- 877-968-0600 Call
Coffee Break Demo
Put your feet up and enjoy this live Q&A
Learn how Sage Intacct helps you drive improved business performance — throughout your entire organization.
30 minute demo | Daily 9:00 am PT / Noon ET
Effective Date: May 1, 2018
This policy describes how Sage Intacct, Inc. and its worldwide subsidiaries collect and handle personal information that customers provide through or in conjunction with the Sage Intacct products and services that link to this policy (“Sage Intacct Services”). It also describes your choices regarding use, access and correction of your personal information.
This policy refers to Sage Intacct, Inc. and its subsidiaries as “we,” “us” and “our.” References to “you” and “your” are to the owners of the data input into the Sage Intacct Services. This generally is our customers, the companies and organizations that have subscribed to the Sage Intacct Services, and their users. In some cases, this may be our partners with respect to data owned by you as a partner. If you are an individual whose data is controlled by a customer or partner of ours and input into the Sage Intacct Services by such customer or partner, please direct your privacy-related inquiries to the company or organization that has subscribed to the Sage Intacct Services, as more fully described in “Data Access and Choice” below.
Information Provided by You
You provide us with several kinds of information: Customer Data, Administrative Data, and Billing Data.
Customer Data is the information submitted into the Sage Intacct Services when you use the Sage Intacct Services or when you receive customer support. This includes accounting information, transactions (for example, with vendors or customers), bank account information and other financial information, as well as information derived by the operation of the Sage Intacct Services from such submissions, such as reports and analytics. Customer Data may be submitted directly by you or indirectly through our partners.
Our system processes and stores Customer Data strictly on your behalf in order to provide you the Sage Intacct Services and perform our contractual obligations to you. We restrict our employees’ access to Customer Data to (1) support, client services and technical staff, who with your consent may have access to your Customer Data to provide customer support, technical troubleshooting and professional services, and (2) a limited number of operations personnel, who may have controlled access to Customer Data for troubleshooting and system maintenance. We use Customer Data to provide you the Sage Intacct Services and to address customer support requests and technical problems.
Administrative Data is information you provide during sign-up, purchase or administration of the Sage Intacct Services. This includes company name, address, email and phone number, and individual users’ names, emails, phone numbers and account credentials.
We collect, store and use Administrative Data to perform our contractual obligations to you and/or for our legitimate business interests. Specifically, we use Administrative Data to provide the Sage Intacct Services to you, administrate your account, provide customer support and professional services, keep a records of our dealings with you, notify you of new product offerings and of changes, updates and availability of the Sage Intacct Services, understand your experience using the Sage Intacct Services (for example, by sending you surveys), conduct research, improve the Sage Intacct Services, plan and host events, contact you with marketing communications, and identify and prevent fraud.
Billing Data is financial qualification and billing information you provide as our customer when you purchase, subscribe for, renew or expand the Sage Intacct Services. This includes name, billing address, credit card information, credit references and other financial data.
We use Billing Data for our legitimate business interests: to process or collect payment for your transactions with us, keep a record of our dealings with you, and prevent fraud. We store Billing Data for use in your future transactions with us.
Information Collected by Us
|Session Identification (Required)||These cookies are required to access the Sage Intacct Services. When a user logs in, a cookie with an encrypted information tied to the user account is placed onto the browser. These cookies allow us to identify the user when he/she is logged in to perform online requests. One required cookie is also used to prevent the same user from logging into the Sage Intacct Services from multiple browsers at the same time.||When browser is closed, or in some cases on the earliest of session timeout, user logout or when browser is closed.|
|Persistent User Identification||These cookies allow the Sage Intacct Services to remember information a user has entered such as username, company name, and trusted device for 2-step verification. The Sage Intacct Services place these cookies onto the browser when a user selects “remember me” check box (opt in).||Some of these cookies expire in 90 days and others in 1 year.|
|Non-Persistent User Identification||The Sage Intacct Services place these cookies onto the browser during user login. These cookies allow temporary identification of the user for various functional purposes such as verification of SSO login, enablement of the “collaborate” feature, and keeping track of single sign-on.||In 5 minutes.|
|Functional||This cookie is placed to keep track of printed invoice record.||On the earliest of session timeout, user logout or when browser is closed.|
|User Interface Functionality||These cookies enable various user interface features (such as arranging components on the dashboard) by providing information about the browser screen’s width and height or keeping track of current selected menu in the user interface.||Some of these cookies expire immediately and others expire in 2 minutes.|
|Integration Functionality||The Sage Intacct Services use these cookies to remember the user session during the cloud storage authentication.||In 5 minutes.|
|Data Import Functionality||The Sage Intacct Services use these cookies to remember the user's last import settings. The next time a user imports data, the previous data import options are populated for the user in the user interface.||In 1 year.|
|Performance||The Sage Intacct Services use these cookies to measure the client response time to improve the performance and user experience.||In 2 seconds.|
|Non-Functional||These cookies are used by infrastructure components such as load balancer and content delivery network (CDN) and do not contain any customer or user specific information.||When user closes the browser.|
|Maintenance||These cookies are placed to show the system maintenance message page.||When user closes the browser.|
|CDN||These cookies are used to track session state, store origin server IP to facilitate CDN service, and for testing purposes.||Some of these cookies expire immediately and others expire in 1 year.|
Cookies are essential for the proper operation of the Sage Intacct Services. We do not provide an opt out for cookies identified as “Required” in the table above. In your browser, you can opt out of or delete the other cookies. We do not recommend opting out of cookies, as this will adversely impact the functionality of, and your access to, the Sage Intacct Services.
