<p>Zato undergoes independent third-party penetration testing after every major release, and at minimum every six months — whichever comes first.</p><h2 id="1s3tw31e0bd">The standard</h2><p>Testing follows OWASP (Open Web Application Security Project) standards — the recognised international framework for identifying and addressing web application security vulnerabilities.</p><h2 id="6tds78e0ylz">What happens with results</h2><p>All identified vulnerabilities are triaged, prioritised, and addressed before the next release. Critical findings are addressed immediately — not deferred to scheduled releases.</p><h2 id="1121tarx6iy">Broader security assurance programme</h2><ul><li>Continuous monitoring via AWS security tooling across all regional infrastructure</li><li>Regular internal security reviews aligned with ISO 27001:2022 requirements</li><li>AI system governance reviews aligned with ISO 42001</li><li>SOC 2 controls assessment covering security, availability, and confidentiality</li><li>Annual recertification across all four frameworks</li></ul><h2 id="mlc5kdpxyk1">Requesting documentation</h2><p>The following are available for due diligence:</p><ul><li>Penetration test summary reports</li><li>SOC 2 report (available under NDA)</li><li>ISO 27001:2022 and ISO 42001 certificates</li><li>Security overview documentation</li><li>Data processing agreements</li></ul><p>Contact <strong>security@zatohq.com</strong> or speak to your PSM.</p>

How frequently Zato tests for vulnerabilities, the standards it follows, and how to request security reports for due diligence.

Penetration testing & security assurance

Feature Requests and Ideas

Zato Roadmap

Release Notes

New to Zato? Start here. Everything your team needs before going live — system requirements, key terms, and a platform overview.

Getting Started

Hardware, software, and data requirements to meet before using the Zato Firm Portal.

Prerequisites & system requirements

Definitions of key terms, user types, permissions, and concepts used throughout the Zato platform.

Glossary of key terms

An overview of what Zato does and what this guide covers.

Introduction to Zato

How to log in, reset your password, and manage your profile and notification preferences.

User Login & Security

How to access Zato using your welcome email credentials and complete OTP verification.

Logging in for the first time

How to securely reset your Zato password using OTP verification.

Resetting a forgotten password

How to update your profile, change your password, and configure notification preferences.

Managing your profile & notifications

How Zato's role-based permission system works, what each role can do, and how job visibility is controlled across your firm.

Role Based Access Control

An overview of Zato's built-in roles, key rules, and which jobs each role can see.

Role based access control — overview & job visibility

Full permissions for the Director role — the super administrator of the Zato platform.

Director (Level 6) permissions

Permissions and restrictions for the Manager role — responsible for overseeing workflows and reviewing work.

Manager / Reviewer (Level 5) permissions

Permissions for the Accountant role — the core client processing role in Zato.

Accountant (Level 4) permissions

Permissions and restrictions for Level 3, Level 2, and Level 1 (Admin) roles.

Outsource Accountant, Junior Accountant & Admin roles

How to configure your firm in Zato — from accepting Terms of Use through to setting up users, questionnaires, thresholds, rules, and integrations.

Firm Setup

An overview of the Firm Setup wizard and what each of the seven tabs covers.

Firm setup overview

How to accept the Terms of Use, enter firm details, upload your logo, and register branch offices.

Firm details & branding

How to add users, assign roles, and manage your team's access within Zato.

Permissions & users setup

How to customise end-of-year client questionnaires at the firm level and for individual clients.

Questionnaire configuration

How to configure variance tolerances for each workpaper to align with your firm's materiality guidelines.

Workpaper variance thresholds

How to configure GL and GST materiality thresholds and understand the GST journal logic.

Materiality thresholds

How to create and manage automation rules that govern GL scrutiny across your firm's clients.

Rules Builder

How to connect Zato with FYI Docs and map FYI jobs to Zato jobs.

FYI Docs integration

Two tools that work independently of job creation — Autocoding automates transaction categorisation, and the PDF Splitter separates consolidated PDFs into individual files.

Autocoding & Pdf Splitter

How Autocoding works, how to run it, and how to handle each result category.

Autocoding — automated transaction categorisation

How to use the PDF Splitter to separate a consolidated PDF into individual files.

PDF Splitter

How to add, manage, and sync client records in Zato — manually, via CSV, or automatically from Xero.

Clients

Three methods for bringing client data into Zato, and what information is required for each.

Adding clients — manual, CSV & Auto Fetch

How to sync with Xero, perform bulk actions on clients, and send or schedule questionnaire invites.

