
The Shared Responsibility Model in Xero: Why Your Data Is Your Problem

10 min read | June 19, 2026 | WOW Backup & Restore

Introduction

There is a fiction most Xero users operate under, and almost nobody discovers it is fiction until something goes wrong. The fiction is that because your accounting data lives inside a cloud platform run by a major company, that company is responsible for protecting it.

It is not. And this is not a hidden detail. It is in the terms of service, it is the industry standard for cloud accounting, and it is the same arrangement that applies to every other SaaS product you use.

What this means in practice is that the recoverability of your Xero data depends entirely on what you have set up outside of Xero. If you have not set anything up, you are not protected. The platform working perfectly and your data being recoverable are two different things. The shared responsibility model is the framework that explains why, and what to do about it.

This article walks through what the model actually says, what it does not, and what genuine protection looks like.

What "Shared Responsibility" Actually Means

The phrase "shared responsibility" sounds like something is shared. In a strict sense it is not. Responsibility is split between two parties, with a clean line down the middle, and each party is fully responsible for their own side.

Xero is responsible for:

  • Keeping the platform online and reliable.
  • Securing the infrastructure that runs the platform.
  • Encrypting data in transit and at rest.
  • Pushing application updates and fixing platform-level bugs.
  • Backing up their own infrastructure for disaster recovery.

You are responsible for:

  • The accuracy and integrity of the data you put into the platform.
  • Who has access to your organisation and what permissions they have.
  • Recovery from any data loss caused by users, integrations, or your own actions.
  • Maintaining a backup of your data independent of Xero.
  • Meeting any statutory record-keeping obligations that apply to your business.

Nothing on your side of the line is provided by default. You either set it up or it does not exist. That is the entire substance of the model.

The Specific Things Xero Will Not Restore For You

This is the part where people get caught out. Plain platform reliability sounds like protection, until you ask Xero to restore something specific.

Xero will not roll your individual organisation back to yesterday. It will not undo a bulk deletion of contacts. It will not reverse a chart of accounts restructure that reclassified historical transactions. It will not recover invoices that an app integration imported incorrectly. It will not restore a journal entry deleted in error.

In each case, Xero's platform did exactly what it was asked. Someone with valid credentials submitted an action. The platform processed it. There is no platform-side mechanism for distinguishing legitimate work from a mistake.

The audit log will show you exactly what happened and when. It will not give you the data back. That is the part most subscribers do not understand until they need to. The audit log is a record, not a restore tool.

This is the problem Xero backup solutions exist to solve. The platform's infrastructure backups are not designed for this. They are not accessible to subscribers in any form that supports point-in-time restore of an individual organisation.

Where the Confusion Comes From

Three things make this hard to see in advance.

First, platform reliability creates a false sense of security. Xero is up. The data is there. Everything looks fine. The assumption that the platform is protecting you flows naturally from that experience.

Second, the model is buried in the terms of service. Most subscribers do not read the terms. The clauses that limit Xero's liability to taking reasonable steps to recover data from available backups are accurate, legal, and standard. They are also not something anyone reads until they need to.

Third, there is no equivalent in the consumer world. Gmail, iCloud, and similar services do offer point-in-time recovery for individual users in many cases. People assume business SaaS works the same way. It does not.

When all three of these come together, what you get is a confident user with no protection, who believes the platform has them covered. The first time something goes wrong, the gap is visible. By then, options are limited.

What "Your Data Is Your Problem" Looks Like in Practice

A bookkeeper bulk-deletes a batch of supplier invoices during a clean-up. The deletion was authorised by a valid user with valid credentials. Xero processed it correctly. The data is gone from Xero's working copy. Without a Xero backup and recovery solution running, the recovery path is manual reconstruction from email correspondence and supplier portals.

An app integration with write access posts duplicate journals into the general ledger across a weekend. The error is caught Monday morning. The platform did what it was instructed to do. The data is now wrong. Without an independent Xero backup, fixing it requires identifying every duplicated record and reversing it manually.

A staff member's credentials are compromised and an attacker uses them to delete contacts and export sensitive data. The actions look like normal user activity from Xero's perspective. There is no platform alarm. Without a Xero full backup taken before the incident, the deleted contacts are not recoverable from Xero.

In every case, the same principle applies. Xero is not failing. The platform is working as designed. The data inside the platform is the customer's responsibility.

The Mental Model Shift

The simplest way to apply the shared responsibility model in practice is to stop thinking of Xero as a system that backs up your data and start thinking of it as a system that holds your data while you work with it.

