Home » Security

Pronto Software Security Assurance and Compliance Framework

Pronto Software takes very seriously the management of risk and the provision of security for our customers, Pronto Software strives to ensure that security is maintained at a high standard and as a key focus for our organisation. Pronto Software is certified for many security and compliance standards through certified, independent and external organisations. Read more about Pronto Xi application regarding enterprise security.

Pronto Compliance Framework Diagram

Information Security

Pronto Software is an ISO/IEC 27001 2022 certified organisation. ISO/IEC 27001 is an international standard that requires organisations to establish, implement, maintain, and continually improve an information security management system (ISMS). Pronto Software is certified for ISO/IEC 27001 because it provides a framework for managing the security of its ISMS. Pronto Software utilises the ISO/IEC 27001 standard for Governance, Risk, Security and Compliance for the protection of Pronto Software’s customers systems and customers data.
A number of government agencies, customers and other third-parties require Pronto Software to be certified with ISO/IEC 27001 for engaging with them.
Pronto Software requires some of its key third parties to be ISO/IEC 27001 certified. Click here for Pronto Software’s ISO 27001 certificate. Certification applies to the Melbourne, Sydney, Brisbane and Adelaide offices only.

ASAE 3402

ASAE 3402 is the Australian standards on assurance engagements issued by the Auditing and Assurance Standards Board (AUASB) of the Australian Government.

This standard:

  • Deals with assurance engagements undertaken by an assurance practitioner, to provide a report for use by Pronto Cloud customers and their auditors, on the controls at Pronto Cloud that are likely to be relevant to Pronto Cloud customers’ internal control related to financial reporting.

  • Conforms with the International Standard on Assurance Engagements ISAE 3402 Assurance Reports on Controls at a Service Organisation issued by the International Auditing and Assurance Standards Board (IAASB).

Pronto Cloud has been undertaking annual ASAE 3402 Type 2 audits since 2018 to provide independent assurance on Pronto Cloud’s controls as a service organisation. The detailed report is available upon request.


Payment Card Industry Data Security Standard (PCI DSS) is a security and compliance standard for the protection of cardholder data. The PCI DSS security standards are designed that where organisations accept, process, store or transmit credit card information, that information is maintained in secure environments. Pronto Woven is PCI DSS certified. Pronto Woven is the award-winning digital consultancy division of Pronto Software.

ATO Operational Framework

In conjunction with the implementation of Single Touch Payroll (STP), the Australian Taxation Office (ATO) created the Operational Security Framework (OSF). Due to our connection to the ATO with STP reporting, Pronto Software is required to adhere to the OSF. The OSF seeks to protect Payroll and Superannuation related data and the integrity of the Taxation and Superannuation systems that support the Australian community. This is achieved by setting out a minimum level of security requirements that software providers must meet in order to access ATO Digital Services. The OSF has been established to respond to business risks and security threats presented by digital services’ continual expansion and growth across the ecosystem.

The ATO OSF seeks to protect the privacy data that forms part of STP processes through prescribed security measures, protect against the risks associated with third-party solution providers, suppliers, and vendors, protect against the risks associated personnel security and have defined incident management processes in place for cyber security breaches.

What does this mean for Pronto Xi payroll customers?

  • MFA and other security measures must be enabled in Pronto Software hosted payroll customer sites

  • Secure access control mechanisms.

  • Commitment to measures protecting privacy data for Confidentiality, Integrity and Availability.

  • Inform the ATO of cyber security breaches

  • Third party connections to Pronto Xi ERP Payroll software must be secure

Breaches in these areas can result in the ATO withdrawing confidence in processing STP information, resulting in the prevention of Payroll data processing. This is an outcome Pronto Software, and its customers takes very seriously and wish to prevent.

Pronto Software continues to meet all the requirements of the Operational Security Framework and have been provided with a Confirmation letter. Annually, Pronto Software perform a security evaluation process for the ATO through the OSF. You can view the certificate here.

Privacy Statement

Pronto Software’s Privacy Statement explains its handling of personal information.