Summary
Description
We keep this security FAQ under regular review and may update it from time to time to reflect current practices. This version was last updated in August 2024.
NOTE: If your support is provided through one of our business partners, you should discuss this topic with them as well as reviewing this document. They will be able to share their own processes and procedures around user access and data.
Similarly, if you use third-party applications, you will need to discuss with their developers how those applications work and what processes and procedures they follow.
Resolution
1) When data is synchronised from Sage 200 to the Sage Network, where is the data physically stored?
Data is first brought into Azure Blob Storage containers by the Connector Services, then processed and routed to the service and storage appropriate to each entity type:
- Invoice and payment data – Accounting Data Service (ADS), Azure SQL Database
- Customer/contact data – Directory Services, AWS DynamoDB
- Accounts/company data – Accounts Service/SXP, MySQL on AWS
2) Is it secure?
Yes. All components of the Sage Network platform undergo regular security testing, including external penetration testing by specialist security partners.
Sage Network uses Sage ID (Auth0) for user authentication into the application and for API authentication. Magic links are issued through Microsoft's Azure B2C. Each link carries a token signed with a secret key held in a digital vault (Azure Key Vault; see question 10) and scoped to a specific user and their company.
3) What processes are in place in case of outage or downtime events?
An incident management process is in place for all four components (Accounting Data Service, Directory Services, Accounts Service and Connectors). It provides regular status updates on the incident to customers and stakeholders.
4) Can we obtain a copy of your incident processes?
We do not provide copies of our incident processes.
5) Is the Sage Network accredited? If so, which industry standard(s)?
a. The Sage Network (ADS, Directory Services, Accounts Service, Connectors, etc.) is not accredited at present.
6) Can you provide regular SAS 70 Type II or SSAE 16 Type II reports?
SOC 2 reporting (the current successor to SAS 70 and SSAE 16 reporting) is the intended direction for all Sage services used in the Sage Network (ADS, Directory Services, Accounts Service and Connectors), but SOC 2 reports are not yet available.
7) Is traffic to and from the cloud service encrypted? If so, at what level?
Yes. All traffic into and out of the cloud service is encrypted using HTTPS with TLS 1.2 or higher.
8) If data resides on local hardware, is it encrypted at rest?
No local hardware is used. All data at rest in the cloud is encrypted, and all data in transit uses HTTPS with TLS 1.2 or higher.
9) What happens if I disconnect from the Sage Network?
a. ADS: There is currently no process or plan for offboarding customers from ADS. Data remains securely held in ADS until a request to remove it is received.
b. Directory Services: There is currently no process or plan for offboarding customers from Directory Services. Data remains securely held in Directory Services until a request to remove it is received.
c. Accounts Service: Following off-boarding, a 'soft delete' period of six months begins, during which customer data is entirely inaccessible but the account is recoverable by its owner. If the account has not been recovered after six months, the account data is hard deleted.
d. Connectors: There is currently no process or plan for offboarding customers from Connectors. Data remains securely held in ADS until a request to remove it is received.
NOTE: The Sage Network Platform is working on an automated offboarding policy and mechanism across the entire platform. It will be implemented soon and will follow the Accounts Service approach (a short-term soft delete during which data is entirely inaccessible but the account is recoverable by its owner, followed by a hard delete).
10)Do you have more information on how the Magic Link works?
a. ADS: Magic links are created using a key exchanged between the ADS API and Azure B2C. When the API creates a magic link, it uses a signing key held in Azure Key Vault to produce a signed JSON Web Token (JWT) containing specific claims. Azure B2C decodes that token and converts it into a standard JWT that the API and the app use to authenticate and authorise the user.
b. Directory Services: N/A – Magic Links are not related to Directory Services.
c. Accounts Service: N/A – Magic Links are not related to the Accounts Service.
d. Connectors: N/A - Magic Links are not related to Connectors.
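The following Python is an added illustration of the token flow described in 10a; it is not Sage code, and the real claim names, key type and Key Vault integration are not published in this FAQ. It mints a short-lived, single-use signed JWT bound to one user and one company, then verifies it the way the relying party should: algorithm pinned, signature checked before any claim is trusted, issuer/audience/expiry checked, and the token id (jti) recorded so a link cannot be replayed. An in-memory HS256 key stands in for the signing key the text says is held in Azure Key Vault; the issuer, audience, claim names and identifiers are all constructed for the example.

```python
"""Illustrative magic-link token: mint and verify a signed JWT (stdlib only).

Constructed example, not Sage code. In the described flow the signing key
lives in Azure Key Vault and Azure B2C consumes the token; here an in-memory
HS256 key stands in for that key and a set() stands in for a replay store.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class MagicLinkIssuer:
    """Mints single-use, short-lived tokens bound to one user and one company."""

    def __init__(self, signing_key: bytes, issuer: str, audience: str, ttl_seconds: int = 900):
        self.key = signing_key          # stand-in for the Key Vault signing key
        self.issuer = issuer
        self.audience = audience
        self.ttl = ttl_seconds          # magic links should live minutes, not days
        self._used_jti: set = set()     # stand-in for a shared replay store

    def mint(self, user_id: str, company_id: str, now: Optional[float] = None) -> str:
        now = int(time.time() if now is None else now)
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {
            "iss": self.issuer,
            "aud": self.audience,
            "sub": user_id,
            "company": company_id,              # hypothetical claim name
            "iat": now,
            "exp": now + self.ttl,
            "jti": secrets.token_urlsafe(16),   # unique id makes the link single-use
        }
        signing_input = f"{b64url_encode(_json_bytes(header))}.{b64url_encode(_json_bytes(claims))}"
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url_encode(sig)}"

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        """Return the claims, or raise ValueError naming the reason for rejection."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, p, s = parts
        header = json.loads(b64url_decode(h))
        # Pin the algorithm: never let the token choose it (blocks alg=none and key confusion).
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")   # checked before any claim is trusted
        claims = json.loads(b64url_decode(p))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            raise ValueError("wrong issuer or audience")
        if now >= claims.get("exp", 0):
            raise ValueError("expired")
        jti = claims.get("jti")
        if not jti or jti in self._used_jti:
            raise ValueError("replayed")
        self._used_jti.add(jti)
        return claims


def forge_company_claim(token: str, company_id: str) -> str:
    """Attacker-side helper: rewrites the company claim but cannot re-sign."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["company"] = company_id
    return f"{h}.{b64url_encode(_json_bytes(claims))}.{s}"


def strip_signature(token: str) -> str:
    """Attacker-side helper: the classic alg=none downgrade attempt."""
    _, p, _ = token.split(".")
    return f"{b64url_encode(_json_bytes({'alg': 'none', 'typ': 'JWT'}))}.{p}."


if __name__ == "__main__":
    issuer = MagicLinkIssuer(b"constructed-demo-key", "https://ads.example/api", "https://b2c.example/tenant")
    tok = issuer.mint("user-123", "company-456")
    print("valid:", issuer.verify(tok)["sub"])
    for label, bad in [("forged", forge_company_claim(tok, "company-999")),
                       ("alg=none", strip_signature(tok)),
                       ("replay", tok)]:
        try:
            issuer.verify(bad)
        except ValueError as e:
            print(f"{label}: rejected ({e})")
```

Running the block prints one accepted token and three rejections (forged claim, alg=none, replay). In the deployed flow the verifying side is Azure B2C rather than the issuing API, so the verification key would have to be shared with it, or, with an asymmetric signing key, only the public half distributed; likewise the jti replay store must be shared across API instances rather than kept in a process-local set.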
11) Which technology stack does the Sage Network follow? (for example AWS, C# for business logic, etc.)
a. ADS: Reference architecture is Azure Serverless or Managed Services, using primarily C# for business logic.
b. Directory Services: Reference architecture is AWS Serverless or Managed Services, using primarily C# for business logic.
c. Accounts Service: Reference architecture is AWS Serverless or Managed Services, using primarily C# for business logic.
d. Connectors: Reference architecture is Azure Serverless or Managed Services, using primarily C# for business logic.
12)Do we have a security document which covers everything around the network?
Internal security documents exist for each of ADS, Directory Services, Accounts Service and Connectors. Threat modelling and security sign-off exist for each product/service.
13)Do we have access to analytics for Sage Network?
a. The Sage Network (ADS, Directory Services, Accounts Service, Connectors, etc.) is able to share analytics relating to the above services at this time.
14) Does Sage Network capture browsing time, IP address, etc.?
a. The Sage Network (ADS, Directory Services, Accounts Service, Connectors, etc.) does not capture browsing time, IP address, etc.