DSP conditions of use

This page provides a detailed list of terms applicable to the use of ATO digital wholesale services, including services provided through ATO Standard Business Reporting (SBR) and the ATO API Portal. Other terms may be contained within service-specific documentation. This page is intended for DSPs who are consuming, or planning to consume, these ATO digital wholesale services.

The Bulk Data Exchange (BDE) platform has a different set of terms and conditions. Developers for that platform should refer to the Data Transfer Facility terms and conditions.

When we say:

  • we, us and our – we mean the Australian Taxation Office (ATO)
  • you and your – we mean you as the Digital Service Provider (DSP)
  • ATO digital wholesale services – we mean the electronic data system that we provide
  • End user – we mean the business entity and each individual sender
  • End user product – we mean a software product created or developed for use by end users, which could include other Digital Service Providers.

The following sections describe the legislative and operational restrictions on using our digital services.

Who can and can’t use our services: legal disclosure of information

Division 355 of the Taxation Administration Act 1953 and Part 1 of the Superannuation Industry (Supervision) Act 1993 prohibit us from disclosing protected information about the tax or superannuation affairs of a particular entity except in certain specified circumstances.

Entities cannot consent to their protected information being shared with a third party unless that third party is a covered entity (such as a tax agent) and the consent is given in the approved form. Even where an entity gives consent, we cannot disclose their information outside these circumstances.

We only grant access to our APIs where you provide a service that supports entities to meet their reporting obligations. You must therefore consider the intended business purpose of the proposed service and verify that the intended client or user will be:

  • a business client - for the purpose of managing their taxation, payroll, superannuation, and/or registry affairs
  • an intermediary or tax professional (such as a tax agent, BAS agent or Payroll provider) - for the purpose of administering taxation affairs
  • a superannuation fund (trustee, or a representative) - for the purpose of administering superannuation obligations.

Who can’t use our services: unsupported business models

Some unsupported business models include providing software services:

  • directly to individual taxpayers to lodge their own returns
  • that interact with ATO online systems such as myTax, which do not allow, and were not designed for, external third-party software interaction
  • directly to a third party to obtain an individual's or business's ATO data and share that data with another entity
  • directly to individuals to obtain their own ATO data and share it with another entity

Examples of these business models could be software services:

  • that enable individuals to lodge a basic income tax return without an agent
  • for credit reporting agencies or loan brokers to verify income and employment details
  • for financial planners to access ATO data for their clients, when they are not also intending to represent their client as a tax/BAS agent

General Terms

Conditions of use

You agree to these Conditions of use when you register to be a Digital Service Provider (DSP) with us. They establish:

  • the terms under which the ATO makes its developer material available, 
  • our expectations of you,
  • our right to manage our systems, and
  • that we have no obligation to provide access to our services.

SBR and the ATO API Portal each publish their own conditions, which apply in addition to the general conditions on this page.

Reasonable Use of ATO digital wholesale services

The Reasonable Use policy outlines our expectations for reasonable use of ATO digital wholesale services. This policy complements the service-specific usage restrictions described in the relevant business implementation guides, to ensure high levels of availability and responsiveness for all users.

Whitelisting Process

Access to ATO digital wholesale services is managed through DSP product whitelisting. Whitelisting grants access to ATO production or test environments. The whitelisting process commences with registration of an organisation in Online Services for DSPs, at which point your representative will make declarations, authorisations, and acknowledgements around the responsible consumption of ATO digital wholesale services. Final whitelisting is dependent upon acceptance of these conditions, and there are requirements to which you must adhere to maintain whitelisted status.

Product ID

Upon whitelisting, we will provide you with a unique Product ID for each of your products, to be included in messages transmitted to the ATO. A Product ID must not be shared across multiple products. You are issued separate Product IDs for the test and production environments, and each may only be used to access its respective environment. Product IDs must be kept confidential and secure to ensure they are used only for their intended purpose.

De-Whitelisting Process

De-whitelisting is the process of suspending or revoking access to ATO production or test environments. A product may be de-whitelisted where:

  • it is not compliant with our requirements 
  • the service generates a significant number of unexpected technical errors resulting in data issues, or
  • a cyber incident presents a risk to our digital wholesale channel, ATO reputation or taxpayers.

End-User Agreement

End users of your product(s) must accept our End-User Agreement. This agreement sets out the rights and restrictions that apply when using ATO digital wholesale services.

SBR and the ATO API Portal each have their own End-User Agreement.

ATO Service Support Versioning Strategy

Over time, SBR services will change or be replaced to accommodate legislative, policy and technology changes. We will endeavour to work with you to minimise the impact these changes may have on your products. For further details, refer to the ATO Service Support Versioning Strategy.

Security

This section provides information on how to interact with our digital wholesale services securely and responsibly.

Fraud Mitigation

Our digital services present a range of service opportunities, but they also carry risks and security implications. It is crucial that we work in partnership with you to protect the integrity of the tax, super and registry systems for the Australian community.

DSPs who produce tax practitioner lodgement software must also consider customer verification guidelines as determined by the ATO and the Tax Practitioners Board.

The ATO DSP Operational Security Framework and related guidelines (such as the ACSC Essential Eight) support the protection of ATO systems and client data against cyber threats. You must provide detail on how your product meets the requirements of the DSP Operational Security Framework.

DSP Operational Security Framework (OSF)

The DSP Operational Security Framework (OSF) sets out a minimum level of security requirements that you must meet to access ATO digital wholesale services. 

