SugarCloud Geography and Data Residency
SugarCloud runs on AWS infrastructure around the globe. Clients choose the region in which their data is stored, and the data stays within that region.
We use the following regions:
- Sydney, Australia
- Montreal, Canada
- Frankfurt, Germany
- Singapore
- London, United Kingdom
- Portland, Oregon, United States
Compliance
STAR Registry Listing
Our services are listed on the Cloud Security Alliance STAR Registry, affirming our commitment to cloud security best practices and transparent reporting as guided by the STAR Level One self-assessment.
Data Privacy Framework
Our adherence to the Data Privacy Framework emphasizes our robust data governance and protection strategies, demonstrating our commitment to maintaining the highest standards of privacy for our clients across borders.
CCPA
Fully compliant with the California Consumer Privacy Act, we ensure the rights of consumers are at the forefront, providing transparent data practices, control, and security that meet stringent CCPA requirements.
ISO/IEC 27001:2022
We are ISO/IEC 27001:2022 certified and prioritize safeguarding our clients’ data, minimizing risks and ensuring operational excellence with the latest international standards.
SOC 2 Type II
Our Service Organization Control (SOC) 2 Type II certification highlights our ongoing commitment to trust service principles, including security, availability, processing integrity, confidentiality, and privacy of customer data.
GDPR
Dedicated to upholding the strict privacy and security laws of the GDPR, our processes and systems are GDPR compliant and designed to protect personal data in accordance with European data protection regulations.
The SugarCloud platform is built on AWS.
SugarCloud uses a stack consisting of a web frontend, multiple service and processing layers, and databases. API access is authenticated, and all services require encrypted connections.
SugarCRM maintains a comprehensive Information Security Program which includes following the latest Cloud Security best practices. SugarCloud uses industry standard encryption algorithms and data is encrypted both in transit and at rest.
All data in the SugarCloud Development, Test and QA environments is anonymized and sanitized to support secure development, patching, fixes and penetration testing.
For more information about our security program:
SugarCloud maintains an active data retention policy and retains or deletes all data in accordance with applicable laws and compliance requirements.
If a Sugar customer decides to leave Sugar, they have access to their data for up to 90 days, unless otherwise requested. After the 90 days, customer data will be permanently deleted.
Access to data at Sugar is restricted to authorized personnel.
Multi-factor authentication is used on all systems, for all access points, at all times. All data access is logged and monitored.
As mentioned, Sugar has multiple global geographic regions that serve customers. The data flow inside each region is the same. This is a high-level view of the Data Flow in any region.
The SugarCloud Platform is highly available, relying on AWS infrastructure for uptime and AWS tooling for availability. Since all data is restricted to its region, all backups and availability mechanisms stay within that region as well. Each client's front end, services, and database are continuously replicated across multiple data centers within the same region, so availability is maintained even if one data center experiences issues.
Our code is rigorously tested and secured through a comprehensive SDLC program. All code is continuously tested, gaps are remediated, and the code is retested. Once code has passed all tests and retests, it is put through QA and logic tests. Once it passes those as well, it is deployed to an environment where it is penetration tested.
SugarCRM has a bug bounty program in place.
The SugarCloud Platform provides Role Based Access Control, configurable by the client. Client access to the platform is logged and reviewable by the client.
SugarCloud integrates with third-party identity and access systems to allow MFA, single sign on, federated sign on, and other client required access control mechanisms.
SugarCloud provides LDAP, SAML, and OIDC support for single sign-on on both mobile and web, as another option for centralized management of passwords across multiple systems. SugarCloud supports external SSO providers for customers who prefer to authenticate on their own intranet and then be redirected to SugarCloud. The SugarCloud SSO solution integrates with any external Identity Management service.
Sugar is SOC 2 Type II compliant. A copy of the report is available to download here.
Sugar also maintains a privacy compliance program which includes GDPR, CCPA, and the Data Privacy Framework.
Sugar is also ISO 27001 certified.
Our information security program is aligned to the CSA Cloud Controls Matrix and we are listed on the STAR Registry. To review our questionnaire, click here.
