Sage RTX Service – Customer guide
The Sage Payroll system consists of many parts, but we will talk about them at a high level here:
- The Sage Payroll desktop software you interact with on a daily basis.
- Web services (online processing of data to be submitted to revenue).
Sage has developed a web service platform that facilitates integration with government gateways including the Revenue ROS service for PAYE Modernisation. This service is provisioned with AWS.
The service has been developed using secure development and test procedures and guidelines. AWS Shield is used to mitigate attacks and also provides a level of web application firewall capability. All interfaces are secured with authentication and use encrypted channels.
Protecting data/regulatory compliance
The RTX Service is fully compliant with the UK Data Protection Act 1998 and supports the EU General Data Protection Regulation (GDPR).
URLs to be Whitelisted
The following URLs are used by Sage in the process of connecting to the Revenue service for PAYE Modernisation.
|Service|URL|Purpose|
|---|---|---|
|Sage RTX Service*|https://api-rtx-ie-prod-ros.sagertx.com|The URL of the Sage Real Time Exchange (RTX) Service. This is where the product sends the data that we need to be able to process anything.|
|Amazon Web Services S3 buckets*|https://rtx-ie-prod-ros-s3-eu-west-1-files.s3.eu-west-1.amazonaws.com|Amazon Web Services is the cloud infrastructure that Sage use to host, process and store the information for the Sage Real Time Exchange (RTX) Service.|
|Sage Token Service*|https://www.sagetokenservice.com|Sage Token Service is used to authenticate your interactions with Sage Services.|
* Please note that none of the above will work when viewed via a web browser. The above URLs need to be accessed via defined protocols and secured requests.
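Because the URLs cannot be checked in a browser, the following added example (not Sage's own code) shows one way to confirm from a payroll workstation that the three hosts are reachable on port 443 after the allow-list change. The function names and result labels are this example's own, and it assumes direct outbound connections rather than an explicitly configured HTTP proxy.

```python
import socket
import ssl
from urllib.parse import urlsplit

# The three URLs from the allow-list table on this page.
ALLOW_LIST = [
    "https://api-rtx-ie-prod-ros.sagertx.com",
    "https://rtx-ie-prod-ros-s3-eu-west-1-files.s3.eu-west-1.amazonaws.com",
    "https://www.sagetokenservice.com",
]

def endpoints(urls):
    """Reduce each URL to the (host, port) pair a firewall or proxy rule needs."""
    pairs = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"not an https URL: {url!r}")
        pairs.append((parts.hostname, parts.port or 443))
    return pairs

def classify(error):
    """Map a connection error to a finding (labels are this example's own)."""
    if error is None:
        return "ok"
    if isinstance(error, ssl.SSLCertVerificationError):
        return "tls-untrusted"  # certificate chain or hostname did not verify
    if isinstance(error, ssl.SSLError):
        return "tls-failed"     # handshake was cut off or rejected
    if isinstance(error, socket.gaierror):
        return "dns-failed"     # name is not resolvable from this network
    return "tcp-blocked"        # refused, reset or timed out before TLS

def probe(host, port, timeout=5.0):
    """TCP connect plus verified TLS handshake; returns (finding, issuer org)."""
    context = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("organizationName", "unknown")
    except OSError as error:  # ssl.SSLError and socket.gaierror are OSErrors
        return classify(error), None

if __name__ == "__main__":
    for host, port in endpoints(ALLOW_LIST):
        finding, issuer = probe(host, port)
        print(f"{host}:{port}  {finding}  issuer={issuer}")
```

An `ok` result whose issuer is your own organisation's certificate authority means a proxy is re-signing the connection on the way out.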
Data transit and storage
For full details of Sage Governance, please visit https://trust.sage.com/governance
Data in transit
Data in transit from desktop to Revenue is transmitted via encrypted channels and secured with authentication.
Data pertaining to submissions is stored in an S3 bucket in AWS. This bucket has server-side encryption configured. When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centres and decrypts it when you download the object. The exact fields stored in this data differ per client, but they will be a superset of the data required to generate the necessary submissions.
Data pertaining to registration and the configuration of the service is stored in a MongoDB cluster. Collections are:
There is no sensitive data stored in any of these collections. Nevertheless, all data is encrypted at rest and access is limited to appropriate personnel.
AWS Parameter store
Data pertaining to the configuration of the service is stored in AWS Parameter Store. Typical values are database connection strings and passwords. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. All values are saved as secure strings and access is limited to appropriate personnel.
What data is stored
Only data which is critical to the function of the RTX Service is stored, and a thorough assessment of this data has been conducted prior to the design and implementation of the system.
For the purpose of the RTX Service, the Data Processor is Sage UK Ltd.