The Security Standard for Add-on Marketplaces (SSAM) is an extension of the ATO's Operational Framework and is intended to provide guidance for cloud-based third-party add-ons that integrate via API with Digital Service Providers (DSPs).
The SSAM supports the DSP Operational Framework and, for DSPs, will involve an extra section of reporting in the Operational Framework Questionnaire. For third-party add-on developers, this will involve providing self-assessments to DSPs on an annual basis.
The main aim of these standards is to further bolster the protection of data across this ecosystem, in particular client data. The SSAM should increase the portability of third-party add-on certifications between DSP marketplaces.
Below is information about each of the security requirements, along with the aim of each requirement.
| Security Requirement | Aim of Security Requirement |
| --- | --- |
| Encryption key management | Ensure effective key management is implemented to protect client data |
| Encryption in transit | Ensure that sensitive client data in your app is protected during the transport process |
| Authentication | Ensure that users who access your app are authenticated |
| Indirect access to data | Ensure that unauthorised third parties are unable to access customer data |
| App server configuration | Ensure that your app server is secure |
| Vulnerability management | Ensure that your app is secure against the common vulnerabilities |
| Encryption at rest | Ensure that sensitive client data in your app is protected while at rest |
| Audit logging | Ensure appropriate audit logging functionality is implemented and maintained |
| Data hosting | Ensure client data is not hosted in high risk areas |
| Security monitoring practices and breach reporting | Ensure you have security monitoring practices in place to detect and manage threats |
For more information about each of the requirements, including further details, please review the standards document.
Last Updated: 2 January 2024