Xero Sync, bulk actions & sending questionnaire invites

How to create, configure, and run jobs in Zato — from job creation through CoA mapping, data sources, automation, and viewing results.

Jobs

How to create jobs manually or via CSV, and how to use job management tools including groups, bulk actions, and deletion.

Creating & managing jobs

The three-step Job Setup process — questionnaire review, Chart of Accounts mapping, and uploading data sources.

Job Setup — questionnaire, CoA mapping & data sources

How to run the automation engine and what to review in GL Scrutiny, Workpapers, and Manual Journals.

Running automation & viewing results

How GL Scrutiny works, how to interpret flagged transactions, and the actions available to review and resolve exceptions.

GL Scrutiny

How GL Scrutiny identifies exceptions in the General Ledger and what actions are available to resolve them.

GL Scrutiny — reviewing flagged transactions

How Zato's automatically compiled workpapers work — dashboard navigation, supporting documents, editing, and the Ziffy AI assistant.

Workpapers

Dashboard views, status indicators, and action icons in the Workpapers module.

Workpapers dashboard & navigation

How to manage supporting documents, add sections, edit workpapers, and use carry forward and prior year views.

Workpaper features — supporting docs, sections & editing

What Ziffy AI does, how to access it, and how to use its three tabs — Chats, Shared, and News.

Ziffy AI — in-platform accounting assistant

How to create, post, void, and sync manual journals in Zato — including auto-generated journals from specific workpapers.

Manual Journals

How to create manual journals from a workpaper or the dashboard, post them, sync with Xero, and void or edit them.

Manual journals — creating, posting & managing

How the formal review and director sign-off process works in Zato — from marking ready for review through to final sign-off.

Review & Sign-Off

How to initiate the formal review phase and how to handle approved, pending, and rejected workpapers.

Mark Ready for Review

The director sign-off process — how to complete final sign-off once all workpapers are approved.

Ready for Sign-off

The Command Centre is Zato's centralised communication and review management hub — covering internal queries, client queries, batch queries, and review points.

Command Centre

An overview of the Command Centre, query types by role, and how Brief Notes work.

Command Centre overview

How to manage internal queries and push them to batch for client communication.

Internal queries & batch queries

How Review Points work, why they block sign-off, and how they must be resolved before a job can be completed.

Review Points

When and how to raise client queries, how they are tracked, and where to create them within the platform.

Client queries

How your clients access and use the Zato Client Portal — login, questionnaire completion, responding to queries, and document signing.

Client Portal

How clients access the Zato Client Portal, complete OTP verification, and set up their password for the first time.

Client Portal — login & security

How clients navigate the dashboard, complete questionnaires, respond to queries, and track their status.

Client Portal — dashboard, questionnaires & queries

How to access Zato support, raise tickets, and troubleshoot common issues before escalating.

Support & Troubleshooting

How to access the Zato support team and submit a support ticket from within the platform.

Zato support & raising tickets

Basic troubleshooting steps to try before running automation or raising a support ticket.

Troubleshooting guide

How Zato protects your client data — data sovereignty, security certifications, AI governance, and how to request compliance documentation. For directors and partners conducting due diligence.

Security & Trust

How Zato keeps client data local to each jurisdiction, with NZ data in New Zealand and AU data in Australia.

Where your data is stored — data sovereignty

Zato's four certifications — ISO 27001:2022, ISO 42001, SOC 2, and GDPR — and what each one means in practice.

Security certifications — what they mean for your firm

Why your client data never touches an external AI model and how Ziffy operates inside a closed, jurisdiction-local environment.

No external model training — how Zato's AI works

Where to find Zato's full privacy policy, platform terms, and all compliance documentation.

Privacy policy & compliance documentation

Zato pricing, subscription model, and billing information. For authenticated firms only.

Plans & Billing

Zato's two pricing tiers, what each includes, and how Ziffy AI prompts are allocated.

Pricing overview

How Zato billing works — annual ledger subscriptions, fortnightly direct debit via GoCardless, and how invoices are issued.

Billing & payments

For firms receiving compliance services through Connect. What changes, what stays the same, how the workflow operates, and what your team needs to do. Your fees are unchanged — Connect covers the platform.

Connect Clients

A clear side-by-side of what changes when your jobs move to Zato and what stays exactly as it is.

What is changing and what is not

How the fee arrangement works — Connect absorbs the full Zato platform cost and nothing extra is charged to your firm.

