This article has been prompted by a customer's questions as they completed a Data Protection Impact Assessment. A Data Protection Impact Assessment (DPIA) is a process to identify and minimise the data protection risks of a project.
I have discussed the general approach to Sage CRM's architecture and security in previous articles.
https://help.sagecrm.com/on_premise/en/GDPR/SageCRM_and_GDPR_Overview.pdf
The following information on Sage City may also be helpful.
Is the Sage CRM database encrypted? If yes, what kind of encryption is used?
The Sage CRM database is not encrypted, except for passwords. Sage CRM hashes the passwords it stores in the database. Hashing in Sage CRM 2019 R1 uses the bcrypt algorithm.
Is the personal data in transit encrypted? (The flow of data between the database and Sage CRM)
By default, the data in transit between the application and the database is not encrypted. Sage CRM can be installed on either the same server as the database or on a separate server. If you're installing Sage CRM on a separate machine to the database server, you must install Microsoft SQL Client Tools to connect Sage CRM to the database server. The Microsoft SQL client tools are installed as part of SQL Server Management Studio (SSMS).
It may be possible to Enable Encrypted Connections to the Database Engine, but Sage does not test with SQL encryption and therefore cannot provide support for this.
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15
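
For a DPIA it helps to record what the database server actually reports rather than what the configuration is assumed to be. The query below is an added example, not part of Sage's documentation or tooling; it uses SQL Server's standard dynamic management views to show whether each current network connection is encrypted. The commented-out database name is a placeholder to replace with your own.

```sql
-- Added example: run on the SQL Server instance that hosts the Sage CRM database.
-- Requires the VIEW SERVER STATE permission.
SELECT
    s.host_name,                 -- machine the connection comes from (e.g. the Sage CRM server)
    s.program_name,
    s.login_name,
    c.client_net_address,
    c.net_transport,             -- TCP, Named pipe, Shared memory, Session
    c.encrypt_option,            -- 'TRUE' = encrypted in transit, 'FALSE' = not encrypted
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  -- Shared-memory connections stay on the database server and never cross the network.
  AND c.net_transport <> 'Shared memory'
  -- Optional: limit to one database (placeholder name, replace with yours).
  -- AND DB_NAME(s.database_id) = N'<your_crm_database>'
GROUP BY
    s.host_name, s.program_name, s.login_name,
    c.client_net_address, c.net_transport, c.encrypt_option
ORDER BY
    c.encrypt_option, s.host_name;
```

Rows with encrypt_option = 'FALSE' from the Sage CRM application server confirm the default, unencrypted behaviour described above.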