search icon

Data security practices

Security at Sage includes best cyber security practices and process designed to keep data secure from unauthorized access or changes, defending Sage products and networks from cyberattacks.


Security is at the heart of our products and this is just as important as every other aspect of creating great software for our customers. By making security easy to manage, we enable our customers to focus on their business, which gives them peace of mind that customer data is protected.

Our goal is to deliver cybersecurity measures for our products with the highest degree of quality and reliability, and in-line with data security best practices and security controls.

Shift left

Security needs to be baked into a product right from the start—and before a line of code is even written. Our stringent coding standards, security controls, and continuous testing means that security is integrated throughout our development processes.

Secure by design

Making secure products by design means that security cannot just be tacked on after the fact. We iron out any vulnerabilities at the product design stage, alongside every new feature. Through threat modeling, our security architecture standards, and regular security training for our team, we minimize the opportunity for weaknesses in our products.

Our cloud security

Sage has experience and expertise of working in the cloud, built up over many years. We believe it is the best way to deliver great security in our products.

The cloud allows security scale which is impossible to replicate in any other way. We adopt the very best of public cloud for secure configuration and operation of our products, patching, updates and security which is completely transparent to our customers. 

Sage Business Cloud products take full advantage of high availability and denial of service protection, as well as more sophisticated features such as:

  • web application firewalls
  • 24/7 monitoring and threat detection
  • secrets management
  • serverless and container security
  • traffic inspection
  • secure back-ups and disaster recovery

Our products are built from the ground up to make the most these benefits.

Responsible disclosure policy

Sage supports the efforts of the online community to do the right thing and to make the online world a safer place for everyone. We provide a clear and easy way to report security vulnerabilities to Sage. Please report any security vulnerabilities at [email protected]

We follow the latest vulnerability disclosure toolkit provided by the ISO and the ISO/IEC 29147:2018 Information technology - Security techniques - Vulnerability disclosure guidelines.

Read Sage’s vulnerability disclosure policy.

We implement the tools, technologies, and best cyber security practices to protect our systems, devices, and data, wherever they sit. We use comprehensive security monitoring tools, develop code securely from day one, and test our approach regularly with targeted security testing. We securely manage our customers' personal data, just as we do when it comes to security.  

Encryption of customer data in transit  

Traffic to and from Sage websites and applications is encrypted using the latest recommended versions of the internationally recognized Transport Layer Security (TLS) protocol. TLS is widely used to protect sensitive data, such as usernames, passwords and private data as it flows across the internet. TLS ensures the confidentiality, privacy and integrity of your data by using strong encryption.

Encryption of customer data at rest  

Your data is always encrypted when stored in Sage databases within the cloud. This means that if someone were to take disk drives from a data center, they would be unable to read the data. This is called "encryption at rest". Our products use an advanced type of encryption to encrypt disks, databases and individual files, giving you the best level of protection available.  

Finding and fixing security problems

Sage proactively monitors for any vulnerabilities in our software that could be exploited by a cyberattacker. If you have concerns about a potential data breach related to Sage products or if you have found a suspected vulnerability in a product, please contact our 24/7 Cyber Defense Operations team via email: [email protected].

Secure coding

All Sage code is subject to reviews, where code is independently checked and scanned for flaws or vulnerabilities. Sage also follows the guidelines set out in the Open Web Application Security Project (OWASP) Top Ten. This is internationally recognized research conducted on the top ten most important security risks that affect software and web applications. Sage product developers are regularly trained in security to ensure they have all the skills they need to meet our standards.

Continuous security testing

Alongside a range of offensive security techniques, all products are subject to a penetration testing cycle. Any vulnerabilities are corrected in line with industry best practices. Find more information about penetration testing and offensive security at Sage.

24/7 security monitoring

Sage has sophisticated security monitoring systems across devices, products and our corporate IT network infrastructure. Every production environment is continuously monitored for potentially malicious activity by the Sage Cyber Defense Operations Team.

2-Factor Authentication (2FA)

All Sage Business Cloud products support 2FA and we strongly recommend that all of our customers enable this. Using 2FA significantly reduces the risk of unauthorized access to your data. Find out how to set up 2FA.


Give Feedback