Xero EU Alternative 2026: New Zealand, Five Eyes, and Your Financial Data Under GDPR
Post #2 in the sota.io EU Accounting Software Series
Xero is popular with EU accountants and SMBs for its clean interface and strong ecosystem. But Xero Limited is headquartered in Wellington, New Zealand — a founding member of the Five Eyes intelligence alliance. While New Zealand is not subject to the US CLOUD Act, it has its own data interception legislation that EU compliance teams rarely examine. Add AWS as Xero's infrastructure provider (a US company squarely within CLOUD Act reach), and the risk profile is more complex than Xero's marketing suggests.
This post maps the legal exposure, explains why the EU-New Zealand adequacy decision does not fully resolve the risk, and identifies the EU-native accounting alternatives that keep your financial data genuinely sovereign.
Who Controls Your Xero Data?
Xero Limited was incorporated in New Zealand in 2006 and is listed on the Australian Securities Exchange (ASX: XRO). Its principal entities relevant to EU customers:
| Entity | Jurisdiction | Relevant Law |
|---|---|---|
| Xero Limited (parent) | Wellington, New Zealand | NZ Intelligence and Security Act 2017 |
| Xero Europe Limited | Dublin, Ireland | EU GDPR data controller |
| Infrastructure (AWS) | Amazon.com Inc., Delaware USA | US CLOUD Act (18 U.S.C. §2703) |
The dual risk: Xero Limited in New Zealand can be compelled by the NZ Government Communications Security Bureau (GCSB) or the NZ Security Intelligence Service (NZSIS) under the Intelligence and Security Act 2017. AWS — Xero's primary cloud infrastructure provider — is a US person under the CLOUD Act regardless of which AWS region stores the data.
The Five Eyes Problem
The Five Eyes (FVEY) alliance — the USA, UK, Canada, Australia, and New Zealand — maintains one of the world's most comprehensive signals intelligence (SIGINT) sharing arrangements. The alliance operates under the UKUSA Agreement and enables member states to share intercept intelligence with each other.
In practice, this means:
- Data accessible to the NZ GCSB under NZ law may be shared with NSA, GCHQ, CSE, and ASD
- The EU data subject whose invoice data sits in Xero's NZ-controlled systems has no enforceable right to notification or redress across Five Eyes jurisdictions
- The European Court of Human Rights has not yet extended its Schrems-framework analysis to Five Eyes countries beyond the US
The EDPB's Schrems II guidance (2020) focused on US law, but the underlying principle — that third-country surveillance law overrides SCC contractual protections — applies equally to NZ's intelligence statutes.
New Zealand's Intelligence and Security Act 2017
The Intelligence and Security Act 2017 (ISA 2017) replaced New Zealand's earlier surveillance statutes and granted expanded powers to the GCSB and NZSIS:
Section 64 — Interception warrants: The GCSB can obtain a warrant to intercept the private communications of any person in New Zealand or any NZ person overseas. This includes electronic communications — which encompasses API calls, database queries, and data at rest in cloud storage.
Section 43 — Access authorisations: Allows the GCSB to access information infrastructure (including cloud providers operating in NZ) with authorisation from the Minister of Intelligence and Security. No court involvement required for the initial access authorisation.
Section 15 — Foreign intelligence: The GCSB can collect foreign intelligence — including data relating to non-NZ persons (i.e., EU data subjects) — when it serves NZ's security interests or those of Five Eyes partners.
Notification gap: Unlike the EU's GDPR Article 34 (communication of a personal data breach to data subjects), there is no obligation under ISA 2017 to notify affected individuals or data controllers that their data was accessed.
The EU–New Zealand Adequacy Decision
The European Commission granted New Zealand an adequacy decision in 2012 under Directive 95/46/EC. This decision was reviewed and maintained after Schrems II (2020), confirming that New Zealand's Privacy Act 2020 provides an essentially equivalent level of protection to EU GDPR.
However, the adequacy decision contains a critical caveat:
> The Commission has assessed New Zealand law and practice, including the legislation governing access by public authorities to personal data, and has not found that such access undermines the level of protection provided by New Zealand law.
The Commission's assessment was contested by privacy advocates because:
- ISA 2017 was not fully considered — the adequacy assessment predates the 2017 Act's passage and was not re-examined at the depth that post-Schrems II analysis requires
- Five Eyes sharing was treated as analogous to mutual legal assistance treaties (MLATs), not as a parallel interception channel
- No independent review mechanism exists for EU data subjects to challenge NZ GCSB access to their data
The adequacy decision means Xero can transfer EU personal data to New Zealand without SCCs. It does not mean that EU data in Xero is immune from NZ intelligence access.