Non-Disclosure Agreement
This Non-Disclosure Agreement (this “Agreement”) is a binding contract between you (“you,” or “Recipient”) and SugarCRM Inc. (“Sugar”). This Agreement governs your access to and review of Sugar’s SOC 2 Type II report (the “Report”).
THIS AGREEMENT TAKES EFFECT WHEN YOU CLICK THE “I ACCEPT” BUTTON BELOW (THE “EFFECTIVE DATE”). BY CLICKING ON THE “I ACCEPT” BUTTON BELOW YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT AND, IF ENTERING INTO THIS AGREEMENT ON BEHALF OF AN ORGANIZATION, CORPORATION, GOVERNMENTAL ORGANIZATION, OR OTHER LEGAL ENTITY, YOU CERTIFY THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ENTITY; AND (C) ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS.
IF YOU AGREE TO THESE TERMS, PLEASE SELECT THE “I AGREE” BUTTON BELOW. IF YOU DO NOT ACCEPT THESE TERMS, YOU MAY NOT ACCESS OR USE THE REPORT.
If you are a current direct Sugar customer with an active master subscription agreement, or you entered into a written mutual non-disclosure agreement with Sugar that is currently active, then the terms of the applicable master subscription agreement or non-disclosure agreement will supersede, govern, and control.
Sugar agrees to allow Recipient access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:
- “Affiliates” means a business entity now or hereafter controlled by, controlling or under common control with a party. “Control” exists when an entity owns or controls directly or indirectly 50% or more of the outstanding equity representing the right to vote for the election of directors or other managing authority of another entity.
- The Report is Sugar’s proprietary and confidential information. Sugar may disclose to Recipient, or Recipient may otherwise receive access to, the Report. Recipient will use the Report solely for the purpose of Recipient’s internal examination of Sugar’s controls relevant to security. Recipient will not disclose or permit access to the Report other than to its Affiliates and their respective directors, officers, employees, consultants, contractors, and agents (collectively, “Representatives”) who: (a) have a need to know or access the Report; (b) know of the existence and terms of this Agreement; (c) are directed to protect the Report from unauthorized use and disclosure; and (d) are bound by a written confidentiality agreement or confidentiality obligations no less protective of the Report than the terms contained herein. Recipient will safeguard the Report from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its most sensitive information and no less than a reasonable degree of care. Recipient will promptly notify Sugar of any unauthorized use or disclosure of the Report and take all steps to prevent further use or disclosure. Recipient will be responsible for any breach of this Agreement caused by its Representatives.
- If Recipient or any of its Representatives is required by a valid legal order to disclose the Report, Recipient will, before such disclosure, notify Sugar of such requirements so that Sugar may seek a protective order or other remedy, and Recipient will reasonably assist Sugar therewith. If Recipient remains legally compelled to make such disclosure, it will: (a) only disclose that portion of the Report that, in the written opinion of its legal counsel, Recipient is required to disclose; and (b) use reasonable efforts to ensure that the Report is afforded confidential treatment.
- On the expiration of this Agreement or otherwise at Sugar’s request, Recipient will promptly destroy the Report in its and its Representatives’ possession and certify in writing to Sugar the destruction of the Report.
- Sugar has no obligation under this Agreement to disclose the Report. The Report is provided “AS IS” and without any warranty, express, implied or otherwise, regarding the Report’s accuracy or performance, and Sugar will have no liability to Recipient or any other person relating to Recipient’s use of any of the Report or any errors therein or omissions therefrom. Sugar does not grant any rights or licenses, by implication or otherwise, to any of its copyrights, patents, trademarks, or trade secrets or under any of its copyright, patent, or trademark applications because of its disclosure of the Report to Recipient.
