Best practices for privacy and security
At Sage Intacct, we understand our customers' needs for privacy and security. As privacy legislation develops and security needs become more complex, Sage Intacct grows to meet these needs.
| Subscription | Company |
|---|---|
| Regional availability | All regions |
| User type | Business user with admin privileges |
Privacy
Privacy guidelines focus on limiting the access to and storage of personal data.
Personal data includes:
- Names
- Addresses
- Dates (start date, end date, date of birth, etc.)
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Account numbers (credit card, ACH, bank, etc.)
- URLs
- IP addresses
Enable SSN masking
Limit who can see employee Social Security numbers when they view or edit an employee record. Select the Employee Social Security Number masking checkbox in your Company settings.
Set appropriate permissions
Be sure to be selective when you give permissions to items that tend to hold sensitive personal data. Notable items include:
- suppliers
- customers
- employees
- contacts
- credit cards
- bank accounts
- bank feeds
Limit storage of personal data
Whenever possible, avoid storing personal data in Sage Intacct. When you must store personal data for business or financial purposes, always use the designated fields and objects that are built for handling sensitive information. Avoid using generic custom fields or objects, which may not have the necessary security measures in place. For example, store customer information only in the customer object. Lastly, avoid making duplicate records.
Learn more about personal data in Sage Intacct.
Don't store attachments with sensitive data
Redact sensitive personal data from attachments before storing them in Sage Intacct. If you need that personal data, encrypt your PDFs with a password to protect them or consider using a separate file management system built to handle your requirements.
Learn more about best practices for attachments.
Security
Security guidelines focus on what users can do in your company, the security of their accounts, and the security of your company and financial records overall.
- Configure your email security if you allow Sage Intacct to send emails on your behalf
- Restrict contacts in Accounts Payable and Accounts Receivable
Set password and login options
By default, all passwords are complex, which means they contain at least one number, one lowercase letter, one uppercase letter, and one special character. Furthermore, passwords are checked to ensure that they do not contain common phrases such as "password."
The table below describes additional password login options available. You can set these on the Login settings section on the Security tab in Company information, or in the User preferences of an individual user. User preferences override company settings.
| Option | Description | Best practice |
|---|---|---|
| Default inactivity duration (Maximum) | Defines how long a user can remain inactive before they're automatically logged out. | Company level: one hour or less. For admins: 15 minutes. |
| Default session duration (Maximum) | Defines how long a user can be logged in for any session before they're automatically logged out, regardless of their activity. | 5-10 hours |
| Reset password | Defines how often passwords must be changed. | Set to Quarterly |
| Minimum length | Defines the minimum number of characters required in a password. | Set to 9 or more |
| Prevent reuse of previous passwords | Prohibits the reuse of previous passwords based on the number that you set. | Set to 12 |
| Maximum login attempts per day | Defines the maximum number of login attempts allowed in a 24-hour period before the user is locked out. | Set to 5 or less |
| Enforce IP address filters | Restricts login access to Sage Intacct based on a list of IP addresses, such as an IP address range from your corporate office. | Enforce at the user level for admins and for Web Services users that use the API. Also consider enforcing for users with access to sensitive financial data. |
| Enable 2-step verification | Another common name for this is multi-factor authentication (MFA). This option is enabled by default. Two-step verification mitigates the risk of compromised passwords, which can result in unauthorized access to Sage Intacct. | Don't allow trusted devices for admins and other users with access to sensitive financial and personal data. |
| Enable single sign-on | If you have an SSO provider, Sage Intacct offers centralized login with SAML 2.0. If you choose SSO for authentication, Sage Intacct directs users to your SSO provider and won't challenge them with Sage Intacct credentials and 2-step verification. | Depends on your company. If your company uses an SSO provider, you should also enable multi-factor authentication for your SSO login. |
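The complexity rules described above (at least one digit, one lowercase letter, one uppercase letter, one special character, no common phrases) together with the best-practice minimum length of 9 and a history window of 12 previous passwords can be expressed as a small policy checker. The following is an added example written for this page, not Sage Intacct's own implementation; the blocklist of common phrases and the SHA-256 history digests are constructed for illustration.

```python
import hashlib
import re

# Constructed blocklist of common phrases. The page names "password" as one
# example; the other entries are assumptions for this illustration.
COMMON_PHRASES = ("password", "intacct", "qwerty", "letmein")


def password_meets_complexity(candidate: str, min_length: int = 9) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Rules follow the page: at least one digit, one lowercase letter, one uppercase
    letter, one special (non-alphanumeric) character, no common phrases, and the
    best-practice minimum length of 9 characters.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    for phrase in COMMON_PHRASES:
        if phrase in lowered:
            problems.append(f"contains common phrase '{phrase}'")
    return problems


def _digest(password: str) -> str:
    # Illustrative only: the history here is keyed by a plain SHA-256 digest so the
    # example runs stand-alone. Password storage in a real system uses a slow,
    # salted password hash instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_reused(candidate: str, history: list[str], window: int = 12) -> bool:
    """True if the candidate matches one of the last `window` password digests."""
    return _digest(candidate) in history[-window:]


def accept_new_password(candidate: str, history: list[str],
                        min_length: int = 9, window: int = 12) -> list[str]:
    """Combine complexity and reuse checks; an empty list means the change is allowed."""
    problems = password_meets_complexity(candidate, min_length)
    if is_reused(candidate, history, window):
        problems.append(f"matches one of the previous {window} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history of two earlier passwords for a demonstration user.
    history = [_digest("Old#Secret1"), _digest("Other#Secret2")]
    for attempt in ("Tr0ub4dor&3xample", "MyPassword#2024", "Old#Secret1"):
        print(attempt, "->", accept_new_password(attempt, history) or "accepted")
```

The checker returns every violated rule rather than stopping at the first one, which is what a user-facing error message needs; the reuse check runs only against the last `window` digests so the window can be tightened or widened to match the company setting.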
Use role-based permissions
Permissions let you decide what a user can do and see in Sage Intacct. We highly recommend spending time to understand permissions so that you can decide what the right level of access for each user is in regard to Sage Intacct and your company data.
Although Sage Intacct supports both user and role-based permissions, we recommend using role-based permissions. With role-based permissions, the best practice is to identify specific user roles, assign permissions to that role, and then assign roles to users. If you assign multiple roles to a user, they inherit all the permissions of every role assigned.
Permissions also apply to integrations that rely on API access. The best practice is to create specific roles for any integrations you may use, such as bill.com, and give it only the permissions it needs to work.
Be sure that each role only has the required permissions to complete tasks.
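A user with several roles inherits the union of their permissions, so least-privilege reviews have to be done on the effective set, not on each role in isolation. The following added example (not Sage Intacct's own permission model; role names, user names and permission strings are all constructed) computes effective permissions, lists the permissions an integration role holds beyond what it needs, and, going one step beyond the text, flags users whose combined roles let them both create and approve the same kind of record.

```python
from typing import Iterable

# Constructed roles and users. Permission names are illustrative and are not
# Sage Intacct's own permission identifiers.
ROLES: dict[str, set[str]] = {
    "ap_clerk": {"ap:bills:create", "ap:bills:view", "suppliers:view"},
    "ap_approver": {"ap:bills:view", "ap:bills:approve", "suppliers:view"},
    "admin": {"company:admin", "users:manage", "roles:manage"},
    # Role created for one integration, as the text recommends.
    "billing_integration": {"ar:invoices:create", "ar:invoices:view", "customers:view"},
}

USERS: dict[str, list[str]] = {
    "alice": ["ap_clerk", "ap_approver"],
    "bob": ["ap_clerk", "admin"],
    "svc_billing": ["billing_integration"],
}


def effective_permissions(user_roles: Iterable[str], roles=ROLES) -> set[str]:
    """Union of the permissions of every role assigned to the user."""
    perms: set[str] = set()
    for role in user_roles:
        perms |= roles[role]
    return perms


def excess_permissions(role: str, required: Iterable[str], roles=ROLES) -> set[str]:
    """Permissions a role grants beyond what the task or integration actually needs."""
    return roles[role] - set(required)


def users_with_permission(permission: str, users=USERS, roles=ROLES) -> list[str]:
    """Sorted list of users whose effective permissions include `permission`."""
    return sorted(u for u, rs in users.items() if permission in effective_permissions(rs, roles))


def conflicting_users(create_perm: str, approve_perm: str, users=USERS, roles=ROLES) -> list[str]:
    """Users who can both create and approve the same kind of record via role inheritance."""
    return sorted(u for u, rs in users.items()
                  if {create_perm, approve_perm} <= effective_permissions(rs, roles))


if __name__ == "__main__":
    print("admins:", users_with_permission("company:admin"))
    print("billing integration excess:",
          excess_permissions("billing_integration", ["ar:invoices:create"]))
    print("create+approve conflicts:", conflicting_users("ap:bills:create", "ap:bills:approve"))
```

Run quarterly alongside the permissions reports, the `users_with_permission` call for an admin-level permission and the `excess_permissions` call for each integration role give a concrete list of accounts to review.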
Use Web Services users and authorizations for API calls
Sage Intacct provides a robust Application Programming Interface (API) which lets other applications, such as bill.com, interact with Sage Intacct programmatically. This flexibility comes with associated risk, so follow these security guidelines.
- Create a Web Services user for any user that only makes API requests. Web Services users are user accounts that can only make API calls to your Sage Intacct company. These types of users can't log in to Sage Intacct through a web browser.
- Manage your Web Services authorizations. Use Web Services authorizations to control which integrations and users are allowed to make API requests to your Sage Intacct company. Only authorize sender IDs that are both identified and approved, and be sure to keep the list up to date.
Manage your content security policy
A content security policy is an added layer of security that helps to detect and mitigate certain types of application attacks, including cross site scripting (XSS) and data injection.
In Sage Intacct, admins can modify certain pages within their company to include third-party content. To allow this flexibility with security in mind, admins modify and apply a content security policy to their company to mitigate the risks of application attacks related to the use of third-party content.
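To make the trade-off concrete: a content security policy is a list of directives, each naming the sources a page may load a kind of content from, and an admin allowing third-party content adds that origin to the relevant directives rather than loosening them with wildcards or `'unsafe-inline'`. The following added example (not Sage Intacct's own policy or settings; the origins and directive choices are constructed) builds a policy from an allowlist and audits an existing policy for sources that would undo its protection against XSS.

```python
from typing import Iterable

# Source expressions that let any script run and so defeat the point of a CSP
# for script-src. Scheme sources such as https: allow every host on that scheme.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def build_csp(allowed_origins: Iterable[str]) -> str:
    """Build a restrictive policy that admits only the named third-party origins."""
    origins = " ".join(sorted(set(allowed_origins)))
    directives = [
        "default-src 'self'",
        f"script-src 'self' {origins}".rstrip(),
        f"frame-src 'self' {origins}".rstrip(),
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "; ".join(directives)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source, ...]}."""
    parsed: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            parsed[parts[0].lower()] = parts[1:]
    return parsed


def audit_csp(policy: str) -> list[str]:
    """Return findings for sources that weaken protection against script injection."""
    findings: list[str] = []
    parsed = parse_csp(policy)
    if "script-src" not in parsed and "default-src" not in parsed:
        findings.append("no default-src or script-src directive; scripts are unrestricted")
    for name in ("default-src", "script-src"):
        for src in parsed.get(name, []):
            if src in RISKY_SOURCES:
                findings.append(f"{name} allows {src}")
    return findings


if __name__ == "__main__":
    # Constructed allowlist: one third-party widget origin an admin has approved.
    policy = build_csp(["https://widgets.example.com"])
    print(policy)
    print("findings:", audit_csp(policy) or "none")
    print("findings:", audit_csp("default-src 'self'; script-src 'self' 'unsafe-inline' https:"))
```

The audit looks at `default-src` as well as `script-src` because `script-src` falls back to `default-src` when it is absent, so a permissive default quietly applies to scripts.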
Configure your email security if you allow Sage Intacct to send emails on your behalf
You can configure Sage Intacct so that invoices, statements, and other information sent via email appear to be sent from your company instead of Sage Intacct.
If you configure Sage Intacct in this way, be sure to configure your Sender Policy Framework (SPF) and add your Email Sender Key (also known as DKIM) to your domain's TXT records. This practice helps mitigate the likelihood that your emails would be treated as spam by your customers or other receiving parties.
Learn how to configure your Enhanced email delivery service domain settings.
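Both records are plain DNS TXT strings, so the most common mistakes (a missing include, a permissive `+all`, an empty DKIM key, or exceeding the SPF lookup limit) can be caught before publishing. The following is an added example, not Sage Intacct's tooling; the include hostname is a placeholder to be replaced by the value from your Enhanced email delivery settings, and the DKIM public key is a constructed dummy.

```python
# Constructed sample records. The include hostname is a PLACEHOLDER, not a real
# Sage Intacct sender domain; the DKIM key material is a dummy string.
SENDER_INCLUDE = "include:SAGE-INTACCT-SENDER-PLACEHOLDER.example"
SPF_RECORD = f"v=spf1 mx {SENDER_INCLUDE} -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC-DUMMY-KEY"

# RFC 7208 limits SPF evaluation to 10 DNS-lookup terms (include, a, mx, ptr,
# exists, redirect); receivers treat records that exceed it as a permanent error.
MAX_LOOKUPS = 10


def check_spf(record: str, required_include: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means it looks correct."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    if required_include not in terms:
        findings.append(f"missing {required_include}")
    if terms[-1] not in ("-all", "~all"):
        findings.append("record does not end with -all or ~all; unauthorized senders are not rejected")
    lookups = 0
    for term in terms[1:]:
        t = term.lstrip("+-~?").lower()
        if t in ("a", "mx", "ptr") or t.startswith(
            ("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")
        ):
            lookups += 1
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return findings


def check_dkim(record: str) -> list[str]:
    """Return findings for a DKIM selector TXT record."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    findings: list[str] = []
    if tags.get("v") != "DKIM1":
        findings.append("missing v=DKIM1")
    if not tags.get("p"):
        # An empty p= tag means the key has been revoked, so signatures will fail.
        findings.append("empty public key (p=); this revokes the selector")
    return findings


if __name__ == "__main__":
    print("SPF:", check_spf(SPF_RECORD, SENDER_INCLUDE) or "ok")
    print("DKIM:", check_dkim(DKIM_RECORD) or "ok")
    print("weak SPF:", check_spf("v=spf1 mx +all", SENDER_INCLUDE))
```

Run the checks against the exact strings you intend to publish; they do not resolve DNS, so they catch syntax and policy errors but not a typo in the hostname itself.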
Restrict contacts in Accounts Payable and Accounts Receivable
In Accounts Payable or Accounts Receivable, select the Restrict to contacts related to the selected supplier or Restrict to contacts related to the selected customer option respectively. These options prevent the use of contacts that aren't associated with the customer or supplier record.
Restrict contacts in Order Entry and Purchasing
If you use Order Entry or Purchasing, select the Restrict to contacts related to customer only or Restrict to contacts related to supplier only option respectively. These options prevent the use of contacts that aren't associated with the customer or supplier record.
Reports and tools
Use the following reports and tools to help you monitor privacy and security in your Sage Intacct company. We recommend reviewing the reports on a quarterly basis.
User access report
The User Access report lists all users who attempted to access your company, including those currently logged in.
Permissions reports
There are several permissions reports you can use to analyze user permissions. These reports help you see permissions across the company, for specific users, or help track how permissions for users have changed.
Object audit trail
Everything in Sage Intacct can impact your financial statements, so both internal and external stakeholders need to know how things have changed and who made those changes. The audit trail keeps a record of who made changes to a particular record and when.
Other custom reports
You can always create additional custom reports that provide historical information based on how you use Sage Intacct. Some additional reports you could create include:
- AP supplier invoice approval history
- Purchasing approval history
- Timesheet approval history
- Activity trail for custom objects
- Buy to order history
- Cost change history
- Cost history
- Drop ship history
- GL transaction history
- Landed cost history
- Partner sync log
- Revenue recognition change history
Smart events
You can use Smart events to help you identify both legitimate and suspicious activity in your company. For instance, you can create a Smart event to notify you when a new supplier is created or when a transaction over a certain amount is posted. You could also create a Smart event to notify you when a user is granted admin privileges or a new Web Services user is created.