Where is the data physically located?
The primary data centre is in the Republic of Ireland. The secondary data centre is in the Netherlands.
Where are the SQL database administrators (DBAs) and other network support staff based?
Newcastle Upon Tyne, United Kingdom.
In which data centre tier does a particular data set reside?
Our hosting provider, Microsoft, does not publish information on TIA tiering. Details of their certification and compliance can be found here.
What processes are in place in case of disaster or downtime events?
Customer data is backed up to a geographically distant secondary location. Sage has a documented procedure for restoration of service in the event of a disaster and a well-defined incident management procedure in case of smaller service interruptions. We have carried out a business resiliency assessment to understand the risks of disasters affecting Sage facilities.
Data centre equipment failures and protection from environmental risks are covered by the IT controls of our hosting provider, Microsoft. This is an extract from their published documentation:
- The data centers have dedicated 24x7 uninterruptible power supply (UPS) and emergency power support, which may include generators. Regular maintenance and testing is conducted for both the UPS and generators. Data centers have made arrangements for emergency fuel delivery. The data center has a dedicated Facility Operations Centre to monitor the following:
- Power systems, including all critical electrical components – generators, transfer switch, main switchgear, power management module and uninterruptible power supply equipment.
- The Heating, Ventilation and Air Conditioning (HVAC) system, which controls and monitors space temperature and humidity within the data centers, space pressurization and outside air intake. Fire Detection and Suppression systems exist at all data centers. Additionally, portable fire extinguishers are available at various locations in the data center. Routine maintenance is performed on facility and environmental protection equipment.
"Protecting against external and environmental threats and supporting utilities" is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.1.4 and 9.2.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.
Environmental controls have been implemented to protect the data center including:
- Temperature control
- Heating, Ventilation and Air Conditioning (HVAC)
- Fire detection and suppression systems
- Power Management systems
“Protecting against external and environmental threats” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 9.1.4. For more information, a review of the publicly available ISO standards we are certified against is suggested.
Are you accredited? If so, which industry standard(s)?
Our hosting provider, Microsoft, has ISO27001/27002/270018 certification covering all the service components that we use. For details, please see here. Sage 200 Extra Online itself is not accredited, but Sage operates an internal IT controls framework covering security and continuity of service. Sage 200 Extra Online has been audited against this controls framework.
Can you provide regular SAS 70 type II reports or SSAE16 Type II reports?
Our hosting provider, Microsoft, provides SOC 1 Type 2 and SOC 2 Type 2 reports on request for customers.
Is traffic to and from the cloud service encrypted? If so, at what level?
Traffic to and from the cloud services is encrypted at the transport level (HTTPS).
If data resides on local hardware, is it encrypted at rest?
Classified data residing on local hardware is encrypted at rest.
What types of Intrusion Detection Systems are being used, if any?
All incoming traffic passes through a network-based IPS/IDS. Network traffic inside the data centre is monitored by our hosting provider, Microsoft.
Have there been attacks in the past? If so, how were the attacks managed and was data compromised?
Sage operates a documented security incident management procedure. We do not routinely publish information on attacks; however, Sage policy is to comply with our statutory obligation and to follow the guidance from the UK Information Commissioner's Office on breach reporting.
How will I be alerted to potential intrusion events and other security threats?
Sage policy is to comply with our statutory obligation and to follow the guidance from the UK Information Commissioner's Office on breach reporting.
What certifications has the application received?
Sage 200 Extra Online has not received certifications; however, our hosting provider, Microsoft, has ISO27001/27002/270018 certification covering all the service components that we use. For details, please see here.
Is there access on mobile devices?
Is information stored on mobile devices? If so, is it encrypted in transit and at rest?
Not applicable (see previous point).
Can information be remotely wiped in the event of theft or loss?
Not applicable (see previous two points).
How do they vet employees who will have physical access to the network and compute infrastructure that hosts your application?
No Sage employees have physical access to the network and compute infrastructure that hosts our applications. Our hosting provider, Microsoft, publishes the following on their vetting process:
"All Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process. Background checks may include but are not limited to review of information relating to a candidate's education, employment, and criminal history."
They do not publish information for non-US based employees.
How do they securely delete or destroy my data when requested?
The retention period for customer data following termination of the agreement with a customer is 40 days. Within this period, a customer can request a recent backup copy of their data. After this period it will be deleted. The actual destruction of data is covered by the IT controls of our hosting provider, Microsoft. This is an extract from their published documentation:
"Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can't be wiped we use a destruction process that destroys it (i.e. shredding) and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained."
"All Windows Azure services utilise approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle."
“Secure disposal or re-use of equipment and disposal of media” is covered under the ISO 27001 standards, specifically addressed in Annex A, domains 9.2.6 and 10.7.2. For more information, a review of the publicly available ISO standards we are certified against is suggested.
What browsers are supported?
Internet Explorer 10 and 11, Google Chrome updated.
What compatibility do you have with Google tools and applications?
What compatibility do you have with Microsoft Office Suite applications?
Microsoft Office 2010 SP2 (32-bit only) - Standard, Professional and Professional Plus Editions
Microsoft Office 2013 SP1 (32-bit and 64-bit) – Home and Business, Small Business Premium, Professional Plus, and Enterprise Editions
Is two-factor authentication possible?