1. Can we obtain a copy of your incident management process?
We do not provide copies of our internal processes; we regularly review them.

2. Is traffic to and from the web services encrypted? If so, at what level?
Traffic to and from the web services is encrypted at the transport level (HTTPS).

3. Do you perform code reviews?
Code reviews are undertaken on all new / modified code.

4. Do you follow OWASP coding guidelines?
Yes. In addition, all Product Engineering team members must undertake mandatory, yearly security training.

5. Do you conduct threat modelling?
Yes, on new and existing features, where appropriate.

6. What browsers are supported?
System requirements are available in our supporting documentation, click here to access this information.

7. What compatibility do you have with Google tools and applications?
We provide Google Maps integration and GooglePay – details available in our help files.

8. What compatibility do you have with Microsoft Office Suite applications?
System requirements are available in our supporting documentation, click here to access this information. We also provide connection to the Microsoft Power Platform, which includes Power Apps, Power BI & Power Automate. These licences are not available from Sage; we currently provide a connector to link the applications, details can be found here.

9. Is there access on mobile devices?
Yes, full details on the web app are available in our help files here.

10. Is two factor authentication possible?
No.

11. How does Sage 200 deal with PCI/DSS compliance?
Further details can be found on this article.

12. Where can I see the Data Protection addendum referenced in the product terms?
Further details can be located at http://www.sage.com/dataprotectionaddendum.

13. Where can I see details on the Sage Privacy Policy?
Further details can be located at https://www.sage.com/en-gb/legal/privacy-and-cookies/.

14. Will you complete an individual security questionnaire for my business/institution?
Unfortunately, it's not possible to provide individual responses. This document is designed to cover all common questions. Should you have a specific question that this document has not addressed, please speak to your Sage support provider, which may be a Sage Business Partner or Sage directly; they will arrange to review your questions and update this document where appropriate.

15. Does Sage 200 send invoice data to any other application/database?
Yes – this will vary depending on what you have activated within your software:
- If you have a subscription to our payment cloud services, information is shared with them. This includes Stripe/PayPal & GoCardless.
- If you use Microsoft Outlook payment processing, the payment requests are handled by Microsoft and routed to our payment cloud services.
- Due to the amendable nature of the product, the use of any 3rd party solution may share data; you will need to speak to your Sage Business Partner and/or 3rd party developer to understand the information that is being shared.

16. How does Sage 200 handle personal data?
Data within the system is the responsibility of the end user to manage to ensure they comply with necessary policies. Further information can be found in our knowledgebase:
- GDPR data protection principles and Sage 200
- GDPR – individual rights and Sage 200

17. Does the application have records of processing?
There is an audit trail, the Transaction Audit File, which details who entered invoices (and other transaction types) and is accessible within the application – Helpfile information.

18. Can the Microsoft SQL server database be encrypted?
It is not practical or feasible for us to test Sage 200 Professional on all configurations. We do not test Sage 200 Professional with encrypted Microsoft SQL server. If you wish to enable encryption on Microsoft SQL server you will need to test this configuration.

19. Do you support Microsoft SQL server?
Sage does not offer support for Microsoft SQL server. The Sage business partner supports Microsoft SQL server for the customer. Please refer to the business partner handbook.

20. Do you support Microsoft IIS?
Sage does not offer support for Microsoft IIS. The Sage business partner supports Microsoft IIS for the customer. Please refer to the business partner handbook.

21. Do you support Active Directory?
Sage does not offer support for Active Directory. The Sage business partner supports Active Directory for the customer. Please refer to the business partner handbook.

22. How does Sage 200 Professional authenticate?
Sage 200 Professional uses Windows authentication. It will use the credentials of the user currently logged into Windows for authentication.

23. Can Sage 200 Professional force the user to enter their password at logon time?
Yes. Enforce Login can be enabled in the System Administration tool - Helpfile information.

24. What version of the library XXXX does Sage 200 Professional use?
We don't publish version numbers of third party libraries we use within Sage 200 Professional.

25. Does Sage 200 Professional allow browsing to any web application directories?
No, this is turned off within IIS.

26. Do the Sage 200 Professional web services allow X-Frame-Options?
No. X-Frame-Options is set to deny in the IIS services, so the pages cannot be rendered in a frame or iframe.

27. Do you conduct independent penetration testing?
Yes, we regularly conduct penetration testing via third parties. We do not share penetration testing results. Sage operate a global Technical Vulnerability Management policy and subsequent processes which define resolution times of technical vulnerabilities based upon the risk category. All items are tracked until closure.

28. What testing/validation is undertaken on Sage 200 Professional?
Sage 200 Product Engineering test the software at all stages of the development lifecycle. These include, but are not limited to:
- Integration & Co-Existence Testing
- Security, including where appropriate Threat Modelling for new features and Penetration Testing via independent third parties
- Load/Stress Testing
- Non Functional Testing including different Operating Systems and devices
- Manual Testing
- Automated Testing including at the unit, API and Feature level
- Manual Regression
- Automated Regression
- Accessibility Testing