search icon

Data security practices

Security at Sage includes the processes designed to keep data secure from unauthorised access or changes, and the practises of defending Sage products and networks from cyber-attacks. 


Security is at the heart of our products and is just as important as every other aspect of creating great software for our customers. We enable our customers to focus on their business by making security easy to manage, giving peace of mind that customer data is protected.

We aim to deliver cyber security measures which achieve the highest degree of quality and reliability for our products. We apply a zero-tolerance approach to non-compliance with our security standards.

Shift left

Security needs to be baked into a product right from the start – before a line of code is ever written. Our stringent coding standards and continuous testing means that security is integrated throughout our development processes.

Secure by design

Making products secure by design means that security can not be bolted on or added retrospectively. We iron out vulnerabilities at product design stage, and with every new feature. With threat modelling, our security architecture standards, and regular security training for our team, we minimise the opportunity for weaknesses in our products.

Our cloud security

Sage has experience and expertise of working in the cloud, built up over many years. We believe it is the best way to deliver great security in our products.

The cloud allows security scale which is impossible to replicate in any other way. We adopt the very best of public cloud for secure configuration and operation of our products, patching, updates and security which is completely transparent to our customers. 

Sage Business Cloud products take full advantage of high availability and denial of service protection, as well as more sophisticated features such as:

  • web application firewalls
  • 24/7 monitoring and threat detection
  • secrets management
  • serverless and container security
  • traffic inspection
  • secure back-ups and disaster recovery

Our products are built from the ground up to make the most these benefits.

Responsible disclosure policy

Sage supports the efforts of the internet community to do the right thing and make the online world a safer place for everyone. We provide a clear and simple way to report security vulnerabilities to Sage. Please report any security vulnerabilities to [email protected].

We follow the latest vulnerability disclosure toolkit provided by the ISO and the ISO/IEC 29147:2018 Information technology - Security techniques - Vulnerability disclosure guidelines.

Read Sage’s vulnerability disclosure policy.

We implement the tools and technologies to protect our systems, devices, and data, wherever they sit. We use comprehensive security monitoring tools, develop code securely from the outset, and regularly test our approach with targeted security testing. Just as we do the right thing when processing our customers' personal data, we do the right thing when it comes to security.  

Encryption of customer data in transit  

Traffic to and from Sage websites and applications is encrypted using the latest recommended versions of the internationally recognised Transport Layer Security (TLS) protocol. TLS is widely used to protect sensitive data, such as usernames, passwords and private data as it flows across the internet. TLS ensures the confidentiality, privacy and integrity of data by using strong encryption.

Encryption of customer data at rest  

Your data is encrypted while stored in Sage databases within the cloud. This means that if someone were to take disk drives from a data centre, they would be unable to read the data. This is called 'encryption at rest'. Our products use an advanced type of encryption to encrypt disks, databases, and individual files, giving you the best level of protection available.  

Finding and fixing security problems

Sage proactively monitors for vulnerabilities in our software which could be exploited by a cyber attacker. If you have concerns about a potential data breach related to Sage products, or if you have found a suspected vulnerability in a product, contact our 24/7 Cyber Defence Operations team via email: [email protected].

Secure coding

All Sage code is subject to reviews, where code is independently checked and scanned for flaws or vulnerabilities. Sage also follows the guidelines set out in the Open Web Application Security Project (OWASP) Top Ten. This is internationally recognised research conducted on the top ten most important security risks that are affecting software and web applications. Sage product developers are regularly trained in security to ensure they have all the skills they need to meet our standards.

Continuous security testing

Alongside a range of offensive security techniques, all products are subject to a penetration testing cycle. Any vulnerabilities are corrected in line with industry best practise. Find more information about penetration testing and offensive security at Sage.

24/7 security monitoring

Sage has sophisticated security monitoring systems across devices, products, and our corporate IT network infrastructure. Every production environment is monitored continually 24/7 for potentially malicious activity by the Sage Cyber Defence Operations Team.

2-Factor Authentication (2FA)

All Sage Business Cloud products support 2FA - we strongly advise our customers to enable it. Using 2FA significantly reduces the risk of unauthorised access to your data. Find out how to set up 2FA.


Give Feedback