Data flow diagram
A summary of the data that moves between Sterling and your Xero organisation. Reads flow from Xero to Sterling; Writes flow from Sterling to Xero.
XERO                                STERLING
┌─────────────────────┐             ┌──────────────────────────┐
│ Chart of Accounts   │ ── READ ─▶  │ Coding bills correctly   │
│ Tax rates           │ ── READ ─▶  │ Applying the right tax   │
│ Contacts            │ ── READ ─▶  │ Matching suppliers       │
│ Invoices & bills    │ ── READ ─▶  │ Duplicate detection      │
│ Organisation info   │ ── READ ─▶  │ Multi‑org routing        │
│ Reports (read)      │ ── READ ─▶  │ Insights & analysis      │
│                     │             │                          │
│ Contacts            │ ◀─ WRITE ── │ New suppliers            │
│ Bills (Draft)       │ ◀─ WRITE ── │ Filed invoices           │
│ Attachments         │ ◀─ WRITE ── │ Original invoice PDFs    │
│                     │             │                          │
│ Webhooks            │ ─ EVENT ─▶  │ Connection changes       │
└─────────────────────┘             └──────────────────────────┘
Encryption boundary (AES‑256‑GCM at rest, TLS 1.2+ in transit)
Sub‑processor: OpenAI API (zero‑retention, no training)
Every interaction crosses an encryption boundary: AES‑256‑GCM at rest for stored data, and TLS 1.2+ with HSTS in transit. Sterling uses OpenAI's API as a sub‑processor for task execution — under zero‑retention terms, meaning OpenAI doesn't store your data and your data is never used to train any model.
Permissions Sterling requests (OAuth scopes)
Sterling uses granular OAuth 2.0 scopes and only requests what it needs for the features you use.
Always requested (identity only — no accounting data)
openid, profile, email — used when you sign up or sign in with Xero. These give Sterling your name and email; nothing more.
Always requested for core accounting features (read‑only)
accounting.settings.read — Chart of Accounts, tax rates, tracking categories, organisation settings.
accounting.contacts.read — Look up suppliers and customers to match invoices correctly.
accounting.transactions.read — Read existing invoices and bills for duplicate detection and coding history.
accounting.reports.read — Generate insights from your ledger.
Requested for write actions
accounting.contacts — Create new supplier contacts when filing an invoice from a new vendor.
accounting.transactions — Create draft bills and invoices. Sterling never posts approved bills; a human always approves in Xero.
accounting.attachments — Attach the original PDF to the bill Sterling files.
Optional — only if you enable the Payroll skill
payroll.* scopes (read‑only) — requested only when you enable the Payroll & HR skill in Sterling. You can disable the skill at any time to revoke them.
You can review the full list on Xero's consent screen before clicking Allow access, and you can revoke access at any time from Xero → Connected apps or from Sterling → Skills → Ledger Connections.
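The scope selection and consent round-trip described above, written out as an added example (not Sterling's code). The openid/profile/email and accounting.* scope names are the ones listed on this page; the two payroll scope names, the offline_access scope, the client id, the redirect URI and the state value are assumptions made for the example. The consent callback is checked against the state issued for the session, and the scopes Xero actually granted are compared with the ones requested so that an over- or under-grant is caught before any sync starts.

```python
"""Least-privilege scope selection and the Xero consent round-trip.

Added example, not Sterling's code. The payroll scope names, offline_access,
the client id and the redirect URI are assumptions; the rest come from the page.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlparse

# Xero's OAuth 2.0 authorization endpoint.
XERO_AUTHORIZE_URL = "https://login.xero.com/identity/connect/authorize"

IDENTITY_SCOPES = ("openid", "profile", "email")
ACCOUNTING_READ_SCOPES = (
    "accounting.settings.read",
    "accounting.contacts.read",
    "accounting.transactions.read",
    "accounting.reports.read",
)
ACCOUNTING_WRITE_SCOPES = (
    "accounting.contacts",
    "accounting.transactions",
    "accounting.attachments",
)
# Assumption: the page only says "payroll.* (read-only)"; two illustrative names.
PAYROLL_READ_SCOPES = ("payroll.employees.read", "payroll.payruns.read")
# Assumption: background re-syncs need a refresh token, which Xero issues only
# when offline_access is requested. The page does not list this scope.
REFRESH_SCOPE = "offline_access"


def scopes_for(*, file_invoices: bool, payroll: bool) -> list:
    """Return only the scopes the enabled features need, in a stable order."""
    scopes = [*IDENTITY_SCOPES, REFRESH_SCOPE, *ACCOUNTING_READ_SCOPES]
    if file_invoices:
        scopes += ACCOUNTING_WRITE_SCOPES
    if payroll:
        scopes += PAYROLL_READ_SCOPES
    return scopes


def build_consent_url(client_id: str, redirect_uri: str, scopes: list,
                      state: Optional[str] = None) -> tuple:
    """Build the authorize URL. `state` is a per-login random value that must be
    stored with the user's session and echoed back on the callback."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{XERO_AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing callbacks whose state does not
    match the one issued for this session (login CSRF / forged redirect)."""
    query = dict(parse_qsl(urlparse(callback_url).query))
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    return query["code"]


def audit_granted_scopes(requested: list, granted_scope_str: str) -> dict:
    """Compare the scope string returned with the token set against what was
    requested, so an over- or under-grant is caught before any data is synced."""
    granted = set(granted_scope_str.split())
    return {
        "missing": sorted(set(requested) - granted),
        "unexpected": sorted(granted - set(requested)),
    }


def demo() -> dict:
    """Constructed walk-through: invoice filing on, payroll off, fixed state."""
    requested = scopes_for(file_invoices=True, payroll=False)
    url, state = build_consent_url(
        "my-client-id", "https://app.example/xero/callback", requested,
        state="fixed-state-for-demo",
    )
    good = "https://app.example/xero/callback?code=abc123&state=fixed-state-for-demo"
    forged = "https://app.example/xero/callback?code=abc123&state=forged"
    try:
        parse_callback(forged, state)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    granted = " ".join(requested)  # constructed: Xero granted exactly what was asked
    return {
        "requested": requested,
        "query": dict(parse_qsl(urlparse(url).query)),
        "code": parse_callback(good, state),
        "forged_rejected": forged_rejected,
        "audit": audit_granted_scopes(requested, granted),
        "audit_extra": audit_granted_scopes(requested, granted + " payroll.employees.read"),
    }


if __name__ == "__main__":
    print(demo())
```

The state comparison uses a constant-time check and the callback is rejected before the code is ever exchanged; the granted-scope audit runs on the scope string that comes back with the token set, which is the first point at which the app can see what the user actually consented to.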
When and how data syncs
On connection. Sterling pulls your Chart of Accounts, tax rates, contacts and recent transactions immediately after you authorise. This takes 1–2 minutes for a small organisation.
On demand. When you file an invoice, Sterling refreshes the supplier lookup and checks for duplicates before creating the bill.
Periodically. Sterling re‑syncs in the background (at least daily) so new accounts, contacts and tax changes are picked up.
Via webhooks. Xero pushes events (e.g. connection changes) to Sterling, which triggers targeted refreshes.
Syncs are rate‑limited to stay within Xero's API volume limits. Sterling respects Retry‑After headers and caps concurrent calls at 5 per organisation.
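The two controls in the paragraph above, a cap of five in-flight calls per organisation and back-off on Retry-After, as an added example rather than Sterling's own code. The transport is a constructed fake that answers the first call with HTTP 429 and records how many calls were in flight per tenant, so the block runs offline; the client class, method names and the two tenant ids are assumptions.

```python
"""Per-organisation concurrency cap and Retry-After handling for Xero API calls.

Added example, not Sterling's code. The transport is a constructed fake so the
block runs offline; class, method and tenant names are assumptions.
"""
import asyncio
from dataclasses import dataclass, field

CONCURRENCY_CAP_PER_ORG = 5  # from the page: at most 5 concurrent calls per organisation


@dataclass
class Response:
    status: int
    headers: dict
    body: dict = field(default_factory=dict)


class FakeXeroTransport:
    """Constructed stand-in for HTTPS: answers the first `reject_first` calls
    with 429 + Retry-After and tracks in-flight calls per tenant."""

    def __init__(self, reject_first: int = 1, retry_after: float = 0.02):
        self.reject_first = reject_first
        self.retry_after = retry_after
        self.calls = 0
        self.in_flight: dict = {}
        self.max_in_flight: dict = {}
        self.max_total = 0

    async def send(self, tenant_id: str, path: str) -> Response:
        self.in_flight[tenant_id] = self.in_flight.get(tenant_id, 0) + 1
        self.max_in_flight[tenant_id] = max(
            self.max_in_flight.get(tenant_id, 0), self.in_flight[tenant_id])
        self.max_total = max(self.max_total, sum(self.in_flight.values()))
        try:
            await asyncio.sleep(0.01)  # simulated network latency
            self.calls += 1
            if self.calls <= self.reject_first:
                return Response(429, {"Retry-After": str(self.retry_after)})
            return Response(200, {}, {"tenant": tenant_id, "path": path})
        finally:
            self.in_flight[tenant_id] -= 1


class RateLimitedXeroClient:
    """Wraps a transport with one semaphore per Xero tenant and 429 back-off."""

    def __init__(self, transport, max_retries: int = 3):
        self.transport = transport
        self.max_retries = max_retries
        self._slots: dict = {}
        self.retry_waits: list = []  # seconds slept on each 429, for logging/tests

    def _semaphore(self, tenant_id: str) -> asyncio.Semaphore:
        if tenant_id not in self._slots:
            self._slots[tenant_id] = asyncio.Semaphore(CONCURRENCY_CAP_PER_ORG)
        return self._slots[tenant_id]

    async def get(self, tenant_id: str, path: str) -> Response:
        # The slot is held while backing off: a 429 means this org is already
        # over its limit, so releasing it would only let another call hit it too.
        async with self._semaphore(tenant_id):
            for attempt in range(self.max_retries + 1):
                resp = await self.transport.send(tenant_id, path)
                if resp.status != 429:
                    return resp
                # Retry-After is taken as seconds; the HTTP-date form is not handled here.
                wait = float(resp.headers.get("Retry-After", "1"))
                self.retry_waits.append(wait)
                if attempt == self.max_retries:
                    raise RuntimeError(f"{tenant_id}: still rate limited after {attempt} retries")
                await asyncio.sleep(wait)


async def _demo() -> dict:
    transport = FakeXeroTransport(reject_first=1, retry_after=0.02)
    client = RateLimitedXeroClient(transport)
    # Constructed workload: two organisations, six page fetches each, all at once.
    jobs = [client.get(org, f"/Contacts?page={i}")
            for org in ("org-a", "org-b") for i in range(6)]
    results = await asyncio.gather(*jobs)
    return {
        "ok": sum(r.status == 200 for r in results),
        "total_calls": transport.calls,      # 12 requests + 1 retry
        "max_in_flight": transport.max_in_flight,  # never above 5 per org
        "max_total": transport.max_total,    # the cap is per org, not global
        "retry_waits": client.retry_waits,
    }


def run_demo() -> dict:
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Twelve requests across two tenants produce at most five in flight per tenant (ten overall, since the cap is per organisation), and the single 429 costs exactly one extra call and one Retry-After sleep.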
How your data is protected
| Control | Detail |
| --- | --- |
| Encryption at rest | AES‑256‑GCM for tokens, cached Xero data and attachments |
| Encryption in transit | TLS 1.2+, HSTS with preload and includeSubDomains |
| Session security | |
| Token storage | Append‑only; a new token set is written on every refresh |
| Access control | Role‑based (Owner, Admin, Manager, Agent); Xero connection restricted to authorised roles |
| AI processing | OpenAI API with zero‑retention terms — never used for training |
| Hosting | AWS — North America and Australia/New Zealand regions; data sovereignty honoured |
| Backups | Daily, 30‑day retention, geo‑separated, encrypted |
| Audit logs | Structured logs, 90 days online + 1 year archived |
| Breach notification | Xero notified within 24 hours of confirmation; customers notified without undue delay per our DPA |
Full details are in Sterling's Privacy Policy and the Sterling.
What Sterling will never do
Train AI models on your Xero data.
Sell, rent, or share your Xero data with third parties.
Post approved invoices or bills — everything is filed as a draft for your review.
Delete anything in Xero.
Access Xero organisations you haven't authorised.
Offer lending, payments, bank feeds, or other regulated financial services.
