MYOB Trust Centre
The latest information on our data protection, security, reliability, privacy, and compliance practices.
MYOB takes the security and protection of our customers’ data seriously
The MYOB Trust Centre connects our customers to the latest information on our data protection, security, reliability, privacy and compliance practices.
Product security resources
At MYOB, we partner with world-class suppliers providing key infrastructure and services, such as monitoring for suspicious activity, physical security, server and power redundancy, and built-in firewalls. Please refer to the MYOB Security Practices section below for more information.
You can view product specific security information via:
Compliance and privacy
At MYOB, we comply with leading security industry standards, the security requirements of Australian and New Zealand government regulations (where applicable), and the Australian and New Zealand Privacy Acts.
Our ongoing investment in assurance practices ensures MYOB remains compliant with security standards and regulations.
ISO 27001 is an international standard specifying a framework for an information security management system (ISMS) and for information risk management.
MYOB's ISMS governs the secure development, operation, and support of the delivery of SaaS products and connected services performing business management, tax accounting, payroll, employer, or superannuation functionality operated by the MYOB technology teams in accordance with the organisational Statement of Applicability.
To verify MYOB’s ISO certification, refer to https://www.pwc.com.au/certificate
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for the handling of credit card information. The standard was created to improve protection of cardholder data to reduce credit card fraud. MYOB ensures compliance with PCI DSS for our payment card processing services.
Information security reviews
MYOB is subject to regular independent reviews including ISO 27001 and PCI DSS. Technical security reviews and testing of information systems are performed regularly in line with MYOB’s information security policy and standards.
All MYOB employees undertake relevant Compliance, Ethics and Privacy training when they start working at MYOB, followed by periodic refresher training.
At MYOB, we protect your data by using industry-leading practices and technologies. We ensure the management and monitoring of all our products and related services is ongoing, adapting where necessary to address changes in information and cyber security risk and data protection.
We value security governance: it underpins the establishment of information security policy and standards, the adoption of security risk-based approaches, conformance with internal and external requirements, and the fostering of a security-positive environment and culture.
At MYOB, the Information Security Management System (ISMS) is aligned and certified annually to the ISO 27001 standard.
We have an established information security policy along with relevant security standards outlining our information security objectives and what needs to be done to achieve them. The purpose of our information security policy and standards is to guide the protection of customer and employee information and data.
Leading cloud service providers
MYOB partners with leading cloud service suppliers who provide key infrastructure and hosting services.
- The Microsoft Azure production platform is hosted in Australia. For details about Security, Privacy, Compliance and Audits in Microsoft Azure, refer to Azure Trusted Cloud.
- The Amazon Web Services production platform is hosted in Australia. For details about Security, Privacy, Compliance and Audits in Amazon Web Services ANZ, refer to Security and Compliance for Australia and New Zealand.
MYOB has an established Business Resilience framework with implemented processes, procedures and controls to ensure the required level of continuity of information security. MYOB verifies the established and implemented information security controls at regular intervals to ensure they are effective.
MYOB has adopted threat modelling to understand and identify threats and ensure controls are put in place to protect customers’ data and minimise the risk of security incidents.
Incident management at MYOB is governed by an established policy and procedures, implemented by a dedicated internal security and incident management team. Any security incidents are handled according to the specified escalation timeframes and the type of incident. MYOB’s incident management procedures align with relevant obligations in the Australian and New Zealand privacy law, including obligations relating to mandatory data breach notifications.
MYOB has technology teams located in both Australia and New Zealand. Our cloud storage providers, Microsoft Azure and Amazon Web Services, host our data in Australia.
We have a dedicated internal security team responsible for security monitoring and incident management of MYOB online products and services and ensuring secure application development and testing practices.
MYOB has an established onboarding practice and conducts relevant assessments of employees, contractors and third-party personnel. This may include verification of academic qualifications, verification of professional qualifications, police checks and character references. Upon completion of employment at MYOB, the departure process is triggered to ensure all equipment is returned and system access is terminated.
The use of technology within MYOB is described in the acceptable usage policy governing the use of the corporate network, internet, email and software.
MYOB employees and contractors are required to undertake appropriate compliance training when they join MYOB, followed by ongoing refresher training.
Independent security testing
MYOB engages external security vendors to technically assess our products both during and post-development. Assessments are aligned to the Open Web Application Security Project (OWASP) Application Security Verification Standard, which provides:
- application developers and application owners with a yardstick to assess the degree of trust that can be placed in our online products; and
- guidance to our product engineers about building security controls to satisfy application security requirements.
At MYOB, we have a policy that outlines the security requirements for applications developed in-house and by third parties. This policy defines application security testing activities and their role in identifying application vulnerabilities. These requirements also include the adoption of security development processes and practices such as those documented by SAFEcode and Open Web Application Security Project (OWASP).
Formal change control procedures are documented and enforced to ensure the integrity of systems, applications and products, from the early design stages through all subsequent maintenance efforts. Introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control and managed implementation.
Adoption of automated tooling, including security scan tools provided by leading vendors, supports secure development practices. Development, test and operational environments are separated to reduce the risk of unauthorised access or changes to the operational environment. Access to program source code is restricted in line with the relevant policy.
At MYOB, access control is governed by a policy that sets appropriate user access restriction, management, monitoring and review as well as clear articulation of roles and responsibilities. We provide access to systems and information following the principles of “need to know” and “least privilege” and these form part of our access control policy. Care is taken that no single person can access, modify or use MYOB assets without authorisation or detection based on the principle of separation of duties.
MYOB will ensure proper and effective use of cryptography to protect the confidentiality and integrity of information according to its data classification. Encryption of data in transit and at rest is implemented in accordance with our encryption policy.
All systems are kept up to date with appropriate patch levels in accordance with the relevant internal policy, which also includes implementation of protective mechanisms against malware in all systems.
MYOB operates services by industry leading vendors to monitor inbound and outbound traffic that could impact services, including enterprise firewalls, proxy services, endpoint protection, cloud security services, denial of service protection solutions and vulnerability management.
We have an established audit and logging practice which is governed by an internal policy that sets out the requirements for the management of logs in technology platforms and security events.
Report a security vulnerability
We take security vulnerabilities very seriously and protecting customer data is one of our top priorities.
If you have discovered a security vulnerability, please keep your findings strictly confidential and disclose the relevant information to us in a responsible manner via the link to MYOB’s Responsible Disclosure Statement.
MYOB Trust Centre last updated: December 2021