Register to access ATO APIs and Digital Services
To access our APIs and digital services, you must be registered in Online services for DSPs, hold a myGovID credential, and be linked in RAM.
You can build and test your product or service in the External Vendor Testing Environment (EVTE) and simultaneously work through the DSP OSF process, including the completion of the Security Questionnaire. See how to start using our services for more information.
Supporting information is also available in the DSP hub, and you can request assistance from the Digital Partnership Office (DPO) via the DSP service desk in Online services for DSPs.
Determine which requirements apply to your product or service
The DSP OSF uses a risk scaled model to determine the security controls required for your product or service.
Key risk factors considered include:
- products or services controlled by you - for example, a DSP cloud-hosted solution, software as a service (SaaS), sending service providers (SSP) or gateways
- products or services controlled by your client - for example, a client-hosted desktop solution, or cloud or infrastructure as a service (IaaS) controlled by the client
- whether products or services store or transact fewer than, or more than, 10,000 unique taxation, accounting, payroll, business registry or superannuation client records
- the API risk rating of the service(s) consumed
- sending service provider (SSP) solutions.
Based on these and other factors, your product or service will fall into one of five categories:
Category A
- Commercial product or service controlled by a DSP, and either
  - low to high-risk APIs with greater than 10,000 unique client records, or
  - sending service providers
Category B
- Commercial product or service controlled by a DSP, and
  - medium to high-risk APIs with less than 10,000 unique client records
Category C
- Commercial product or service controlled by a DSP, and either
  - low-risk APIs with less than 10,000 unique client records, or
  - no-risk APIs regardless of unique client records
Category D
- Commercial product or service controlled by a client, and
  - low, medium or high-risk APIs regardless of unique client records
OR
- In-house developer controlled by a client, and
  - low-risk APIs only with greater than 10,000 unique client records
Category E
- Commercial product or service controlled by either a DSP or the client, and
  - no-risk APIs regardless of unique client records
OR
- In-house developer controlled by a client, and either
  - low-risk APIs only with less than 10,000 unique client records, or
  - no-risk APIs regardless of unique client records
For more information on the specific DSP OSF requirements for products and services see Requirements for products and services.
Note: Where a DSP provides a hosted or multi-tenanted environment for a client, the DSP's own access should be limited to maintenance and support activities performed with client consent. DSPs in this situation must ensure each instance of the software service is unique to each client and that software instances are secured through certificate exchange or multi-factor authentication (MFA).
Completing and submitting the DSP OSF questionnaire
You must complete and submit a Digital Service Provider Operational Security Framework Questionnaire (DOCX, 768KB) and provide relevant evidence to demonstrate compliance with the appropriate controls. The questionnaire requires evidence of the following:
- Audit logging
- Authentication
- Certification
- Data hosting
- Encryption key management
- Encryption at rest
- Encryption in transit
- Entity validation
- Personnel security
- Security monitoring
- Supply chain
- Third-party add-ons
Completed questionnaires and supporting evidence must be submitted through Online services for DSPs, and the DPO will contact you if further information is required.
The DPO can also guide you through completing the questionnaire and understanding the requirements. If you have any questions, please contact the DPO via Online services for DSPs.
DSPs with multiple products or services
The DPO will consider a single completed DSP OSF security questionnaire when you have multiple products or services in the same category, for example where they share the same operating environment.
To apply the DSP OSF across your entire organisation and maintain a single accreditation, you must clearly articulate the differences between the products and services, including any different supply chain interactions, and provide supplementary evidence for any known gaps.
Evidence required
You must provide suitable supporting evidence to demonstrate compliance with each control requirement. Where evidence contains sensitive or confidential information, you may remove or redact it before sending it to us. Redacted evidence must still contain all the details needed to demonstrate that the requirements and controls have been effectively met.
Product ID
All products must have a unique product ID, and each ID may only be used for its designated purpose:
- External Vendor Testing (EVT) Product ID - should only be used to access ATO testing environments for the purposes of developing and testing your product.
- Production Product ID - should only be used for the secure transmission of data between the ATO and the product, including transmission of data through third parties.
We will provide you with a unique product ID for accessing both the testing and production environments, and you must keep this confidential and secure.
Terms and conditions
You must accept the terms and conditions before you can be whitelisted to access ATO APIs and digital services. This means:
- you must provide us with true and correct information. Providing false or misleading information will result in the restriction of access to services or de-whitelisting. We will endeavour to work through any non-compliance issues with you before any action is taken.
- we need to collect information and evidence so we can process and manage your application to access our digital services. We will not share your information with other parties except when the law allows or requires us to, and protecting the privacy and security of your personal information is important to us.
- you are responsible for making sure your details are correct and up to date.
Conditional approval may be granted for a limited time if you are undertaking independent certification. In this case you will need to provide the DPO with an appropriate timeline and progress updates, and you must have completed a recent self-assessment.
Letter of confirmation
Once you have met all the requirements and controls of the DSP OSF, the DPO will issue you with a letter to confirm compliance.
Product register
All commercial products will be listed on the ATO product register to provide transparency to our mutual clients.
Additional information to support your product register listing can be provided to the DPO by submitting a ticket through Online services for DSPs.