Standards and compliance

We take the security of our customers’ data very seriously. Explore how Sage is committed to industry-recognized standards and to maintaining regulatory compliance, which contributes to the robust security of your data and software.

We understand your role in security

In today's complex tech landscape, our understanding of legal requirements, international certifications, and standards is vital to keeping our customers secure and compliant.

Security governance

Good governance is critical for effective security. At Sage, this starts at the top with our CEO and Board and extends throughout our organization. Our practices are independently validated by external reviews and certifications.

Risk assessments

Cyber risks are a strategic issue at Sage and are subject to robust oversight and practices. Our regular and comprehensive cyber risk assessments help determine the security protocols and controls we prioritize.

Shared security model

We utilize the security features provided by our cloud hosting partners, AWS and Microsoft Azure, and augment them with our own tools and capabilities. We do this to minimize the security burden on customers.

Sage commitment to security standards

Our meticulous approach to compliance is what sets us apart.

Security Frameworks: Sage has built its information security management system using the international standard ISO 27001. We use standards and frameworks such as ISO 27002, NIST, and AICPA when selecting and designing security controls and processes required to achieve our cybersecurity risk objectives.

Policies: Sage ensures compliance with security standards and regulations through rigorous corporate governance. This means policies covering information security, secure development, acceptable use of our internal systems, personal data protection, and data handling are routinely reviewed, updated, and embedded in the organization.

Legal: Sage supports legal compliance by regularly reviewing the regulatory and legal landscape for new or potential updates, conducting audits of legal compliance, and maintaining a record of processing activities (ROPA) as required under Article 30 of the GDPR.

GDPR and CCPA: Sage is compliant with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and all other relevant data privacy regulations in the jurisdictions where we process data.

ISO 27001: the only auditable international standard that defines the requirements for an information security management system (ISMS), which is a set of policies, procedures, processes, and systems that manage information security risks, such as cyberattacks. We’re certified to ISO 27001 for the secure development and operation of our cloud-based accounting, financial management, HR and people, and business management software-as-a-service (SaaS) within the Sage Business Cloud.

SOC 2: an internal controls report that captures how a company safeguards customer data and how well those internal controls are operating. At Sage, we are continuously expanding the scope of these reports to include more products and services.

The Payment Card Industry Data Security Standard (PCI DSS): a set of policies and procedures designed to optimize the security of credit, debit, and cash card transactions. Sage is compliant with PCI DSS at Level 1, ensuring the protection of cardholders against the misuse of their personal data.

The Health Insurance Portability and Accountability Act (HIPAA): sets the standard for the protection of confidential patient data. Sage Intacct is certified to meet the requirements of HIPAA.

Control assurance: we maintain a comprehensive security control assurance program that seeks to ensure our products meet our product security standards. Our products are regularly reviewed against these standards so that we fully understand the effectiveness of our security controls.

Change management: all updates, patches, or new software releases are governed by change or release management processes and strict standards.

Access controls: the principle of 'least privilege' is central to our access control processes, from provisioning access and managing privileged access to data and systems, through to the requirements and contractual agreements we place on our suppliers.

Cryptography: we formalize our cryptography requirements per all mandatory policies and standards. We define the cryptographic algorithms and designs approved for use in Sage products and solutions.

Incident response, business continuity, and disaster recovery: we regularly test and exercise our incident response and business continuity policies and procedures, which include data backup and recovery plans that prepare us for a range of scenarios and ensure we can respond effectively to any issue that may arise.

Security of third parties and suppliers

Our partnerships are built on trust, and we want to ensure they rest on a foundation of stringent security standards.

  • Assessing Third-party Security: Sage operates a comprehensive supply chain assurance program to ensure any data or critical services are protected at all times.
  • Vendor Management: before integrating third-party services or components, we conduct a thorough security assessment to identify any security issues and address them upfront.
  • Contractual Agreements and Audits: vendors may be subject to annual reassessments. We also work with several third-party security ratings services that use AI technologies to continuously monitor our suppliers, and we take appropriate action to remediate any changes in their security posture.

Ensuring data security

Your data is your most valuable asset, and we're committed to protecting it.

  • Data security measures: traffic to and from Sage applications and websites is encrypted using the latest versions of the internationally recognized Transport Layer Security (TLS) protocol. TLS ensures the confidentiality, integrity, and availability of sensitive data as it is transmitted over the Internet.
  • Access Controls: the principle of least privilege always applies, and therefore access is granted to users on an essential need basis. Access control procedures and controls must be documented and regularly audited.
  • Cloud-hosted: by partnering with industry-leading cloud service providers, we offer multiple layers of security controls, ensuring that your data is not only accessible but also secure.

Continue your journey

Learn more about our unwavering commitment to cybersecurity. Dive deeper with our dedicated pages on monitoring and operations and on secure development.

Monitoring and operations

Explore the depth of our 24/7 monitoring and operations strategy, dedicated to ensuring the utmost security and reliability of your data and systems.

Secure development

Discover how we approach software development, where every piece of code is meticulously crafted with security built in from the outset.