The OSF uses a risk-scaled model to determine the security controls required for your product or service. Separate pages provide more information on the risk-scaled model and the security control requirements.

Maintaining Compliance

There are ongoing expectations that you maintain your compliance with the DSP OSF. Requirements for maintaining your compliance include, but are not limited to, that you must:

  • notify us as soon as practicable of significant changes to your business or product environment
  • hold a current certification (both independent and self-assessed) and take appropriate steps to update and supply us with a current copy of your certification, and
  • undertake annual reviews to ensure you remain compliant with the DSP OSF.

Failure to maintain your compliance can result in de-whitelisting. You can find out more about maintaining compliance and what happens if you don’t on the maintaining compliance page.

Data Breaches

Where a data breach is identified, you must contact us immediately so that appropriate action can be taken. A data breach occurs when personally identifiable information (PII) held by an entity is subject to unauthorised access, or is disclosed to an unauthorised party. Refer to the data breaches page for information on reporting data breaches and the actions we take.

Security Monitoring

The security monitoring requirement seeks to minimise the impact of cyber incidents by having controls in place to detect, prevent and respond to cyber attacks. Monitoring is a joint responsibility between you and the ATO. The ATO conducts monitoring at the network, application and transaction layers. If anomalies or areas of concern are identified, we may reassess your whitelisting suitability. We will contact you or your representative before making changes to your whitelisted status, unless exceptional circumstances apply.

Privacy

You have a responsibility for supporting clients to maintain the privacy of personal information, including tax file numbers (TFNs).

Under the TFN Rule, issued under section 17 of the Privacy Act 1988, sharing an individual's TFN with a third party is generally not permitted. The Office of the Australian Information Commissioner (OAIC) provides guidance on the rule that may assist you.

Authentication and Authorisation

All ATO digital wholesale services (including SBR and the ATO API Portal) use the myID Machine Credential to authenticate transactions with the ATO. The myID Machine Credential (referred to hereafter as the M2M credential) positively identifies the organisation (which must hold an ABN) that initiated the transaction with the ATO.

Limitations on the use of the M2M credential, responsibilities and associated conditions can be found in the myID Terms of Use - Machine.

AUSkey Software Developer Kit (ADK) – Developer and End-User Licences

ATO digital wholesale services that use the SBR channel can use the AUSkey Software Developer Kit (the 'ADK') to manage the keystore and generate security tokens using the M2M credential. The ADK is supplied under licences that set out restrictions on the distribution, sub-licensing, modification or derivation of the source code of the SDK or the Software.

Cloud Software Authentication and Authorisation (CAA)

Software products that do not use your client's own M2M credential (such as Software as a Service) must implement the Cloud Software Authentication and Authorisation (CAA) solution. In addition to the Product ID, which identifies your product to the ATO, each subscription or instance of your software also needs its own ID so that the authorisation between the reporting party, the DSP and the ATO can be validated.

A Software Subscription ID (SSID), commonly referred to as a Software ID, is a unique ID that identifies each subscription or instance of your software. SSIDs must be kept confidential and secure to ensure they are used only for the purpose of transmitting data securely between the ATO and the product.

You should refer to the information kit for the relevant policies, conditions, requirements, and further information around the implementation and use of SSIDs.

Marketing and communications

This section outlines what is acceptable and unacceptable when promoting your products or services in connection with ATO digital wholesale services. Software tools that do not connect to ATO digital wholesale services, and do not meet the applicable requirements, are not covered by this guidance.

The ATO does not approve, accredit, or endorse specific products. Instead, we confirm compliance with the necessary requirements for using ATO digital wholesale services.

Non-compliance with these requirements may result in a takedown notice being issued.

Acceptable:

  • Use approved terminology
    Accurately describe your product as being an 'ATO registered software product', or 'software registered with the ATO' after successfully completing the required ATO processes.
  • Product register guidelines
    The ATO lists compliant products on the Product Register. You may provide a brief product description for inclusion, ensuring it adheres to these guidelines. Note that the ATO does not recommend, endorse, or validate the accuracy of listed product descriptions.
  • Follow branding guidelines
    Ensure that the ATO’s copyright licence and Australian Government Branding Guidelines are followed.
  • Provide clear messaging
    Ensure your communications make it clear that whitelisting or compliance indicates eligibility to use ATO services, not ATO endorsement.

Unacceptable:

  • Avoid misleading claims
    Do not claim that your product is 'ATO Approved,' 'ATO Accredited,' or 'ATO Endorsed'.
  • Do not misuse branding
    Do not use the Australian Government logo, Commonwealth Coat of Arms, or other government insignia outside the approved guidelines.
  • Refrain from overstating benefits
    Do not imply that your product's whitelisting status provides competitive advantages or guarantees of performance.
  • Avoid misrepresentation
    Ensure that you do not misrepresent ATO’s role in your product’s development or functionality.

For detailed guidance on branding usage, refer to the Australian Government Branding Guidelines, the Commonwealth Coat of Arms guidelines and the ATO copyright licence referred to above.

Service specific terms and conditions

You must be aware of the terms specific to the service(s) you are consuming or intend to consume. Many of these can be found on the corresponding SBR and ATO API Portal pages for those services and in the relevant business implementation guides.

Super services are subject to additional legislation and terms that you must be aware of.

The next step: register on the ATO support system

Review the information on Online services for DSPs and register for access to the non‑live test environment, obtain specifications, and access support from the DPO to help guide you through the build process.

Contact us

For further information and to provide feedback, contact the DPO via the DSP service desk in Online services for DSPs or by emailing DPO@ato.gov.au.
