Xero (with JAX / Just Ask Xero)

NZ relevance note

Xero is included as a Vertical SaaS AI vendor in this database with particular attention to its New Zealand customer base. Xero was founded in Wellington in 2006, is now headquartered in Melbourne and listed on the Australian Securities Exchange, and remains the dominant cloud accounting platform for NZ SMBs. Most NZ small businesses with an accountant or bookkeeper use Xero. JAX (Just Ask Xero) and the broader Xero OS are now the default AI surface for NZ SMB financial data. The privacy posture analysis below applies globally but matters most to readers handling NZ business financial information.

Plain-English risk rating: 2 of 5

Xero's AI features (JAX as the headline generative assistant, plus AI-powered bank reconciliation, data capture, and the broader Xero OS platform) sit within Xero's enterprise-grade SaaS infrastructure. Xero holds SOC 2 Type II and ISO 27001 certifications, operates regional data residency for AU/NZ customers, and has invested heavily in AI-specific security and privacy controls as part of the JAX positioning. The March 2026 Xero-Anthropic partnership announcement and May 2026 live integration confirm Claude as the primary LLM partner for JAX (with OpenAI used for web-research features).

The risk picture is dominated by (a) the breadth of financial data JAX has access to (literally every transaction in the customer's Xero account), (b) the agentic capability of JAX to execute financial operations (creating invoices, initiating payments, reconciling transactions) which puts JAX in the same agentic-AI risk category as Microsoft 365 Copilot, and (c) the integration trajectory — as JAX becomes more deeply embedded in Xero's core, the attack surface grows.

Recommended for

  • Sole proprietor: Xero Starter at NZD $45/month or AUD $42/month includes basic AI features. Acceptable for solo accounting and tax basics.
  • Small team (2-10 people): Xero Standard or Premium with full JAX features. The privacy posture is genuinely enterprise-grade.
  • Regulated industry: Xero with appropriate AU/NZ data residency, BAA available for relevant configurations, and explicit policy guidance on which JAX capabilities are enabled for which user roles.
  • The honest answer for most 1-10 employee NZ businesses: If you use Xero (which most NZ SMBs do), JAX is the AI surface for your financial data and the privacy posture is appropriate for SMB use. The deliberate decision is whether to enable JAX's agentic-action features (auto-payment initiation, auto-reconciliation) versus restricting JAX to advisory-only (analysis, suggestions, drafts). For most SMBs, advisory-only is the right starting posture; expand to agentic actions only after operational confidence with the suggestions.

Critical pre-deployment warning (agentic financial actions)

JAX's agentic capabilities include initiating payments, creating invoices, reconciling transactions, and (per Xero's 2026 product roadmap) executing increasingly complex financial workflows. Treat any JAX agentic action that moves money or modifies financial records as a privileged operation that warrants human review. The structural risk pattern is the same one seen with Replit's AI agent (which deleted a production database) and Microsoft 365 Copilot (the EchoLeak flaw, in which injected content caused Copilot to exfiltrate sensitive data): an agent holding destructive privileges can be steered by instructions hidden in the content it processes (indirect prompt injection) and act against the operator's explicit instructions. For JAX, that content includes the bills, receipts and bank-feed data it ingests, which is exactly the material an outside party can put in front of it.

Mitigation: configure JAX's agentic actions with explicit approval workflows for any operation above a threshold dollar value and for any payment to a payee the business has not paid before (a per-item threshold on its own is defeated by splitting a payment into smaller pieces, so a cumulative daily limit is worth adding), audit JAX action history weekly, and treat unexpected JAX suggestions involving fund movement with the same scrutiny you would apply to an unexpected payment request arriving by email.
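As an added illustration of the mitigation above (not Xero's code; JAX's actual approval settings are not documented on this page), the following Python models an approval gate a finance team could place between an agent's proposed actions and their execution. The action kinds, field names, thresholds and the `source` provenance tag are assumptions. The gate auto-approves only advisory output, blocks any action whose instruction originated in ingested content, routes record changes and payments above a per-item limit or to an unknown payee to a human, and tracks the cumulative auto-approved total per day so a payment split into sub-threshold pieces is still caught. Every decision lands in an audit log that a weekly report summarises.

```python
# Added example: an approval gate for agent-proposed financial actions.
# Hypothetical code, not Xero's or JAX's API; action kinds, field names,
# thresholds and the "source" provenance tag are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Literal

Decision = Literal["auto", "review", "block"]

ADVISORY = frozenset({"draft", "analyse", "suggest"})          # no side effects
RECORD_MODIFYING = frozenset({"create_invoice", "reconcile"})  # changes the ledger
MONEY_MOVING = frozenset({"pay"})                              # moves funds


@dataclass(frozen=True)
class ProposedAction:
    kind: str
    amount: float = 0.0
    payee: str = ""
    when: date = date(2026, 5, 5)
    # Assumed provenance tag from the agent runtime: "user" when the operator
    # asked for the action, "content" when the instruction was found inside
    # ingested material (a supplier bill, a bank-feed memo, an emailed PDF).
    source: str = "user"


@dataclass(frozen=True)
class GatePolicy:
    advisory_only: bool = True        # recommended starting posture
    auto_limit: float = 500.0         # largest single item auto-approved
    daily_limit: float = 2000.0       # cumulative auto-approved payments per day
    known_payees: frozenset = frozenset()


@dataclass
class ActionGate:
    policy: GatePolicy
    audit: list = field(default_factory=list)
    _auto_paid: dict = field(default_factory=dict)   # date -> auto-approved total

    def decide(self, a: ProposedAction) -> Decision:
        d = self._evaluate(a)
        if d == "auto" and a.kind in MONEY_MOVING:
            self._auto_paid[a.when] = self._auto_paid.get(a.when, 0.0) + a.amount
        self.audit.append({"when": a.when, "kind": a.kind, "amount": a.amount,
                           "payee": a.payee, "source": a.source, "decision": d})
        return d

    def _evaluate(self, a: ProposedAction) -> Decision:
        if a.kind in ADVISORY:
            return "auto"          # drafts and analysis never commit anything
        if a.kind not in RECORD_MODIFYING | MONEY_MOVING:
            return "block"         # unknown action kinds are denied, not guessed at
        if a.source != "user":
            return "block"         # instructions embedded in content never execute
        if self.policy.advisory_only:
            return "review"        # every committing action needs a human
        if a.amount > self.policy.auto_limit:
            return "review"
        if a.kind in MONEY_MOVING:
            if a.payee not in self.policy.known_payees:
                return "review"    # new payee, regardless of amount
            if self._auto_paid.get(a.when, 0.0) + a.amount > self.policy.daily_limit:
                return "review"    # catches payments split to stay under auto_limit
        return "auto"


def weekly_report(gate: ActionGate, week_start: date) -> dict:
    """Summarise one week of gate decisions for the weekly human audit."""
    end = week_start + timedelta(days=7)
    rows = [r for r in gate.audit if week_start <= r["when"] < end]
    report = {"auto": 0, "review": 0, "block": 0, "auto_total": 0.0}
    for r in rows:
        report[r["decision"]] += 1
        if r["decision"] == "auto" and r["kind"] in MONEY_MOVING:
            report["auto_total"] += r["amount"]
    report["blocked_items"] = [r for r in rows if r["decision"] == "block"]
    return report


def run_demo():
    """Constructed scenario: gate opened up to agentic mode with tight limits."""
    policy = GatePolicy(advisory_only=False, auto_limit=500.0, daily_limit=1000.0,
                        known_payees=frozenset({"Acme Supplies"}))
    gate = ActionGate(policy)
    proposals = [
        ProposedAction("draft"),                                        # auto
        ProposedAction("pay", 400.0, "Acme Supplies"),                  # auto (400 today)
        ProposedAction("pay", 400.0, "Acme Supplies"),                  # auto (800 today)
        ProposedAction("pay", 400.0, "Acme Supplies"),                  # review: daily cap
        ProposedAction("pay", 50.0, "New Vendor Ltd"),                  # review: unknown payee
        ProposedAction("pay", 50.0, "Acme Supplies", source="content"), # block: injected
        ProposedAction("reconcile", 200.0),                             # auto: under limit
        ProposedAction("delete_ledger"),                                # block: unknown kind
    ]
    decisions = [gate.decide(p) for p in proposals]
    return decisions, weekly_report(gate, date(2026, 5, 4))


def advisory_only_example() -> Decision:
    """Default policy: even a small payment to a known payee goes to review."""
    gate = ActionGate(GatePolicy(known_payees=frozenset({"Acme Supplies"})))
    return gate.decide(ProposedAction("pay", 10.0, "Acme Supplies"))


if __name__ == "__main__":
    decisions, report = run_demo()
    for i, d in enumerate(decisions):
        print(i, d)
    print(report)
```

The ordering of the checks is the point: provenance and unknown-action denial come before any dollar logic, so no threshold setting can let content-sourced instructions through, and the daily cap is applied to the running auto-approved total rather than to the single item in front of the gate.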

Data retention default

  • Standard Xero retention applies to financial records, driven by regulatory requirements: 7 years in NZ under tax law; in Australia the ATO's general rule is 5 years for tax records, with company financial records kept 7 years under the Corporations Act
  • LLM provider retention: zero-retention under Xero's contractual arrangements with Anthropic and OpenAI
  • JAX conversation history retained per workspace configuration for audit purposes
  • Receipt and document AI processing: extracted data stored as part of the Xero record; original images stored per Xero standard retention

Training opt-out

NO TRAINING ON CUSTOMER DATA BY DEFAULT. Xero's subprocessor agreements with Anthropic and OpenAI prohibit using customer financial data for LLM training.

Xero may use aggregate de-identified data for product improvement and benchmarking ("average revenue for a restaurant with five employees" is the marketed example use case for JAX's benchmarking feature). The aggregation methodology is part of Xero's published privacy framework but is the area worth verifying per current documentation.

Zero Data Retention availability

  • Default for JAX LLM processing via contractual zero-retention with Anthropic and OpenAI
  • AU/NZ Data Residency available; data processed in AU/NZ regions for AU/NZ-hosted workspaces

Plan tiers and pricing (as of early 2026, NZ pricing in NZD)

Tier       NZ price (NZD)   AU price (AUD)   AI features                    Suitable for
Starter    $45/month        $42/month        Basic JAX                      Sole proprietors
Standard   $90/month        $84/month        Full JAX                       Small teams
Premium    $135/month       $126/month       Full JAX + multi-currency      Growing businesses
Ultimate   Custom           Custom           Full JAX + advanced features   Larger SMBs

Xero pricing has shifted multiple times during 2024-2026. Verify current pricing at xero.com/nz/pricing.

Jurisdiction

  • Primary processor: Xero Limited, Melbourne, Australia (with Wellington, NZ subsidiary as origin entity)
  • Cloud infrastructure: AWS primarily; AU/NZ data residency available
  • Third-party AI subprocessors: Anthropic (primary partner per March 2026 agreement), OpenAI (web research features)
  • SOC 2 Type II, ISO 27001 certified
  • Subject to NZ Privacy Act 2020, Australian Privacy Act, EU GDPR (for EU customers), and applicable tax law in each operating jurisdiction
  • Connected to over 21,000 global financial institutions for bank feed integration

Breach history (public incidents)

No major direct breach of Xero infrastructure publicly disclosed affecting customer financial data as of May 2026. This is meaningful given Xero's user base scale and the high-value-target nature of financial-platform data.

Note on the third-party app ecosystem: Xero's app marketplace (over 1,000 connected apps) follows a similar pattern to Shopify's: the most common breach vector for Xero customers is compromise of a third-party app rather than of the Xero platform itself. A connected app holds an OAuth grant to the organisation's data that persists until someone revokes it, so a dormant app is standing access. SMBs should audit their connected apps quarterly, remove ones no longer in active use, and check that the scopes each remaining app holds match what it actually does.

Category-level risk: JAX's agentic capabilities put Xero in the same risk category as other agentic AI products. The financial nature of the operations makes this particularly important to configure deliberately. The Xero-Anthropic integration also means that Claude vulnerabilities (CVE-2025-59536, CVE-2026-21852 from the Claude profile) could in principle affect JAX behaviour. Xero's defensive prompting and validation layers reduce this risk but do not remove it: prompt injection against an LLM has no complete fix, which is why the approval workflow above matters more than any prompt-level control.

What this means in plain English for SMB owners

Three honest takeaways:

  1. For NZ SMBs, JAX is the AI surface for your financial data whether you actively engage with it or not. It is being progressively integrated into Xero's core workflows. The privacy posture is appropriate for SMB use, but the breadth of access JAX has to your financial data is structural: understand what it can see before deciding what it is allowed to do.
  2. The agentic-action capabilities of JAX are the deliberate decision point. Advisory-only JAX (drafts, analysis, suggestions) is a low-risk addition. JAX as an autonomous agent moving money is a higher-risk deployment that needs explicit approval workflows and audit discipline. Default to advisory-only; expand only after operational confidence.
  3. The Xero-Anthropic integration, live since May 2026, is genuinely useful for NZ SMBs but adds a dependency. When you can query your Xero data inside Claude conversations, the privacy posture depends on both vendors' commitments holding up. Anthropic's Claude profile in this database notes the September 2025 consumer-terms change (training-on-by-default for consumer Claude tiers). The Xero integration uses commercial-tier Claude with no-training defaults, but the broader Anthropic risk picture is worth understanding before relying on the integration heavily.

Sources

  • Xero JAX product page: https://www.xero.com/us/ai-in-accounting/jax/ (verified 2026-05-24)
  • Xero media release: JAX AI superagent launches powerful new features (September 2025)
  • Xero blog: The future of small business starts here with JAX (October 2025)
  • Accounting Today: Xero aims to make AI core to platform functionality (March 2026)
  • The Fintech Times: Xero and Anthropic Strike Multi-Year Partnership (March 2026)
  • CPA Practice Advisor: Xero Introduces AI-Native Operating System for Accountants (April 2026)
  • CPA Practice Advisor: XeroForce Natural Language Custom AI Agent Builder (May 2026)
  • Xero media release: AI-powered data capture and extraction (February 2026)
  • Coefficient: Latest Xero AI Features (September 2025)
