The Security Standard for Add-on Marketplaces (SSAM) can apply to both cloud based DSPs and third party add-ons that integrate with DSPs via API.
Third party add-ons currently connected to or wishing to integrate with Xero, Intuit, MYOB, Reckon, Sage or any other cloud based DSP that handles taxation, accounting, payroll or superannuation data is expected to meet the SSAM security requirements.
The table below provides information about where the standards do apply and where they do not apply to third party add-ons.
|Third Party Add-ons|
|Where the standards apply||
Widely used third party apps that integrate via API with cloud based DSPs who are not covered by the Operational Framework directly.
Third party apps with more than 1,000 connections to Australian business customers of a DSP.
Third party apps who are connected to the practice client list of an Australian tax or BAS agent (practice connection).
|Where the standards do not apply||
Products already covered under the Operational Framework.
Third party apps that do not integrate with DSPs.
Third party apps with less than 1,000 connections.
Third party apps that do not connect to practice client lists of tax or BAS agents.
DSPs play a critical role in supporting the SSAM requirements and regulating third party add-ons. If you are a cloud based DSP that features an API powered third party ecosystem, we recommend familiarising yourself with the SSAM and understand your role here. Find out more under Information for DSPs.
You can download a copy of the standard (PDF) here: Security Standard for Add-on Marketplaces (SSAM). Last updated August 2019.