AWS as Xero's Infrastructure: The CLOUD Act Layer
Xero uses Amazon Web Services as its primary infrastructure provider. This introduces a US CLOUD Act dimension entirely separate from NZ ISA 2017 risks:
AWS Regions used by Xero EU customers: Primarily eu-west-1 (Ireland) and eu-west-2 (London) for European customers.
The critical point: Amazon Web Services, Inc. is a Delaware corporation — a US person under 18 U.S.C. §2703 (CLOUD Act). A valid US law enforcement order can compel Amazon to produce data it stores in its Ireland region for any customer, including Xero, without notifying that customer or the data subject.
| Risk Layer | Source | EU Customer Impact |
|---|---|---|
| NZ ISA 2017 | GCSB/NZSIS | Xero Limited compelled to disclose |
| Five Eyes sharing | NSA/GCHQ/CSE/ASD/GCSB | Intelligence shared across agencies |
| AWS CLOUD Act | US DOJ/FBI | Amazon compelled for Ireland-stored data |
| AWS sub-processors | Various US companies | Additional transfer chain |
EU businesses using Xero face a stacked risk profile: NZ intelligence law at the application layer, US CLOUD Act at the infrastructure layer.
What Financial Data Is at Risk?
Xero stores comprehensive financial records for EU businesses. Under GDPR Article 4(1), all of the following constitute personal data:
- Customer records: name, address, VAT number, payment history, bank account details (for direct debit customers)
- Supplier/vendor data: contact information, payment terms, IBAN/BIC details
- Employee payroll data: salary, bank account, tax code — potentially Art. 9 special category data when health-related deductions appear
- Invoice line items: service descriptions that may reveal business relationships, client identities, or trade secrets
- Financial forecasts and cash flow data: business health information subject to commercial confidentiality
Xero's bank feeds — direct integrations with EU bank accounts — make the data particularly sensitive. A Xero breach or compelled disclosure could expose both the EU business and all of its customers, suppliers, and employees.
Xero's GDPR Position
Xero Europe Limited (Dublin) acts as data controller for EU customers under GDPR. Xero's data processing approach:
- EU data residency: EU customer data is stored in AWS eu-west-1 (Ireland) — EU storage confirmed
- SCCs: Used for transfers between Xero Europe Limited and Xero Limited (NZ parent) for support and engineering access
- DPO: Appointed (required under GDPR Art. 37 given the scale of processing)
- Privacy Shield successor: Xero relies on EU–NZ adequacy for NZ transfers; SCCs or adequacy for any US transfers
The gap: The SCC mechanism between Xero Europe and Xero Limited (NZ) must be assessed against a Transfer Impact Assessment that honestly evaluates ISA 2017. An honest TIA will surface Sections 43 and 64 as risk factors that SCCs cannot override. For most EU businesses, this is a MEDIUM-HIGH RISK finding.
EU-Native Xero Alternatives
The following accounting platforms are controlled by EU entities — no NZ parent, no US infrastructure CLOUD Act exposure (where noted):
1. DATEV eG — German Cooperative, Maximum Sovereignty
- Headquarters: Nuremberg, Bavaria, Germany
- Legal form: Eingetragene Genossenschaft — member-owned cooperative (40,000+ German tax advisors)
- Infrastructure: Own data centers in Nuremberg, Germany — no hyperscaler
DATEV has zero external investor exposure, no US or NZ parent, and operates infrastructure entirely in Germany. It is the standard system for German Steuerberater (tax advisors) and integrates directly with German tax authorities (ELSTER). For German businesses, DATEV represents maximum possible financial data sovereignty.
Verdict: Best-in-class. Required for any German business with a compliance-focused Steuerberater.
2. Pennylane — French SaaS, Modern UX
- Headquarters: Paris, France (Pennylane SAS)
- Infrastructure: AWS eu-west-3 (Paris) — contractually no data transfer outside EU
- Funding: Sequoia Capital Europe (note: EU fund, not US fund for this round)
Pennylane connects accountants with their clients via a shared real-time ledger. The SAS (Société par Actions Simplifiée) structure means Pennylane is a French legal entity — the data controller. Sequoia investment does not create CLOUD Act exposure; only the data controller's jurisdiction matters.
Verdict: Best modern Xero alternative for EU SMBs, especially French-speaking markets and tech-forward accountants.
3. Exact Online — 40 Years of EU Accounting
- Headquarters: Delft, Netherlands (Exact Software B.V.)
- Infrastructure: Own data centers in Netherlands — no US cloud dependency for core accounting data
- GDPR Authority: Autoriteit Persoonsgegevens (AP, Netherlands)
Exact has been in continuous operation since 1984. Its own infrastructure in the Netherlands eliminates the AWS CLOUD Act layer entirely. Strong ERP capabilities beyond basic accounting make it suitable for mid-market EU businesses. Particularly strong in Benelux, Germany, and the UK (where GDPR equivalent applies post-Brexit).