Your fees are unchanged

The 10-step workflow for Connect jobs running through Zato — who does what at each stage.

How jobs flow through Zato

How GL Scrutiny rules are established for Connect jobs, why they follow a formal change process, and how in-house rules work differently.

GL Scrutiny rules — how they are set and maintained

The four roles your firm needs configured in Zato, what each one does, and the full permission level reference.

Your team's roles on Zato

How the transition rolls out from 23 March through to fully ramped — and what your firm needs to do at each stage.

Transition timeline

Everything your firm needs to do before and after go-live — broken down by timeframe.

What your firm needs to action

Everything about the Foundation 50 Pioneer Programme — timeline, job selection, document checklist, how Zato supports your first 10 ledgers, and what happens after. For Foundation 50 firms only.

Foundation 50 Programme

What the Foundation 50 is, what your firm gets, and what you hold permanently as one of the first 50 firms.

What is the Foundation 50 Programme

Key dates from programme launch through to the strategic review, and what happens at each milestone.

Programme timeline

The recommended entity mix, business types to include, and what to save for after full rollout.

Choosing your first 10 jobs

Every document needed for each of your 10 Foundation 50 jobs, where to get it, and how to submit it to your PSM.

Document checklist

How the Foundation Period splits between Zato-led setup and your team taking the lead.

Jobs 1–5 vs Jobs 6–10

What Circles are, how sessions are structured, and what your firm gets from participating.

Foundation 50 Circles

What the champion role involves, who makes a good champion, and how to nominate.

Nominating your champion

The strategic review, what your PSM presents, and how the path to full rollout works.

What happens after 10 ledgers

How can we help you?

Help Center

Improved

Fixed

zato

In Review

Planned

In Progress

Completed

Rejected

High Priority

Low Priority

<p>See what we are building next. Features move from Backlog through to Shipped as development progresses. Vote for ideas on the Feature Requests board to influence what gets prioritised.</p>

Next up

Shipped

<img src="https://69d46bd597e5073f3e3090ab.featurebase-attachments.com/c/pending/019d7065-f0d7-751d-8413-ca1c3c7e17e2/b64u-MDE5ZDcwNjUtZjBjOC03N2VlLWFmNDgtMzQ3MzliOTAxNmFk.png?X-Amz-Expires=3600&amp;X-Amz-Date=20260409T040022Z&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=DO801TYC4FCVNNEKURKM%2F20260409%2Ffra1%2Fs3%2Faws4_request&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=fefb17a12c833f8cd2b504f728339f34f0b05c5ce4a365d8c327558cae63c82d" data-width="50%" data-align="left" alt="Zato Logo"><img src="https://69d46bd597e5073f3e3090ab.featurebase-attachments.com/c/pending/019d7065-f33f-7f7d-a64a-8b9371589bdf/b64u-MDE5ZDcwNjUtZjMzMS03NGU4LThhY2QtYzg2YzlmYmJlZTZi.png?X-Amz-Expires=3600&amp;X-Amz-Date=20260409T040022Z&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=DO801TYC4FCVNNEKURKM%2F20260409%2Ffra1%2Fs3%2Faws4_request&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Signature=9c588e94eca062af6daed67497d6ee55a87edcc6b6956cac9807833bcf7c4242" data-width="100%" data-align="left" alt="Divider"><p></p><p><a target="_blank" rel="noopener noreferrer nofollow" class="link" href="mailto:saurav@zatohq.com">team@zatohq.com</a>&nbsp;| <a target="_blank" rel="noopener noreferrer nofollow" class="link" href="http://www.zatohq.com">www.zatohq.com</a></p><p><strong>NZ:</strong> Level 2, 125 The Strand, Parnell, Auckland, 1010</p><p><strong>AU:</strong> Level 8, Australia Square, 264-278 George St, Sydney NSW 2000</p><p></p><p><em>All services provided by Zato are subject to our Terms of Use available at www.zatohq.com/terms-of-use. This email and any attachments are confidential and intended solely for the named recipient. If received in error, please notify the sender and delete it. Zato accepts no liability for any reliance placed on this communication.</em></p><p></p>

 Level 2, 125 The Strand, Parnell, Auckland, 1010

 Level 8, Australia Square, 264-278 George St, Sydney NSW 2000

All services provided by Zato are subject to our Terms of Use available at www.zatohq.com/terms-of-use. This email and any attachments are confidential and intended solely for the named recipient. If received in error, please notify the sender and delete it. Zato accepts no liability for any reliance placed on this communication.