The Security Standard for Add-on Marketplaces (SSAM) can apply to both cloud based DSPs and third party applications that integrate with DSPs via API.
Third party apps currently connected to or wishing to integrate with Xero, Intuit, MYOB, Reckon, Sage or any other cloud based DSP that handles taxation, accounting, payroll or superannuation data is expected to meet the SSAM security requirements.
The table below provides information about where the standards do apply and where they do not apply to both DSPs and third party apps.
|DSPs||Third Party App/Add-on|
|Where the standards apply||DSPs with cloud based applications that feature an API powered third party ecosystem.||
Widely used third party apps that integrate via API with cloud based DSPs who are not covered by the Operational Framework directly.
Third party apps with more than 1,000 connections to Australian business customers of a DSP.
Third party apps who are connected to the practice client list of an Australian tax or BAS agent (practice connection).
|Where the standards do not apply||
DSPs already covered under the Operational Framework.
DSPs that do not operate an API powered third party ecosystem.
DSPs that are not cloud based and only have desktop third party add-ons.
Products already covered under the Operational Framework.
Third party apps that do not integrate with DSPs.
Third party apps with less than 1,000 connections.
Third party apps that do not connect to practice client lists of tax or BAS agents.
You can download a copy of the standard (PDF) here: Security Standard for Add-on Marketplaces (SSAM). Last updated August 2019.