SugarCloud Geography and Data Residency

SugarCloud utilizes AWS across the globe. Clients choose the region they want to contain their data, and the data stays within that region.

We use the following regions:

  • Sydney, Australia
  • Montreal, Canada
  • Frankfurt, Germany
  • Singapore
  • London, United Kingdom
  • Portland, Oregon, United States
SugarCloud Platform Architecture

The SugarCloud platform is built on AWS.

SugarCloud utilizes a stack that consists of a web frontend, multiple services and processing layers, and databases. API access is authenticated and all services require encryption.

Learn more about AWS Certifications


All data at SugarCRM is encrypted in transit and at rest. SugarCloud requires the latest and most-secure encryption algorithms available.

All data in the SugarCloud Development, Test, and QA environments are anonymized and sanitized to allow for development, patching, fixes, code and penetration testing.

Data Retention

SugarCloud maintains an active data retention policy and retains or deletes all data in accordance with applicable laws and compliance requirements.

If a Sugar customer decides to leave Sugar, they have access to their data for up to 90 days, unless otherwise requested. After the 90 days, customer data will be permanently deleted.

Data Access and Data Flow

Data at Sugar is restricted from access by non-authorized personnel.

Multi-Factor authentication is used on all systems, for all access points, at all times. All data access is logged and monitored. 

As mentioned, Sugar has multiple global geographic regions that serve customers. The data flow inside each region is the same. This is a high-level view of the Data Flow in any region.

SugarCloud Availability Program

The SugarCloud Platform is highly available, relying on AWS infrastructure for uptime and tools for availability. Since all data is restricted within each region, all backups and availability requirements stay within each region as well. Each client front end, services, and database is constantly replicated across multiple data centers within the same region to ensure availability even if one data center experiences issues.

SugarCloud Development Security Program

Our code is rigorously tested and secured through a comprehensive SDLC program. All code is continuously tested, gaps remediated, and retested. Once code has passed all tests and retests, it is put through QA and logic tests. Once it passes all those tests, it is put into an environment to be pen tested.

SugarCRM has a bug bounty program in place.

Learn More

Client Access Control and Authentication

The SugarCloud Platform provides Role Based Access Control, configurable by the client. Client access is logged to the platform and reviewable by the client.

SugarCloud integrates with third-party identity and access systems to allow MFA, single sign on, federated sign on, and other client required access control mechanisms.

Single Sign-On (SSO)

SugarCloud provides LDAP, SAML, and OIDC support for single sign-on for both mobile and web as another option for centralized management of passwords across multiple systems. SugarCloud supports external SSO providers for customers who prefer to perform authentication on their intranet and then be redirected to SugarCloud. The SugarCloud SSO solution integrates with any external Identity Management Services.

Learn More

Sugar Compliance Program

We are SOC2 Type2 Compliant at Sugar. Our most recent certification is the year ending March 1, 2022

Sugar maintains a GDPR compliance program, and all details can be reviewed as part of the Privacy program.

Our SOC2 report is available upon request. Contact us here.

SugarCRM Information Security Program

Sugar maintains a third-party risk, vendor management, and services review program. We vet all external suppliers of services and software to ensure they meet our security and compliance requirements.

Sugar has implemented and maintains a global import/export third-party review system that continuously reviews international compliance for partners, vendors, employees, contractors and customers.