The DSP Operational Security Framework (OSF) applies to any software product or digital service that performs a functional role in the supply chain of transmitting Taxation, Accounting, Payroll, Business Registry or Superannuation data through ATO digital services.
This includes software products that read, store, modify, or route any Taxation, Accounting, Payroll, Business Registry or Superannuation data and connect:
- directly to ATO digital services
- indirectly to the ATO via a Sending Service Provider (SSP) for Payroll services
- indirectly to the ATO via a Gateway for Superannuation Services or SuperStream.
It also applies to:
- significant modifications of commercial software or white labelled products
- in-house developers (or non-commercial products or services)
- products or services producing a .CSV file.
For large organisations or groups of companies, the DSP OSF may only apply to relevant systems or business sectors of the organisation.
Note: the DSP OSF is not intended to capture the end user who owns the data and does not perform a functional role in the supply chain, such as a business using software to run their daily operations.
Significant modification of commercial software
If you or your client customise key components of a commercial product or service, it may be regarded as in scope of the DSP OSF.
Consideration of scope includes:
- whether your client would be classified as an in-house developer
- changes to the way the payloads are generated and how this differs from the original.
If you are unsure, you can contact the Digital Partnership Office (DPO) via the DSP service desk in Online services for DSPs to discuss your individual circumstances.
In-house developers
If you develop a product or service to manage a business’s own affairs, it may be considered ‘in-house’.
An in-house developer is a product or service that meets the following criteria:
- is developed to manage a business’ own taxation, accounting, payroll, business registry or superannuation affairs
- has no expectation of commercial gain
- will not be distributed outside the organisation
- will be controlled by the business.
In-house developers are still required to meet the requirements of the DSP OSF; however, the requirements will differ depending on whether your product or service interacts with fewer than or more than 10,000 taxation, accounting, payroll, business registry or superannuation records.
If you are unsure, you can contact the Digital Partnership Office (DPO) via the DSP service desk in Online services for DSPs to discuss your individual circumstances.
Products or services producing a CSV file
A product or service that produces a CSV file is in scope of the DSP OSF when:
- the file is transformed and transmitted via a Sending Service Provider (SSP)
- the product or service is made available commercially.
Sending Service Providers (SSPs)
We need to understand the details of an SSP model and value chain to determine if it falls in scope of the DSP OSF.
If you will be acting in the capacity of an SSP, you will need to provide additional information (see Evidence required).
Evidence required
- Intended business model, for example, will the service be offered to market.
- Functional roles performed within the supply chain.
- Services that will be offered, for example, file upload, portal, REST API.
- Architecture of the service, including services that are hosted on shared infrastructure.
SSPs may also be required to provide:
- published product descriptions
- screenshots displaying the method of connection.