We take the security of our customers’ data very seriously. We know how important it is to keep this data safe, so we have put in place a set of robust security measures, based on recognised industry best practices.
Sage has an ISO 27001 audit program in place for Sage Business Cloud. We benefit from the excellence that the ISO 27001 program has brought and the advances we have made in standards, which include our SDLC, Hosting, Incident Management, Change Management and Vulnerability Management. We ensure that our main suppliers have ISO 27001 certification and/or an annual SOC-2 type audit program.
We perform background checks for personnel who are entrusted with sensitive information or granted access to sensitive systems – CV checks, reference checks, and DBS checks. There are also specific roles where we do financial checks. We have processes in place to guarantee that access to data is granted solely on a "need-to-know" basis, in accordance with the job descriptions and responsibilities of users. These processes also include removing access when the need no longer exists.
We have a Global Chief Information Security Officer (CISO), who heads the Global Security Team working across the enterprise. Our senior executives discuss Information Security regularly and take accountability for the security within Sage.
Sage’s business cloud data is stored in AWS (Amazon Web Services). Compliance and Security for this data is a shared responsibility between AWS and Sage. AWS is responsible for monitoring and protecting the infrastructure that runs all the services offered in the AWS Cloud. Information about AWS security certifications and obtaining copies of security reports from AWS is available at https://aws.amazon.com/compliance/programs. Sage's data is stored in an AWS data centre which is up to date in its compliance with a set of standards and requirements such as ISO 27001, SOC 1 and SOC 2/SSAE and others.
Read more: https://aws.amazon.com/security/
Amazon Web Services offers Sage the ability to build and host data in many regions and countries. We select AWS regions and availability zones that are as close as possible to where our customers' businesses operate. The table below summarizes where data is kept, for each of our customer bases.

| Sage Customer | Location of Stored Data |
|---|---|
| United Kingdom | AWS, eu-west-1 – Dublin, Ireland |
| European Union | AWS, eu-central-1 – Frankfurt, Germany |
| North America | AWS, us-east-1 – N. Virginia |
| Canada | AWS, us-east-1 – N. Virginia and Canada (ca-central-1) |

Encryption of customer data in transit
When our customers use the service, their computing devices communicate with our Sage servers, and this communication is securely encrypted using the latest versions of a technology called Transport Layer Security, known as TLS. You can click on the padlock symbol in your chosen web browser to confirm this. This protects your session and your data from interference.
Encryption of customer data at rest
When you log in to Sage Accounting, you can see your data. This data held in the service is encrypted. Data is kept in a big database and stored on disk drives. If somebody stole the disk drives (from the secure Amazon Data Centre), nobody could use or read the data. It would be useless. This is often called encryption-at-rest.
Backup copies of customer data and encryption
The database that contains your data is backed up every hour. We store the copies securely, taking the same care over them as we do over the original data. Backups are also encrypted.
Sage proactively monitors for gaps or flaws in our software which could be abused by a cyber attacker. Our dedicated Cyber Defence Operations Security team, active 24 hours a day and 7 days a week, uses SumoLogic, a secure and trusted platform, as its log collection and monitoring application. We ensure that all logs are encrypted while in transit and at rest and are protected from interference. This includes logging from security-related tools which we employ, such as Web Application Firewalls. If you have concerns about a data breach related to Sage Accounting, or if you have found bugs and vulnerabilities in the application, our Customer Services and Cyber Defence Operations teams are at your service 24x7. You can contact them at: Sage Cyber Defence Operations – [email protected]
We have an external policy or notice to the public, users, or customers, describing how we protect the security and privacy of data. Our data handling processes are audited for privacy by both internal and third-party audits. More information is available here: Privacy and Cookies | Sage Canada