplaces (SSAM) is an extension of the ATO's Operational Framework and is intended to provide guidance for cloud-based third-party applications that integrate via API with Digital Service Providers (DSPs).

The SSAM supports the DSP Operational Framework. For DSPs, it adds an extra section of reporting to the Operational Framework Questionnaire. For third-party app developers, it means providing a self-assessment to each DSP they integrate with on an annual basis.

The main aim of these standards is to further bolster the protection of data across this ecosystem, in particular client data. Because every marketplace assesses add-ons against the same requirements, the SSAM should also increase the portability of third-party add-on certifications between DSP marketplaces.

Below is a summary of each security requirement, along with the aim of that requirement.

Security Requirement                                 Aim of Security Requirement
Encryption key management                            Ensure effective key management is implemented to protect client data
Encryption in transit                                Ensure that sensitive client data in your app is protected while in transit
Authentication                                       Ensure that users who access your app are authenticated
Indirect access to data                              Ensure that unauthorised third parties are unable to access client data
App server configuration                             Ensure that your app server is securely configured
Vulnerability management                             Ensure that your app is secure against common vulnerabilities
Encryption at rest                                   Ensure that sensitive client data in your app is protected while at rest
Audit logging                                        Ensure appropriate audit logging functionality is implemented and maintained
Data hosting                                         Ensure client data is not hosted in high-risk locations
Security monitoring practices and breach reporting   Ensure you have security monitoring practices in place to detect and manage threats, and report breaches


For more information about each of the requirements, including the detailed controls behind each aim, please review the standards document.
