Where is the data physically located?
The primary data centre is in the Republic of Ireland. The secondary data centre is in the Netherlands.
Where are the SQL database administrators (DBAs) and other network support staff based?
Newcastle Upon Tyne, United Kingdom.
In which data centre tier does a particular data set reside?
Our hosting provider, Microsoft, do not publish information on TIA tiering. Details of their certification and compliance can be found here.
What processes are in place in case of outage or downtime events?
Customer data is backed up to a geographically distant secondary location. Sage has a documented procedure for restoration of service in the event of an outage and a well-defined incident management procedure in case of smaller service interruptions. We have carried out a business resiliency assessment to understand the risks of outages affecting Sage facilities.
Data centre equipment failures and protection from environmental risks are covered by the IT controls of our hosting provider, Microsoft. This is an extract from their published documentation:
- The data centers have dedicated 24x7 uninterruptible power supply (UPS) and emergency power support, which may include generators. Regular maintenance and testing is conducted for both the UPS and generators. Data centers have made arrangements for emergency fuel delivery. The data center has a dedicated Facility Operations Center to monitor the following:
- Power systems, including all critical electrical components – generators, transfer switch, main switchgear, power management module and uninterruptible power supply equipment.
- The Heating, Ventilation and Air Conditioning (HVAC) system, which controls and monitors space temperature and humidity within the data centers, space pressurization and outside air intake. Fire Detection and Suppression systems exist at all data centers. Additionally, portable fire extinguishers are available at various locations in the data center. Routine maintenance is performed on facility and environmental protection equipment.
“Protecting against external and environmental threats and supporting utilities” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.1.4 and 9.2.2. For more information review of the publicly available ISO standards we are certified against is suggested.
Environmental controls have been implemented to protect the data center including:
- Temperature control
- Heating, Ventilation and Air Conditioning (HVAC)
- Fire detection and suppression systems
- Power Management systems
“Protecting against external and environmental threats” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.1.4. For more information, a review of the publicly available ISO standards we are certified against is suggested.
We review these processes regularly.
Can we obtain a copy of your incident management process?
We do not provide copies of our internal processes, we regularly review them. Please also refer to question 12.
Are you accredited? If so, which industry standard(s)?
Our hosting provider, Microsoft, has ISO27001/27002/270018 certification covering all the service component that we use. For details, please see here. Sage 200 Standard Online and Sage for Education are not accredited, but Sage operates an internal IT controls framework covering security and continuity of service. Sage 200 Standard Online and Sage for Education have been audited against this controls framework.
Microsoft certifications relating to cloud hosting etc in which our services operate from can be found here.
Can you provide regular SAS 70 type II reports or SSAE16 Type II reports?
Our hosting provider, Microsoft, provides SOC 1 Type 2 and SOC 2 Type 2 reports on request for customers.
Is traffic to and from the cloud service encrypted? If so, at what level?
Traffic to and from the cloud services is encrypted at the transport level (HTTPS).
If data resides on local hardware, is it encrypted at rest?
Classified data residing on local hardware is encrypted at rest.
Communication with servers uses TLS and Https is mandated.
Sage operate a global information classification and Handling policy/process which defines data/information types and the subsequent security controls required for safe storage, transmission etc of the respective data.
What is the data store type & version?
Microsoft SQL Azure
What types of Intrusion Detection Systems are being used, if any?
All incoming traffic passes through a network based IPS/IDS. Network traffic inside the datacentre is monitored by our hosting provider, Microsoft.
Have there been attacks in the past? If so, how were the attacks managed and was data compromised?
Sage operates a documented incident management procedure to handle a multitude of incident types, this includes security related incidents such as a breach scenario. We do not routinely publish information on attacks, however, Sage policy is to comply with our statutory obligation and to follow the guidance from the UK Information Commissioners Office on breach reporting.
How will I be alerted to potential intrusion events and other security threats?
Sage policy is to comply with our statutory obligation and to follow the guidance from the UK Information Commissioners Office on breach reporting. In addition our product terms refer to our Data Protection Addendum (available here).
What certifications has the application received?
Sage 200 Standard Online has not received certifications, however, our hosting provider, Microsoft, has ISO27001/27002/270018 certification covering all the service components that we use. For details, please see here.
Do you perform code reviews?
Code reviews are undertaken on all new / modified code.
Do you follow OWASP coding guidelines?
Yes, in addition all Product Engineering team members must undertake mandatory, yearly security training.
Do you conduct threat modelling?
Yes, on new features, where appropriate.
Do you conduct independent penetration testing?
Yes, we regularly conduct penetration testing via third parties.
We do not share penetration testing results. Sage operate a global Technical Vulnerability Management policy and subsequent processes which define resolution times of technical vulnerabilities based upon the risk category. All items are tracked until closure.
For initial login – do you support whitelisted IP’s, MFAs etc?
Login is via Sage ID which does use MFA, you can find out how to activate it here. System sits behind Cloudflare.
Do you utilise containers or VM’s? What hardening mechanisms they use to protect the OS layer?
Neither, we use Cloud Services (PAAS) – these services are further hardened by Sage to remove insecure cyphers form the system.
Do you follow Microsoft best practices?
Yes, we have regular contact with Microsoft personnel including Microsoft architects.
Are containers used for deploying the environment?