Verdict: Mature, proven, maximum infrastructure sovereignty. Best for mid-market and ERP needs.
4. Holded — Spanish All-in-One
- Headquarters: Barcelona, Spain (Holded Technologies SL)
- Infrastructure: AWS eu-south-1 (Milan) + eu-west-1 (Ireland)
- GDPR Authority: AEPD (Agencia Española de Protección de Datos)
Holded is a modern cloud ERP with invoicing, accounting, inventory, and HR modules. The Spanish SL structure means EU-controlled data processing. AWS is used as infrastructure (CLOUD Act layer exists, same as Xero), but Holded SL is the data controller — no NZ or US parent.
Verdict: Strong for Spanish businesses and EU SMBs wanting an all-in-one modern alternative.
5. Lexware — German Kleinunternehmer Standard
- Headquarters: Freiburg im Breisgau, Germany (Haufe Group)
- Infrastructure: Own German servers
- GDPR Authority: LfDI Baden-Württemberg
Lexware is the go-to for German freelancers, sole traders, and Kleinunternehmer. Desktop-first with cloud sync. DATEV-compatible. Owns its servers in Germany — no cloud dependency.
Verdict: Best for German sole traders and small businesses that find DATEV too complex.
6. Sage Business Cloud — UK/EU (Post-Brexit Caveat)
- Headquarters: Newcastle upon Tyne, UK (Sage Group plc, LSE: SGE)
- Infrastructure: AWS eu-west-1 (Ireland) and Microsoft Azure EU regions
- GDPR Authority: ICO (UK, not EU post-Brexit)
Sage is a FTSE 100 UK company — not subject to the US CLOUD Act. However, post-Brexit the UK GDPR is a separate regime and the EU–UK adequacy decision is subject to renewal. Sage's cloud product uses AWS and Azure (US CLOUD Act exposure at infrastructure layer, same as Xero). Best suited for UK businesses and EU businesses with a UK presence.
Verdict: Better than Xero from a NZ/Five Eyes angle, but still carries AWS CLOUD Act risk. Not ideal for EU businesses prioritising maximum sovereignty.
GDPR Compliance Comparison
| Criterion | Xero | DATEV | Pennylane | Exact Online |
|---|---|---|---|---|
| HQ Jurisdiction | New Zealand | Germany | France | Netherlands |
| Five Eyes Member | Yes | No | No | No |
| CLOUD Act (US) | AWS layer | No | Pennylane SAS controller | No |
| EU Adequacy | Yes (NZ, 2012) | N/A (EU→EU) | N/A (EU→EU) | N/A (EU→EU) |
| ISA 2017 Risk | Medium-High | None | None | None |
| SCCs Required | Yes (NZ transfers) | No | No | No |
| Recommended for EU | Review required | ✅ Best | ✅ Recommended | ✅ Recommended |
What EU Businesses Should Do Now
If you use Xero for EU business accounting:
- Transfer Impact Assessment (TIA): Commission a TIA that specifically evaluates NZ ISA 2017 (Sections 43, 64) and AWS CLOUD Act exposure. The EDPB's 2021 TIA recommendations apply.
- Update your ROPA: GDPR Article 30 requires documenting all processing activities including transfers. Xero should appear with both EU–NZ adequacy (for NZ parent access) and SCCs (for US AWS transfers), plus honest risk ratings.
- Inform clients: If your Xero account processes client financial records (for accountants and bookkeepers), your engagement letter or privacy notice should disclose the Five Eyes / AWS data transfer chain.
- Evaluate migration: For businesses serving public sector, financial services, or healthcare clients — where data sovereignty is a contractual or regulatory requirement — migration to DATEV, Pennylane, or Exact Online eliminates both the NZ and AWS risk layers.
Conclusion
Xero is a capable accounting platform. Its New Zealand headquarters, combined with AWS infrastructure, creates a stacked risk profile: NZ Intelligence and Security Act 2017 potential access at the application layer, US CLOUD Act at the infrastructure layer. The EU–NZ adequacy decision provides a transfer mechanism but does not immunise EU financial data from NZ government access or Five Eyes intelligence sharing.
For EU businesses seeking genuine financial data sovereignty, DATEV (Germany), Pennylane (France), and Exact Online (Netherlands) are the structurally sound alternatives — EU-controlled from code to infrastructure.
Next in the EU Accounting Software Series: Sage EU Alternative — UK HQ, post-Brexit adequacy uncertainty, and what LSE-listed means for your financial data.
sota.io runs on EU-native infrastructure — no CLOUD Act, no Five Eyes, no data processing outside the EU.