SugarCloud Geography and Data Residency

SugarCloud utilizes AWS across the globe. Clients choose the region they want to contain their data, and the data stays within that region.

We use the following regions:

  • Sydney, Australia
  • Montreal, Canada
  • Frankfurt, Germany
  • Singapore
  • London, United Kingdom
  • Portland, Oregon, United States
SugarCloud Platform Architecture

The SugarCloud platform is built on AWS.

SugarCloud utilizes a stack that consists of a web frontend, multiple services and processing layers, and databases. API access is authenticated and all services require encryption.

Learn more about AWS Certifications

Cloud Security

SugarCRM maintains a comprehensive Information Security Program which includes following the latest Cloud Security best practices. SugarCloud uses industry standard encryption algorithms and data is encrypted both in transit and at rest.

All data in the SugarCloud Development, Test and QA environments is anonymized and sanitized to support secure development, patching, fixes and penetration testing.

For more information about our security program:

View our FAQs

Data Retention

SugarCloud maintains an active data retention policy and retains or deletes all data in accordance with applicable laws and compliance requirements.

If a Sugar customer decides to leave Sugar, they have access to their data for up to 90 days, unless otherwise requested. After the 90 days, customer data will be permanently deleted.

Data Access and Data Flow

Data at Sugar is restricted from access by non-authorized personnel.

Multi-Factor authentication is used on all systems, for all access points, at all times. All data access is logged and monitored. 

As mentioned, Sugar has multiple global geographic regions that serve customers. The data flow inside each region is the same. This is a high-level view of the Data Flow in any region.

SugarCloud Availability Program

The SugarCloud Platform is highly available, relying on AWS infrastructure for uptime and tools for availability. Since all data is restricted within each region, all backups and availability requirements stay within each region as well. Each client front end, services, and database is constantly replicated across multiple data centers within the same region to ensure availability even if one data center experiences issues.

SugarCloud Development Security Program

Our code is rigorously tested and secured through a comprehensive SDLC program. All code is continuously tested, gaps remediated, and retested. Once code has passed all tests and retests, it is put through QA and logic tests. Once it passes all those tests, it is put into an environment to be pen tested.

SugarCRM has a bug bounty program in place.

Learn More

Client Access Control and Authentication

The SugarCloud Platform provides Role Based Access Control, configurable by the client. Client access is logged to the platform and reviewable by the client.

SugarCloud integrates with third-party identity and access systems to allow MFA, single sign on, federated sign on, and other client required access control mechanisms.

Single Sign-On (SSO)

SugarCloud provides LDAP, SAML, and OIDC support for single sign-on for both mobile and web as another option for centralized management of passwords across multiple systems. SugarCloud supports external SSO providers for customers who prefer to perform authentication on their intranet and then be redirected to SugarCloud. The SugarCloud SSO solution integrates with any external Identity Management Services.

Learn More

Sugar Compliance Program

Sugar is SOC 2 Type II compliant. A copy of the report is available to download here.

Sugar also maintains a privacy compliance program which includes GDPR, CCPA, and the Data Privacy Framework.

Sugar is also ISO 27001 certified.

Our information security program is aligned to the CSA Cloud Controls Matrix and we are listed on the STAR Registry. To review our questionnaire, click here.

Sugar has several resources to help you in securing your solution and configuring privacy within each product.

Sugar Sell, Serve, Enterprise, and Pro

Access security, configuration, and other information on securing access to resources and application can be found below.

View Documentation

Also, as you are working to customize Sugar, the Visibility Framework and Teams model ensure your data remains private within your organization. For more information, please refer to link below.

View Documentation


Hint, Sugar Mobile, and SugarPredict

These products share the Visibility framework and CRM access from Sugar Sell, Serve, Enterprise and Pro. Please refer to the information above.

Sugar Mobile can further be configured to leverage your organization’s Mobile Device Management via the Mobile Application Configuration Services (MACS) component.

View Documentation


Sugar Connect

For information concerning account and user configuration, please refer to link below.

View Documentation

When users are working with Sugar data in the side panel, Sugar Connect leverages the Visibility Framework described above.


Sugar Discover

For information on Discover access rules and configuration.

View Documentation


Sugar Market

For information about Market user management and role access.

View Documentation

SugarCRM Information Security Program

Sugar maintains a third-party risk, vendor management, and services review program. We vet all external suppliers of services and software to ensure they meet our security and compliance requirements.

Sugar has implemented and maintains a global import/export third-party review system that continuously reviews international compliance for partners, vendors, employees, contractors and customers.