No but we have a pre-production environment which is utilised prior to product deployment.
How do they vet employees who will have physical access to the network and compute infrastructure that hosts your application?
No Sage employees have physical access to the network and compute infrastructure that hosts our applications. Our hosting provider, Microsoft, publishes the following on their vetting process:
"All Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history."
They do not publish information for non-US based employees.
How do they securely delete or destroy my data when requested?
The retention period for customer data following termination of the agreement is defined within our Product Terms. Sage 200 Product terms are available on the relevant legal pages: UK | IRL.
Within this period, a customer can request a recent backup copy of their data. After this period it will be deleted.
The actual destruction of data is covered by the IT controls of our hosting provider, Microsoft. This is an extract from their published documentation:
"Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped we use a destruction process that destroys it (i.e. shredding) and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. "
"All Windows Azure services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle."
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.6 and 10.7.2. For more information review of the publicly available ISO standards we are certified against is suggested."
What browsers are supported?
System requirements are available in our help files, click here to access information on Microsoft Office requirements and supported web browsers.
What compatibility do you have with Google tools and applications?
We provide Google maps integration and GooglePay – details available in our helpfiles.
What compatibility do you have with Microsoft Office Suite applications?
System requirements are available in our help files, click here to access information on Microsoft Office requirements.
We also provide connection to the Microsoft Power Platform which includes Power Apps, Power BI & Power Automate. These licences are not available from Sage, we currently provider a connector to link the applications, details can be found here.
Is there access on mobile devices?
Yes, full details on the web app are available in our help files Sage 200 Standard / Sage for Education.
Is information stored on mobile devices, if so, is it encrypted in transit and at rest?
No. Although access is available using mobile devices, information is not stored on the mobile device.
Is two factor authentication possible?
No.
How does Sage 200 deal with PCI/DSS compliance?
Further details can be found on this article.
Where can I see the Data Protection addendum referenced in the product terms?
Further details can be located http://www.sage.com/dataprotectionaddendum.
Where can I see details on the Sage Privacy Policy?
Further details can be located https://www.sage.com/en-gb/legal/privacy-and-cookies/.
Will you complete an individual security questionnaire for my business/institution?
Unfortunately, it’s not possible to provide individual responses. This document is designed to cover all common questions. Should you have a specific question that this document has not addressed, please speak to your Sage support provider; which may be a Sage Business Partner or Sage directly, they will arrange to review your questions and update this document where appropriate.
Does Sage 200 send invoice data to any other application/database?
Yes – this will vary depending on what you have activated within your software:
- In you have subscription to our payment cloud services – information is shared with them. This includes Stripe/ PayPal & GoCardless.
- If you use Microsoft Outlook payment processing, the payment requests are handled by Microsoft routed to our payment cloud services.
- Due to the amendable nature of the product the use of any 3rd party solution may share data, you will need to speed to your Sage Business Partner and/or 3rd Party developer to understand the information that is being shared.
How does Sage 200 handle personal data?
Data within the system is the responsibility of the end user to manage to ensure they comply with necessary policies. Further information can be found in our knowledgebase.
How does user management & assignment work, what level of traceability is available?
Login to the portal & application is via Sage ID which is unique and tied to the individuals email address. Additional user set up; maintenance & monitoring is the responsibility of the end user – Sage (or your partner) will create the initial user which is the individual who agrees to the product terms.
Customers should ensure that user access is regularly reviewed in line with their business processes.
The following links will also assist:
The application includes an audit trail which outlines the activity undertaken by each user. In addition, the portal contains logs and audits to show a variety of activity.
In all cases, the addition of a user to your site will send the administration level user(s) a notification email. You should review the notification.
Where you are serviced by a business partner, they need to get consent from the site admin to access your site with partner level authority.
Is there a backup procedure process & strategy?
Please also refer to question 4.
In addition, the provisioning portal takes automated rolling backups for 7 days, 1 month and 1 annual. You can take 5 additional manual backups in which you can take a fresh manual backup at any time or move one of the automated backups in order to keep it longer than the rolling cycle.
We encourage customers to instigate their own backup strategy using the provisioning portal and not rely solely on the automated process – you can find out more in the helpfiles.
Backups are encrypted at rest and in transit. They are only exported on demand, at which point the file contents themselves are unencrypted, but only accessible via a signed URL.
Does the application have records of processing?
There is an audit trail which details who entered invoices (and other transaction types)
Transaction Audit Trail list – Helpfile information:
Transaction Audit File which is accessible within the application.
Are you able to share the service availability history?
Yes, this is available on our website https://my.sage.co.uk/support/sage-200/availability.aspx
How do you inform customers of maintenance windows and/or service disruption?
Maintenance windows have a provision within our product terms for every Friday evening, we do not utilise all of these periods and will provide an in-product message for maintenance windows, including those not taking place on a Friday.
Maintenance announcements are also put onto our Service Status page - https://status.sage.com/
If there is an incident, as we may not be able to communicate you with our in-product page, we will utilise one or more of the following options:
In product messaging
Service status page - https://status.sage.com/
Email to all administration users set up within the Sage 200 Standard/ Education system
Email to all users set up within the Sage 200 Standard/ Education system
Messaging for direct customers, messaging on our telephony system
Please see further information in regards to fair usage policy for Sage 200 Standard Online.