Home » Security

Pronto Software Security Assurance and Compliance Framework

Pronto Software takes very seriously the management of risk and the provision of security for our customers, Pronto Software strives to ensure that security is maintained at a high standard and as a key focus for our organisation. Pronto Software is certified for many security and compliance standards through certified, independent and external organisations. Read more about Pronto Xi application regarding enterprise security.

Pronto Compliance Framework Diagram

Information Security

Pronto Software is an ISO/IEC 27001 certified organisation. ISO/IEC 27001 is an international standard that requires organisations to establish, implement, maintain, and continually improve an information security management system (ISMS). Pronto Software is certified for ISO/IEC 27001 because it provides a framework for managing the security of its ISMS. Pronto Software utilises the ISO/IEC 27001 standard for Governance, Risk, Security and Compliance for the protection of Pronto Software’s customers systems and customers data.
A number of government agencies, customers and other third-parties require Pronto Software to be certified with ISO/IEC 27001 for engaging with them.
Pronto Software requires some of its key third parties to be ISO/IEC 27001 certified. Click here for Pronto Software’s ISO 27001 certificate.

ASAE 3402

ASAE 3402 is the Australian Standard on assurance engagement issued by the Audit and Assurance Standards Board (AUASB) of the Australian Government.

The standard:
a) deals with assurance engagements undertaken by an assurance practitioner, to provide a report for use by user entities and their auditors, on controls at a service organisation that provides a service to user entities that is likely to be relevant to use entities’ internal control as it relates to financial reporting.
b) Conforms with the International Standard on Assurance Engagements ISAE 3402 Assurance Reports on Controls at a Service Organisation issued by the International Auditing and Assurance Standards Board (IAASB).
c) Generally equivalent to the USA standard, Statement on Standards Attestation Engagements (SSAE) No. 16, used for the Service Organisation Control (SOC) type II report.

Pronto Cloud has been undertaking annual ASAE 3402 audits since 2018 to provide independent assurance on Pronto Cloud’s controls as a service organisation. Pronto Software through Pronto Cloud has completed Type I and Type II reports for ASAE 3402. The ASAE 3402 reports provide customers with independent, objective, and authoritative reviews that Pronto Cloud, as a service organisation are providing appropriate and reliable controls that a customer is using for their own financial reporting needs. Pronto Cloud is externally independently audited for ASAE 3402 compliance annually.
A full report can be requested from Pronto Software and the Pronto Cloud team.


Payment Card Industry Data Security Standard (PCI DSS) is a security and compliance standard for the protection of cardholder data. The PCI DSS security standards are designed that where organisations accept, process, store or transmit credit card information, that information is maintained in secure environments. Pronto Woven is PCI DSS certified. Pronto Woven is the award-winning digital consultancy division of Pronto Software.

ATO Operational Framework

In conjunction with the implementation of Single Touch Payroll (STP), the Australian Taxation Office (ATO) created the Operational Security Framework (OSF). Due to our connection to the ATO with STP reporting, Pronto Software is required to adhere to the OSF. The OSF seeks to protect Payroll and Superannuation related data and the integrity of the Taxation and Superannuation systems that support the Australian community. This is achieved by setting out a minimum level of security requirements that software providers must meet in order to access ATO Digital Services. The OSF has been established to respond to business risks and security threats presented by digital services’ continual expansion and growth across the ecosystem.

The ATO OSF seeks to protect the privacy data that forms part of STP processes through prescribed security measures, protect against the risks associated with third-party solution providers, suppliers, and vendors, protect against the risks associated personnel security and have defined incident management processes in place for cyber security breaches.

What does this mean for Pronto Xi payroll customers?

  • MFA and other security measures must be enabled in Pronto Software hosted payroll customer sites

  • Secure access control mechanisms.

  • Commitment to measures protecting privacy data for Confidentiality, Integrity and Availability.

  • Inform the ATO of cyber security breaches

  • Third party connections to Pronto Xi ERP Payroll software must be secure

Breaches in these areas can result in the ATO withdrawing confidence in processing STP information, resulting in the prevention of Payroll data processing. This is an outcome Pronto Software, and its customers takes very seriously and wish to prevent.

Pronto Software continues to meet all the requirements of the Operational Security Framework and have been provided with a Confirmation letter. Annually, Pronto Software perform a security evaluation process for the ATO through the OSF. You can view the certificate here.

Privacy Statement

Pronto Software’s Privacy Statement explains its handling of personal information.