In addition, we use Google Analytics for certain pages on our product website. This tool helps us understand how often users visit our product website and what pages they visit. We use this information to analyze how our website is used and for website and product development and improvement. You can opt out of Google Analytics by disabling cookies on your browser.
IP Addresses: We collect the Internet Protocol (IP) address of the computer used to access the Sage Intacct Services. We use IP addresses for added security of the Sage Intacct Services and to optimize the performance of the Sage Intacct Services. A security feature of the Sage Intacct Services allows a client’s administrator to review the list of IP addresses from which the client’s Sage Intacct account has been accessed. We do not provide an opt-out option for IP addresses.
Statistical Data: When you use the Sage Intacct Services, we may collect statistical information (metadata), such as server log files, usage patterns and frequency, and volume and value of transactions. Such statistical information does not include Customer Data. We may use this statistical information for product improvement and billing.
Anonymous Data: If Statistical Data is used by us for any other purposes, we aggregate this data in a way that does not identify or otherwise permit the identification of you or any of your users. We may use and disclose Anonymous Data for training, quality assurance, product development, marketing, promotion, statistical analysis, market analysis, financial analysis, benchmarking and other business purposes. We do not provide an opt-out option for Anonymous Data.
Some browsers contain features that signal that the user does not want to be tracked, known as “Do Not Track” or DNT. The Sage Intacct Services currently do not respond to such signals.
Third-Party Provided Data: We partner with third parties (for example, payment service providers) who provide products and services within, or related to, the Sage Intacct Services. These third parties may provide us your Customer Data or Billing Data. We treat this information in the same manner as we treat Customer Data and Billing Data that you provide directly to us.
We retain Customer Data for the duration of your subscription to the Sage Intacct Services. After your subscription expires, we retain Customer Data for at least 90 days and may store it for up to an additional 90 days. Customer Data may be retained beyond that period in data backups, which may be stored for up to 5 years. We retain Customer Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We keep Administrative Data and Billing Data as part of our business and accounting records for the duration of your relationship with us and thereafter for so long as necessary for our legitimate business purposes. We retain credit cardholder data for no longer than 90 days from the card expiration date. We do not store card-verification code or value (CVV).
Please, refer to the table above for information on cookie expiration. We currently do not delete IP addresses, Statistical Data and Anonymous Data.
Disclosure of Information
We will disclose your data to third parties only as directed by you, as described in your agreements with us and in this policy, or as required by law.
- When you authorize third-party access to the Sage Intacct Services, or use our API or third-party applications accessed through the Sage Intacct Service, you may affirmatively transfer Customer Data to third parties. Such use is under your control, and we consider this a disclosure initiated and directed by you.
- We may contract with other companies to provide services or functionality on our behalf. If we do so, we may share Customer Data and/or Administrative Data with such providers to the extent necessary for their engagement. In such cases, we will require such providers to maintain the confidentiality of your information and to use it only for the purposes of their engagement by us. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and our agreements with you.
- We may store encrypted copies of our database backups in facilities provided by third parties. These third parties do not have the right to access such data.
- We may disclose Administrative Data to third-party providers of products and services within, or related to, the Sage Intacct Services for billing and for administering the Sage Intacct Services and such third-party products and services.
- We may disclose Administrative Data to affiliated companies within the Sage group for global information and customer relationship management, customer support, product compatibility and improvements, and to provide you with any information, applications, products or services that you have requested.
- We may share Administrative Data for marketing purposes with our partners and other third parties whose products or services we think may interest you in the operation of your business activities.
- We may disclose Billing Data to payment processors to complete our transactions with you and to payment processors and other third parties to prevent fraud or for collections.
- Anonymous Data does not identify you or your users and, therefore, we may disclose it to third parties as appropriate to support our business needs.