Cloud storage is a useful comparison. If you store files in Google Drive, those files are protected against Google losing them. They are not protected against you deleting them. The Drive trash bin gives you some recovery options, but no serious business relies on the trash bin as a backup strategy. The same logic applies to Xero, except Xero does not have a trash bin for accidental bulk operations.

Once you accept this, your behaviour around the platform changes. You stop assuming there is a safety net. You start asking where your independent copy is. You set up automated daily backups under your own control. You verify that your retention window matches how quickly you can spot issues. None of this is exotic. It is just the work that makes the responsibility split actually workable.

The core principle: Xero is running. Your data is in it. Those two facts together are not protection. Protection is an independent, restorable copy of your Xero organisation that you control. If you cannot point at it, you do not have it.

What Counts as Actually Solving It

A few criteria distinguish a genuine Xero backup solution from a partial one.

It runs automatically. If the backup depends on someone remembering to click a button, it will be missed. A scheduled daily Xero backup, run by software, not by memory, is the only reliable form.

It captures the whole organisation: transactions, contacts, chart of accounts, tracking categories, attachments, and configuration. A partial backup gives you a partial restore.

It supports point-in-time restore. The ability to choose a specific date and get the data back as it existed on that date is the operational difference between recovery and reconstruction.

It restores into a new Xero organisation. Restoring a Xero organisation into a separate environment protects your live books while you analyse the recovered data.

It runs in a region you can defend. Australian data in Australia, Canadian data in Canada, United States data in the United States.

WOW Backup and Restore meets all of these. It provides daily backups, full organisation coverage, point-in-time restore, a new-organisation restore model, regional data residency, two-factor authentication via an authenticator app, and a full access audit trail. Pricing is $9.95 USD per Xero organisation per month, attachments included, with no per-seat fees.

Conclusion

The shared responsibility model in Xero is not a problem with Xero. It is the default arrangement for serious cloud software, and once you understand it, the question stops being "is my data safe?" and starts being "what have I set up to make sure it is?"

If the answer to that second question is "nothing, but Xero is reliable," you have not understood the model yet.

Close the gap on your side of the line

Visit WOW Backup and Restore to set up automated daily backups for your Xero organisations. $9.95 USD per organisation per month, attachments included, regional data residency for AU, CA, and US.

FAQ

Frequently Asked Questions

Common questions from this article, answered.

Xero is responsible for the platform itself, including uptime, security, and infrastructure resilience. You are responsible for the data inside your Xero organisation, including its accuracy, who has access to it, and whether you can recover it after an incident. There is no default backup of your specific organisation that Xero provides to you. If you have not arranged one, your protection is platform-level reliability only.
No. Xero's backups exist for platform disaster recovery, not subscriber-facing restore. You cannot ask Xero to restore your organisation to a specific date. A Xero backup solution you set up yourself is the only thing that gives you point-in-time recovery for your data.
Because the model is not built for it, and it would not scale across millions of subscribers. Xero's terms of service commit to reasonable efforts to recover from available backups, which is genuinely different from individual organisation point-in-time restoration. This is the same approach taken by other serious SaaS platforms.
Most of them, yes. The model originated with major cloud infrastructure providers and has become the industry standard for business SaaS. Xero is not unusual in following it. What is unusual is the level of confusion among users about what it actually means for their data.
The audit log shows you what changed and who did it. A Xero full backup is a saved copy of the data itself, which can be restored if something goes wrong. The audit log helps you understand what happened. A backup lets you fix it.
You are responsible, in the sense that the data is your organisation's responsibility regardless of who deleted it. Internal accountability is a separate question. From Xero's perspective, an authorised user performed an authorised action. The platform will not unwind it.
Some do, some do not. Ask explicitly. If they do, ask what specifically is being backed up, how often, and how a restore actually works. A casual CSV export every quarter is not the same as a Xero backup and recovery solution running daily.
The split does not change, but the consequences do. After cancellation, access to your data winds down on a timeline you do not control. Your responsibility to retain records does not end. This is one of the strongest practical reasons to create a Xero backup before any cancellation decision is finalised.
It does not change the responsibility model itself. Xero is still responsible for the platform; you are still responsible for your data. A Xero-certified backup provider is the practical way to discharge your responsibility through a tool that has been vetted by Xero for compatibility and security.
Set up automated daily backups for every Xero organisation you operate. Connect a Xero backup and recovery solution that captures the full organisation, runs on a schedule without anyone touching it, and restores into a new Xero organisation when needed. That single step covers most of the practical work of the responsibility split, regardless of how many Xero organisations you manage.
