Your request
You review the notice and decide whether to connect and what analysis to request.
Agent Atlas · Xero connector
Agent Atlas connects an explicitly selected Xero organisation to a configured AI service for requested analysis. The first release is deliberately read-only, consent-led and tested against a Demo Company before real use.
The connection boundary
OAuth permission alone is not enough. You review the data-processing notice, consent to the connection, explicitly select the Xero organisation, and decide what to ask. Agent Atlas sends only the information needed for that request to the AI service configured in the local Hermes installation.
You review the notice and decide whether to connect and what analysis to request.
You explicitly select the authorised organisation. The first tenant is never silently chosen.
Only the Xero information required to answer the request is returned through reviewed tools.
The configured provider processes the request under its own reviewed data-handling terms.
First release
The connector can support questions about organisation settings, accounts, contacts, invoices, payments, bank transactions and selected accounting reports. It does not expose an arbitrary Xero request tool.
Invoices, contacts, payments, banking, journals, and settings cannot be changed in the first pilot. Future write access would require separate Xero consent, capability release, exact-operation approval and Demo Company acceptance.
Operational controls
Xero sign-in occurs on Xero’s website using Authorization Code with PKCE. There is no client secret. OAuth credentials are encrypted for the current Windows user, and connection audit records exclude accounting payloads and credential values.
Live acceptance begins with a Xero Demo Company. A real organisation remains blocked until evidence is reviewed and approved.
Xero API data must not be used to train, fine-tune, adapt, enhance or improve an AI model.
You can skip Xero, test the connection, disconnect it, revoke Xero access and remove the encrypted local connection.
Before connecting
These pages explain the pilot boundaries and the data path. Commercial rollout requires suitable Australian legal, privacy, accounting and security review.
How site and connector information is processed, minimised, retained and deleted.
The exact scopes, categories, AI-processing boundary and connected-user controls.
Connection help, privacy requests, safe diagnostics and security reporting.