Sage 200 Professional SPC - Frequently asked security questions
Description

This article is designed to assist customers, partners & Sage colleagues with common security questions regarding:

  • Sage 200 Professional – deployed via the Sage Provisioning Portal

For information relating to our other Sage 200 variants please use the links below:

We keep this security FAQ under regular review and may update it from time to time to reflect current practices. This version was last updated in December 2022.

NOTE: As you have a support arrangement through our network of business partners, it’s essential to undertake discussions with them in addition to reviewing this document. They will be able to share their processes and procedures around their user access and data.

Additionally, as this deployment is on a Sage Partner’s Azure subscription you should discuss any questions in detail with them directly.

Lastly, discussions with 3rd party developers will be required to understand how their application works, their processes & procedures.

Further details are outlined on our Trust & Security Hub.

Resolution

Q & A

1. Where is data physically located?

As the Microsoft Azure subscription for this product variant is managed via your partner, the location will depend on the subscription they chose. Please contact your Sage Business Partner to ask which region your deployment resides in.

2. Where are the SQL database administrators (DBAs) and other network support staff based?

As this solution is hosted on SQL Azure, you will need to speak to your Sage Business Partner.

3. In which data centre tier does a particular data set reside?

Microsoft does not publish information on TIA tiering. Details of their certification and compliance can be found here.

4. What processes are in place in case of outage or downtime events?

Customer data is automatically backed up via the Sage Provisioning Portal. Your Sage Partner will discuss your backup requirements and may complement the automated backup routines with additional elements that are suitable to your business. Your partner will have a documented procedure for restoration of service in the event of an outage and a well-defined incident management procedure in case of smaller service interruptions.

Additionally, data centre equipment failures and protection from environmental risks are covered by the IT controls of the hosting provider, Microsoft. This is an extract from their published documentation:

  • The data centres have dedicated 24x7 uninterruptible power supply (UPS) and emergency power support, which may include generators. Regular maintenance and testing is conducted for both the UPS and generators. Data centres have made arrangements for emergency fuel delivery. The data centre has a dedicated Facility Operations Centre to monitor the following:
    • Power systems, including all critical electrical components – generators, transfer switch, main switchgear, power management module and uninterruptible power supply equipment.
    • The Heating, Ventilation and Air Conditioning (HVAC) system, which controls and monitors space temperature and humidity within the data centres, space pressurization and outside air intake. Fire Detection and Suppression systems exist at all data centres. Additionally, portable fire extinguishers are available at various locations in the data centre. Routine maintenance is performed on facility and environmental protection equipment.

      “Protecting against external and environmental threats and supporting utilities” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.1.4 and 9.2.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.

  • Environmental controls have been implemented to protect the data centre including:
    • Temperature control
    • Heating, Ventilation and Air Conditioning (HVAC)
    • Fire detection and suppression systems
    • Power Management systems

      “Protecting against external and environmental threats” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.1.4. For more information, a review of the publicly available ISO standards we are certified against is suggested.

We review these processes regularly.

5. Can we obtain a copy of your incident management process?

We do not provide copies of our internal processes; we review them regularly. Please also refer to question 12. You will also need to speak to your Sage Business Partner about their incident management processes.

6. Are you accredited? If so, which industry standard(s)?

In connection with Azure, Microsoft has ISO 27001/27002/27018 certification. For details, please see here.

Sage 200 Professional (SPC) is not accredited, but Sage operates an internal IT controls framework covering security and continuity of service. Sage 200 Professional on SPC has been audited against this control framework.

7. Can you provide regular SAS 70 Type II reports or SSAE16 Type II reports?

Our hosting provider, Microsoft, provides SOC 1 Type 2 and SOC 2 Type 2 reports on request for customers.

8. Is traffic to and from the cloud service encrypted? If so, at what level?

Traffic to and from the cloud services is encrypted at the transport level (HTTPS).

9. If data resides on local hardware, is it encrypted at rest?

Classified data residing on local hardware is encrypted at rest.

Communication with servers uses TLS, and HTTPS is mandated. Sage operates a global Information Classification and Handling policy/process which defines data/information types and the security controls subsequently required for safe storage, transmission, etc. of the respective data.

As your partner may have altered the Azure Virtual machine you will need to speak to them to see what amendments have been made.

10. What is the data store type & version?

Microsoft SQL Azure is used; this is automatically updated when updates are available from Microsoft. Please refer to their supporting documentation for additional information on this.

11. What types of Intrusion Detection Systems are being used, if any?

All incoming traffic passes through a network-based IPS/IDS. Network traffic inside the data centre is monitored by our hosting provider, Microsoft. As your partner may have altered the Azure Virtual Machine, you will need to speak to them to see what amendments have been made.

12. Have there been any attacks in the past? If so, how were the attacks managed and was the data compromised?

Sage operates a documented incident management procedure to handle a multitude of incident types, including security-related incidents such as a breach scenario. We do not routinely publish information on attacks; however, Sage policy is to comply with our statutory obligations and to follow the guidance from the UK Information Commissioner's Office on breach reporting.

As the Microsoft Azure subscription for this product variant is managed via your partner, for any details pertaining to your deployment/environment, please contact them.

13. How will I be alerted to potential intrusion events and other security threats?

Sage policy is to comply with our statutory obligations and to follow the guidance from the UK Information Commissioner's Office on breach reporting. In addition, our product terms refer to our Data Protection Addendum (available here).

As the Microsoft Azure subscription for this product variant is managed via your partner, for any details pertaining to your deployment/environment, please contact them.

14. What certifications has the application received?

Sage 200 Professional has not received certifications; however, this solution is only available on Azure, and Microsoft has ISO 27001/27002/27018 certification covering all the service components that we use. For details, please see here. Please contact your support provider.

15. Do you perform code reviews?

Code reviews are undertaken on all new/modified code.

16. Do you follow OWASP coding guidelines?

Yes; in addition, all Product Engineering team members must undertake training throughout the year.

17. Do you conduct threat modelling?

Yes, on new features, where appropriate.

18. Do you conduct independent penetration testing?

Yes, we regularly conduct penetration testing via third parties.

We do not share penetration testing results. Sage operates a global Technical Vulnerability Management policy and subsequent processes which define resolution times for technical vulnerabilities based upon the risk category. All items are tracked until closure.

As your partner may have altered the Azure Virtual Machine, you will need to speak to them to see what amendments have been made and what penetration testing they have undertaken.

19. For initial login, do you support whitelisted IPs, MFA, etc.?

For this deployment of the Sage 200 Professional solution, login is via Azure Active Directory. Sage does not handle login processes; this is delegated to Microsoft. Please refer to their documentation for more information.

20. Do you utilise containers or VMs? What hardening mechanisms do they use to protect the OS layer?

Virtual Machines are used for this deployment; these services are further hardened by Sage to remove insecure ciphers from the system. By default, end users of the deployment are not granted administration privileges. Your partner is responsible for securing the environment.

21. Do you follow Microsoft best practices?

Yes, we have regular contact with Microsoft personnel including Microsoft architects.

22. Are containers used for deploying the environment?

No, but we have a pre-production environment which is utilised prior to product deployment.

23. How do they vet employees who will have physical access to the network and compute infrastructure that hosts your application?

No Sage employees have physical access to the network and compute infrastructure that hosts our applications. Our hosting provider, Microsoft, publishes the following on their vetting process:

"All Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history."

They do not publish information for non-US based employees.

As the deployment is on a Partner-owned Azure infrastructure, you will need to liaise with your business partner for details on their access and vetting process.

24. How do they securely delete or destroy my data when requested?

The retention period for customer data following termination of the agreement is defined within our Product Terms.

Sage 200 Product terms are available on the relevant legal pages: UK | IRL

As the data within the deployment is not hosted by Sage you will need to contact your partner for details of their data retention period.

The actual destruction of data is covered by the IT controls of your hosting provider, Microsoft.

25. What browsers are supported?

This deployment works via Azure Virtual Desktop – full details including browser compatibility are available here.

You can access our web screen functionality – further detail in our web portal helpfiles.

26. What compatibility do you have with Google tools and applications?

We provide Google Maps integration and Google Pay; details are available in our helpfiles.

27. What compatibility do you have with Microsoft Office Suite applications?

System requirements are available in our help files; click here to access information on Microsoft Office requirements.

We also provide a connection to the Microsoft Power Platform, which includes Power Apps, Power BI & Power Automate. These licences are not available from Sage; we currently provide a connector to link the applications, details of which can be found here.

28. Is there access on mobile devices?

Yes, full details on the web app are available in our helpfiles.

Additionally, you can access our Web Screens – further detail in our web portal helpfiles.

Lastly your solution in its entirety is accessible via Azure Virtual Desktop – full details including browser compatibility are available here.

29. Is information stored on mobile devices, if so, is it encrypted in transit and at rest?

No.

30. Is two factor authentication possible?

For the core product, no. Additional information is in our Product Help.

For the Sage Provisioning Portal, yes; please refer to our knowledgebase article.

31. How does Sage 200 deal with PCI/DSS compliance?

Further details can be found in this article.

32. Where can I see the Data Protection addendum referenced in the product terms?

Further details can be located at https://www.sage.com/dataprotectionaddendum.

33. Where can I see details on the Sage Privacy Policy?

Further details can be located at https://www.sage.com/en-gb/legal/privacy-and-cookies/.

34. Will you complete an individual security questionnaire for my business/institution?

Unfortunately, it's not possible to provide individual responses. This document is designed to cover all common questions.

Should you have a specific question that this document has not addressed, please speak to your Sage Business Partner.

35. Does Sage 200 send invoice data to any other application/database?

Yes – this will vary depending on what you have activated within your software:

  • If you have a subscription to our payment cloud services, information is shared with them. This includes Stripe, PayPal & GoCardless.
  • If you use Microsoft Outlook payment processing, the payment requests are handled by Microsoft and routed to our payment cloud services.
  • Due to the amendable nature of the product, the use of any 3rd party solution may share data; you will need to speak to your Sage Business Partner and/or 3rd party developer to understand the information that is being shared.

36. How does Sage 200 handle personal data?

Data within the system is the responsibility of the end user to manage to ensure they comply with necessary policies. Further information can be found in our knowledgebase.

GDPR data protection principles and Sage 200

GDPR – individual rights and Sage 200

37. Do you follow W3C coding guidelines?

The Sage 200 Web Portal app is partially compliant with the Web Content Accessibility Guidelines version 2.1 AA standard. Our full Accessibility Statement is available upon request. Please contact [email protected].

38. Who is responsible for operating system upgrades?

Your support provider is responsible for the upgrades connected with operating system changes including service packs and updates. Please contact them to discuss in more detail.

39. How does user management & assignment work, what level of traceability is available?

Login to the portal & application is via Sage ID, which is unique and tied to the individual's email address. Additional user setup, maintenance & monitoring are the responsibility of the end user; Sage (or your partner) will create the initial user, which is the individual who agrees to the product terms.

Login to your product is via Active Directory.

The following links will also assist:

The application includes an audit trail which outlines the activity undertaken by each user. In addition, the portal contains logs and audits to show a variety of activity.

In all cases, the addition of a user to your site will send the administration level user(s) a notification email. You should review the notification.

Where you are serviced by a business partner, they need to get consent from the site admin to access your site with partner level authority.

Customers should ensure that user access is regularly reviewed in line with their business processes.

40. Is there a backup procedure process & strategy?

The provisioning portal takes automated rolling backups on 7-day, 1-month and annual cycles. You also have 5 additional manual backup slots: you can take a fresh manual backup at any time, or move one of the automated backups into a slot in order to keep it longer than the rolling cycle.

We encourage customers to instigate their own backup strategy using the provisioning portal and not rely solely on the automated process – you can find out more in the helpfiles.

Backups are encrypted at rest and in transit. They are only exported on demand, at which point the file contents themselves are unencrypted, but only accessible via a signed URL.

As the deployment is on a Sage Partner's Azure infrastructure, they may schedule additional backups; we advise you speak to them for clarity on this.

41. Does the application have records of processing?

There is an audit trail which details who entered invoices (and other transaction types).

Transaction Audit Trail list – Helpfiles information:

Transaction Audit File which is accessible within the application.

42. Are you able to share the service availability history?

Yes, this is available on our website https://my.sage.co.uk/support/sage-200/availability.aspx. For this deployment this is in reference to the Sage Provisioning Portal only and not to the core Sage 200 application as the virtual machine deployment is not on Sage’s Azure subscription.

43. How do you inform customers of maintenance windows and/or service disruption?

  • Maintenance windows have a provision within our product terms for every Friday evening; we do not utilise all of these periods and will provide an in-product message for maintenance windows, including those not taking place on a Friday.
  • Maintenance announcements are also put onto our Service Status page - https://status.sage.com/
  • If there is an incident, as we may not be able to communicate with you via our in-product page, we will utilise one or more of the following options:
    • In-product messaging
    • Service status page - https://status.sage.com/
    • Email to all administration users set up within the Sage Provisioning Portal.
    • Email to all users set up within the Sage Provisioning Portal.
    • For direct customers, messaging on our telephony system.

As the deployment is on a Sage Partner's Azure infrastructure, they may schedule additional maintenance; we advise you speak to them for clarity on this.

44. Can the Microsoft SQL server database be encrypted?

It is not practical or feasible for us to test Sage 200 Professional on all configurations. We do not test Sage 200 Professional with an encrypted Microsoft SQL Server database. If you wish to enable encryption on Microsoft SQL Server, you will need to test this configuration yourself.

45. Do you support Active Directory?

Sage does not offer support for Active Directory. Your Sage business partner supports Active Directory in this instance.

46. How does Sage 200 Professional authenticate?

Sage 200 Professional uses AAD (Azure Active Directory) for authentication. It will use the credentials of the user currently logged into Windows for authentication.

47. Can Sage 200 Professional force the user to enter their password at logon time?

Yes. Enforce Login can be enabled in the System Administration tool - Helpfile information.

48. What version of the library XXXX does Sage 200 Professional use?

We don't publish version numbers of third party libraries we use within Sage 200 Professional.

49. Does Sage 200 Professional allow browsing to any web application directories?

No, this is turned off within IIS.

50. Do the Sage 200 Professional web services allow X-Frame-Options?

No. The X-Frame-Options header is set to deny on the IIS services, which does not allow the pages to be rendered in a frame or iframe.
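As an added illustration (this is not Sage's own configuration), the IIS web.config fragment below shows how the two controls described in questions 49 and 50 are typically applied to a site: directory browsing disabled, and an X-Frame-Options: DENY response header added to every response. The site and file names are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config for an IIS site (illustrative, not shipped by Sage 200). -->
<configuration>
  <system.webServer>
    <!-- Q49: never list the contents of a directory that has no default document. -->
    <directoryBrowse enabled="false" />

    <httpProtocol>
      <customHeaders>
        <!-- Q50: remove any inherited value first so the header is not duplicated,
             then deny framing by any origin (clickjacking protection). -->
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The same settings can be verified on a running host from IIS Manager (Directory Browsing and HTTP Response Headers features of the site) or by inspecting a response for the header with browser developer tools.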