We also may disclose your information if we believe in good faith that it is necessary to (1) respond to a subpoena or request by government authorities or comply with any law, regulation, legal process, administrative or other government proceeding, (2) protect against misuse or unauthorized use of the Sage Intacct Services, (3) prevent or address fraud; (4) enforce our rights, policies and agreements or defend ourselves in legal or government proceedings; or (5) protect our rights, property or safety, or those of third parties.
Unless we are prohibited by law, we will attempt to notify you of any request to disclose your Customer Data to the authorities or any other party and, where appropriate, refer such requests directly to you.
We may transfer some or all of our assets, including data, in connection with a merger, acquisition, or sale of assets, or if we dissolve, reorganize our business, or cease operating as a going concern (for example, in the event of a bankruptcy).
We maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of your Customer Data that are consistent with industry standards. Our data security measures include (but are not limited to):
- Integration of application security into the agile product development lifecycle with both manual and automated controls to address static testing and dynamic code analysis;
- Regular internal and external penetration testing against both our application and associated supporting infrastructure;
- Intrusion detection systems monitoring both network and hosts;
- Data encryption in transit to and from1 us;
- Hashing/salting of passwords;
- Physical security measures of data centers;
- Multiple levels of backup data protection (onsite and offsite);
- Fully redundant backup data center capability and failover recovery covered by our SLA;
- SSAE16 SOC1 Type II externally audited at least once per year and Level 1 PCI DSS, third-party audited with Report on Compliance;
- Configurable security controls by the customer that allow you to adjust security; setting of roles and permissions to further restrict access based on business needs;
- Web services API utilizing a dual authentication method;
- Mandatory Sage Intacct-internal security controls, including: multi-factor authentication; password complexity; protocols to prevent brute-force authentication attempts.
Information Location and Transfers
We store Customer Data, Administrative Data and Billing Data in the United States. The Sage Intacct Services comply with the EU-U.S. Privacy Shield Framework. In some cases, storage of information may be based on the European Commission’s Standard Model Clauses for transfers of personal data outside the European Economic Area (EEA).
As part of our global operations, Sage Intacct colleagues or colleagues from affiliated companies in the Sage group may access information from other locations outside the United States. All Sage group companies are subject to Sage group data protection policies designed to protect data in accordance with applicable data protection laws.
Data Access and Choice
We are a data processor of Customer Data, which is controlled by you, our customers. You are responsible for complying with all privacy laws and regulations applicable to you as a user of the Sage Intacct Service and controller of Customer Data. We have no direct relationship with the individuals whose personal data we process as part of Customer Data. We acknowledge that the individuals have the right to access their personal information. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his query to you, our customer (the data controller). If requested to remove the data, we will respond to the individual within reasonable timeframe and direct the request to our customer.
Upon request we will provide you with information about whether we hold any of your personal information in Administrative Data or Billing Data. If you want to edit and/or change any Administrative Data or Billing Data (other than company ID or user ID, which cannot be changed without creating a new account and/or new user) you can do so at any time by using your company ID, user ID, and password to access your account. Please contact [email protected] for further instructions about deleting or deactivating your Sage Intacct account.
You can opt out from our marketing messages by clicking on the “unsubscribe” link included in them or by contacting your Sage Intacct account executive. Such opt out will not extend to transactional or relationship messages. If you wish to opt out from us sharing Administrative Data with third parties for marketing purposes, please contact your Sage Intacct account manager.
Rights of EEA Residents
If you are based within the EEA or another jurisdiction with similar data protection laws, in certain circumstances you have the following rights: to be told how your information is used and obtain access to your information; to have your information rectified or erased or place restrictions on processing your information; to object to the processing of your information (e.g. for direct marketing purposes); to have the information you provided on an automated basis returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”); where the processing of your information is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions; to object to any decisions based on the automated processing of your personal data, including profiling; and to file a complaint with the applicable supervisory authority responsible for data protection matters.
EU-U.S. Privacy Shield
Sage Intacct, Inc. participates in, and has certified the Sage Intacct Services’ compliance with, the EU-U.S. Privacy Shield Framework, and we are committed to adhere to its Principles and subject all personal data received from the EU in reliance on the Privacy Shield. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield Website. The Privacy Shield List contains a list of companies certified under the EU-U.S. Privacy Shield Framework.
Sage Intacct, Inc. is responsible for the processing of personal data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Privacy Shield Principles, including the onward transfer liability provisions, for all onward transfers of personal data from the EU.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) here. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Changes to This Policy
We may update this policy to reflect changes to our information practices. If we make any material changes, we will notify you by email (sent to the email address of your Sage Intacct subscription representative on record with us) or by a notice posted in the Sage Intacct Services prior to the change becoming effective. We encourage you to periodically review this page for the latest information about our privacy practices.
1 You may elect, under your control, to send unencrypted information through the emailing of reports.