- Recipient (for itself and its successors and assigns) hereby releases Sugar and its Affiliates from any and all claims or causes of action that Recipient has, or hereafter may or will have, against Sugar and its Affiliates in connection with the Report, or Recipient’s access to the Report. Recipient will indemnify, defend and hold harmless Sugar and its Affiliates from and against all claims, liabilities, losses and expenses suffered or incurred by Sugar and its Affiliates arising out of or in connection with (a) any breach of this Agreement by Recipient or its Representatives; and (b) any use or reliance on the Report by any party that obtains access to the Report, directly or indirectly, from or through Recipient or at its request.
- Sugar retains its entire right, title, and interest in and to the Report, and no disclosure of the Report hereunder will be construed as a license, assignment, or other transfer of any such right, title, and interest to Recipient or any other person or entity.
- This Agreement is effective as of the Effective Date and automatically expires one year thereafter; provided, however, that prior to such expiration, either party may terminate this Agreement at any time by written notice to the other. Notwithstanding such expiration or termination, all of Recipient’s and its Representatives’ obligations pursuant to this Agreement will survive with respect to the Report.
- Recipient acknowledges and agrees that any violation of this Agreement may cause irreparable injury to Sugar for which monetary damages alone may not be an adequate remedy. Therefore, Recipient agrees that, in the event of a breach or threatened breach of this Agreement, Sugar will be entitled to specific performance and injunctive or other equitable relief as a remedy for any such breach or anticipated breach without the necessity of proving the inadequacy of legal remedies. Notwithstanding the foregoing, any such relief will be in addition to and not in lieu of any appropriate relief in the way of monetary damages or any other remedies allowed at law or in equity.
- Recipient may not assign or transfer any rights or obligations under this Agreement without the prior written consent of Sugar. Sugar may freely assign or transfer any rights or obligations under this Agreement without the prior written consent of Recipient.
- This Agreement and all matters relating hereto are governed by, and construed in accordance with, the laws of the State of California, without regard to the conflict of laws provisions of such State. Any legal suit, action, or proceeding relating to this Agreement must be instituted in the federal or state courts located in Santa Clara County, California. Recipient irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.
- All notices required or permitted to be made pursuant to this Agreement shall be sufficiently given by mailing the same by certified or registered mail, return receipt requested, by nationally recognized overnight courier or e-mail, to the parties at their respective addresses or at such other addresses as may be substituted by written notification. For Sugar, copies of all notices must be sent to legal@sugarcrm.com.
- No failure or delay in exercising any right, power, or privilege hereunder will operate as a waiver thereof, nor will any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any right, power or privilege hereunder. If any provision of this Agreement is held invalid, the remaining provisions of this Agreement will remain in full force and effect. No modification of, or amendment or addition to this Agreement is valid or binding unless set forth in writing signed by a representative of each party. The waiver or failure of either party to exercise in any respect any right or remedy provided herein will not be deemed a waiver of any future right or remedy hereunder.
- This Agreement is the entire agreement of the parties regarding its subject matter, and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, whether written or oral, regarding such subject matter.
Sugar has several resources to help you in securing your solution and configuring privacy within each product.
Sugar Sell, Serve, Enterprise, and Pro
Information on access security, configuration, and other aspects of securing access to resources and the application can be found below.
Also, as you customize Sugar, the Visibility Framework and Teams model ensure your data remains private within your organization. For more information, please refer to the link below.
Hint, Sugar Mobile, and SugarPredict
These products share the Visibility Framework and CRM access model of Sugar Sell, Serve, Enterprise, and Pro. Please refer to the information above.
Sugar Mobile can further be configured to leverage your organization’s Mobile Device Management via the Mobile Application Configuration Services (MACS) component.
Sugar Connect
For information concerning account and user configuration, please refer to the link below.
When users are working with Sugar data in the side panel, Sugar Connect leverages the Visibility Framework described above.
Sugar Discover
For information on Discover access rules and configuration, please refer to the link below.
Sugar Market
For information about Market user management and role access, please refer to the link below.
SugarCRM Information Security Program
Sugar maintains a third-party risk, vendor management, and services review program. We vet all external suppliers of services and software to ensure they meet our security and compliance requirements.
Sugar has implemented and maintains a global import/export third-party review system that continuously reviews international compliance for partners, vendors, employees, contractors and customers.