Sage CRM 2020 R1: Data Protection

This article has been prompted by a customer's questions as they completed a Data Protection Impact Assessment.  A Data Protection Impact Assessment (DPIA) is a process to identify and minimise the data protection risks of a project. 

I have discussed the general approach to Sage CRM's architecture and security in previous articles.

Are there retention and disposal measures defined for the contents in Sage CRM?

Data retention and disposal measures that satisfy local legal requirements are the responsibility of the customer. However, Sage CRM does provide features that allow customers to configure the system to meet the requirements of legislation such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Please do refer to the Help Centre for details of documentation for supported versions of Sage CRM.
Sage has also created a very good guide that explains how Sage CRM can help a customer meet their obligations under GDPR:

https://help.sagecrm.com/on_premise/en/GDPR/SageCRM_and_GDPR_Overview.pdf

The following information on Sage City may also be helpful:

  • How personal data flows into Sage CRM
  • The management of consent
  • How do you know if data has been shared with another system?
  • The right to be forgotten and the anonymization of data

Is the Sage CRM database encrypted? If yes, what kind of encryption is used?

The Sage CRM database is not encrypted, except for passwords.

Sage CRM hashes the passwords held in the database. Hashing in Sage CRM 2019 R1 uses the bcrypt algorithm.

  • Sage CRM 2019 R1: Increased user password security

Is the personal data in transit encrypted? (The flow of data between the database and Sage CRM)

By default, the data in transit between the application and the database is not encrypted.

Sage CRM can be installed on either the same server as the database or on a separate server.

If you're installing Sage CRM on a separate machine to the database server, you must install Microsoft SQL Client Tools to connect Sage CRM to the database server. The Microsoft SQL client tools are installed as part of SQL Server Management Studio (SSMS).

It may be possible to enable encrypted connections to the Database Engine, but Sage does not test with SQL encryption and therefore cannot provide support for this:
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-ver15
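
For a DPIA it helps to record what the current connections actually do. The query below is an added example, not from Sage or the original article. It uses SQL Server's standard dynamic management views to list client connections and whether each one is encrypted. Which rows belong to Sage CRM has to be identified from the host, program and login names in your own environment.

```sql
-- Added example: run on the SQL Server instance that hosts the Sage CRM database.
-- Requires the VIEW SERVER STATE permission.
-- Groups current client connections by origin and shows whether each group
-- is using an encrypted connection to the Database Engine.
SELECT
    s.host_name,                   -- client machine name, as reported by the client
    s.program_name,                -- application name, as reported by the client
    s.login_name,
    c.client_net_address,
    c.net_transport,               -- e.g. TCP, Shared memory, Named pipe
    c.auth_scheme,
    c.encrypt_option,              -- 'TRUE' when the connection is encrypted
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1        -- ignore SQL Server's own system sessions
GROUP BY
    s.host_name,
    s.program_name,
    s.login_name,
    c.client_net_address,
    c.net_transport,
    c.auth_scheme,
    c.encrypt_option
ORDER BY
    c.encrypt_option,              -- unencrypted ('FALSE') groups sort first
    s.host_name;
```

Rows with `net_transport` of `Shared memory` come from clients on the database server itself and do not cross the network. Rows with `TCP` and `encrypt_option` of `FALSE` are the ones carrying data between servers unencrypted.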
