Xero and AI data processing

Know what crosses the connection.

Agent Atlas can connect one Xero organisation that you explicitly select and return minimised read-only information for your requested analysis.

Effective: 14 July 2026 · Contact: support@atlas-flow.com

Consent is separate from Xero OAuth. You must review this notice and affirmatively accept AI processing before Agent Atlas opens Xero authorisation.

1. What the connection does

The first release is a Read-only pilot. It can retrieve organisation settings, accounts, contacts, invoices, payments, bank transactions and selected accounting reports through twelve reviewed tools. It has no arbitrary HTTP or Xero API request tool.

After Xero authorisation, Agent Atlas displays the organisations returned for the current authorisation event. You explicitly select the intended organisation using an opaque local choice. Agent Atlas does not silently select the first organisation.

2. Exact initial Xero scopes

The connector requests only these initial scopes:

offline_access permits rotating refresh credentials so the user does not need to sign in for every request. It does not grant write access.

3. Data categories

Depending on the user’s request, reviewed tools may return:

Tool responses are bounded and minimised. Xero content is treated as untrusted data, not as instructions to the agent.

4. AI processing

When you ask Agent Atlas to analyse Xero information, the minimum information needed for that request may be sent to the AI or model provider configured in the local Hermes installation. Review that provider’s terms, retention, location, security and no-training commitments before connecting a real organisation.

No model training

Xero API data must not be used to train, fine-tune, adapt, enhance or improve an AI model. If the configured service cannot meet that requirement, do not connect Xero.

5. Authentication and credential storage

Xero sign-in occurs on Xero’s website using Authorization Code with PKCE. Agent Atlas never asks for a Xero password and the local PKCE connector has no client secret. The one-time OAuth code and PKCE verifier remain in process memory only while the authorisation transaction completes.

Access and rotating refresh credentials, granted scopes, the Xero connection ID and the explicitly selected organisation ID are encrypted locally for the current Windows user with DPAPI. Atomic replacement and cross-process refresh locking protect rotating credential updates. Production does not fall back to plaintext storage.

6. Audit and minimisation

Read operations produce payload-free, redacting and tamper-evident local audit events. Events can include the reviewed operation name, outcome, endpoint category, provider HTTP status and rate-limit counters. They exclude OAuth credentials, organisation IDs and Xero response payloads.

7. Writes are disabled

Invoices, contacts, payments, banking, journals, and settings cannot be changed in the first pilot. Write scopes and handlers are not exposed by the released MCP server.

A future write capability would require an additive Xero scope and fresh consent, a separate registered capability, exact proposed-payload review, approval bound to that operation and payload, one-time execution, replay resistance, payload-safe auditing, Xero read-back verification and Demo Company testing. Enabling invoice writes would not enable contact, payment, banking, journal or settings writes.

8. Demo Company acceptance

The first live connection must use a Xero Demo Company. Acceptance covers consent, callback state, explicit organisation selection, read tools, rotating refresh, restart persistence, reconnect, remote disconnect or revocation and local credential deletion. A real organisation remains blocked until the evidence is reviewed and explicitly approved.

9. Disconnect and deletion

You can skip Xero, disconnect it through Agent Atlas, revoke the app in Xero and remove the local connection. Disconnect attempts remote connection deletion or refresh-token revocation, encrypted local credential deletion and removal of the managed Xero MCP entry. Remote and local outcomes are reported separately so partial cleanup is visible.

Support files may remain after disconnect because they contain no connection credentials. They can be removed separately when cleanup is convenient.

10. Questions or withdrawal

Do not proceed with OAuth if you do not accept this processing. After connecting, stop future processing by disconnecting and revoking the app. Direct questions or privacy requests to support@atlas-flow.com without including passwords, tokens or accounting payloads.