Xero and AI data processing
Know what crosses the connection.
Agent Atlas can connect one Xero organisation that you explicitly select and return minimised read-only information for your requested analysis.
Effective: 14 July 2026 · Contact: support@atlas-flow.com
1. What the connection does
The first release is a Read-only pilot. It can retrieve organisation settings, accounts, contacts, invoices, payments, bank transactions and selected accounting reports through twelve reviewed tools. It has no arbitrary HTTP or Xero API request tool.
After Xero authorisation, Agent Atlas displays the organisations returned for the current authorisation event. You explicitly select the intended organisation using an opaque local choice. Agent Atlas does not silently select the first organisation.
2. Exact initial Xero scopes
The connector requests only these initial scopes:
offline_accessaccounting.settings.readaccounting.contacts.readaccounting.invoices.readaccounting.payments.readaccounting.banktransactions.readaccounting.reports.aged.readaccounting.reports.balancesheet.readaccounting.reports.profitandloss.readaccounting.reports.trialbalance.read
offline_access permits rotating refresh credentials so the user does not need to sign in for every request. It does not grant write access.
3. Data categories
Depending on the user’s request, reviewed tools may return:
- organisation identity, settings and accounts;
- contact names and bounded contact details;
- invoice identifiers, dates, status, totals and bounded line context;
- payment and bank-transaction summaries;
- aged receivables or payables, balance sheet, profit and loss, and trial balance report data;
- safe provider status and rate-limit information needed to operate the connection.
Tool responses are bounded and minimised. Xero content is treated as untrusted data, not as instructions to the agent.
4. AI processing
When you ask Agent Atlas to analyse Xero information, the minimum information needed for that request may be sent to the AI or model provider configured in the local Hermes installation. Review that provider’s terms, retention, location, security and no-training commitments before connecting a real organisation.
No model training
Xero API data must not be used to train, fine-tune, adapt, enhance or improve an AI model. If the configured service cannot meet that requirement, do not connect Xero.
5. Authentication and credential storage
Xero sign-in occurs on Xero’s website using Authorization Code with PKCE. Agent Atlas never asks for a Xero password and the local PKCE connector has no client secret. The one-time OAuth code and PKCE verifier remain in process memory only while the authorisation transaction completes.
Access and rotating refresh credentials, granted scopes, the Xero connection ID and the explicitly selected organisation ID are encrypted locally for the current Windows user with DPAPI. Atomic replacement and cross-process refresh locking protect rotating credential updates. Production does not fall back to plaintext storage.
6. Audit and minimisation
Read operations produce payload-free, redacting and tamper-evident local audit events. Events can include the reviewed operation name, outcome, endpoint category, provider HTTP status and rate-limit counters. They exclude OAuth credentials, organisation IDs and Xero response payloads.
7. Writes are disabled
Invoices, contacts, payments, banking, journals, and settings cannot be changed in the first pilot. Write scopes and handlers are not exposed by the released MCP server.
A future write capability would require an additive Xero scope and fresh consent, a separate registered capability, exact proposed-payload review, approval bound to that operation and payload, one-time execution, replay resistance, payload-safe auditing, Xero read-back verification and Demo Company testing. Enabling invoice writes would not enable contact, payment, banking, journal or settings writes.
8. Demo Company acceptance
The first live connection must use a Xero Demo Company. Acceptance covers consent, callback state, explicit organisation selection, read tools, rotating refresh, restart persistence, reconnect, remote disconnect or revocation and local credential deletion. A real organisation remains blocked until the evidence is reviewed and explicitly approved.
9. Disconnect and deletion
You can skip Xero, disconnect it through Agent Atlas, revoke the app in Xero and remove the local connection. Disconnect attempts remote connection deletion or refresh-token revocation, encrypted local credential deletion and removal of the managed Xero MCP entry. Remote and local outcomes are reported separately so partial cleanup is visible.
Support files may remain after disconnect because they contain no connection credentials. They can be removed separately when cleanup is convenient.
10. Questions or withdrawal
Do not proceed with OAuth if you do not accept this processing. After connecting, stop future processing by disconnecting and revoking the app. Direct questions or privacy requests to support@atlas-flow.com without including passwords, tokens or accounting payloads.