Data Privacy in Sugar cloud FAQ

Frequently Asked Questions - Sugar cloud

SugarCRM is helping its cloud customers by implementing many business process changes to address the security and contractual requirements specified in GDPR. If you are a SugarCRM customer hosted in our Sugar cloud, then the content of this document applies to you.

 

SugarCRM's Role in Data Privacy for cloud customers

When it comes to customer data hosted in Sugar cloud, is SugarCRM a controller or a processor?

Under GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. SugarCRM only processes customer data in the hosting infrastructure in accordance with the customer’s instructions. Thus, SugarCRM is a processor of customer data hosted in Sugar cloud; our customers are the controllers.

 

Agreements

How do I update my current agreement with SugarCRM in light of GDPR?

We have a new Data Processing Addendum that will meet the requirements of GDPR. Customers who need to incorporate GDPR provisions in their agreement can do so by following the instructions HERE

 

How can my organization obtain a Data Processing Agreement from SugarCRM?

SugarCRM offers an online Data Processing Agreement to make this a fast and reliable process for our customers. You can find the PDF HERE and have an authorized signatory sign our DPA HERE

Hosting locations of Customer data

Where is customer data hosted in Sugar cloud?

Sugar cloud hosts customer data in 3 regions:

  • US West: Oregon
  • EU: Ireland
  • Australia: Sydney

How do I assess my hosting location if I am a European customer?

If you are a SugarCRM customer in Europe, an easy way to confirm your hosting location is to check your instance's domain name. If your instance has “eu” in its instance domain name, you are hosted in Europe.

I have further questions regarding my hosting location.

If you have specific hosting location questions, please don’t hesitate to reach out to us at dataprivacy@sugarcrm.com for any further clarification.

 

Customer Data Processing

How does SugarCRM treat customer data to meet compliance with GDPR?

SugarCRM continues to treat customer data with the required level of sensitivity and confidentiality. Please review our Privacy Policy and Data Processing Addendum.

Can an EU customer continue to host personal data outside of the EU?

SugarCRM customers in the EU have the ability to transfer personal data outside of the EU. To help achieve an adequate level of protection, SugarCRM Inc. complies with the EU-U.S. Privacy Shield Framework. GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. A Privacy Shield Certification allows US companies, and EU companies working with US companies, to meet this requirement of the GDPR.

How long does SugarCRM retain customer data in Sugar cloud?

SugarCRM retains customer data as long as it provides the service to you. Customers have 120 days to access their customer data after the account has expired. If a customer does not renew in this 120-day period, their data will automatically be purged in an unrecoverable fashion.

 

How does SugarCRM maintain backups of customer data?

Data in Sugar cloud is constantly backed up within a rolling period of 30 days to ensure we can restore access to your data and the service during outages. Our monitoring alerts us to any trouble and we have staff on-call at all times to quickly resolve unexpected incidents.

 

Data Security

What are the technical and security measures at the host location?

Sugar cloud hosts its data on Amazon Web Services, a global leader in Infrastructure as a Service (IaaS). Amazon maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. Their reports can be found on the AWS Compliance website and you can gain further insight into their approach here.

 

Sub-processors

How does SugarCRM ensure obligations of sub-processors are covered in light of GDPR?

All obligations for data processors and sub-processors are covered by contract on behalf of SugarCRM. Any vendor that we use who hosts or has access to our customer data needs to go through a legal and technical review for diligence purposes. Additionally, their reports are reviewed annually, and SugarCRM retrieves the latest copies and verifies them for accuracy.

Questions?

Please reach out to us at dataprivacy@sugarcrm.com