Trust Evidence
The documents buyers should request before go-live.
Architecture, backup, AI, incident, subprocessors, and limitation notes behind a serious ERP procurement review.
Architecture
Security architecture at buyer-review level.
User access
Browser app, JWT sessions, 2FA/TOTP, RBAC, audit events
Application layer
FastAPI services, tenant-scoped dependencies, structured logs, request IDs
Data layer
PostgreSQL, tenant_id scoping, RLS evidence, Alembic migrations, backups
Integrations
Stripe, LHDN MyInvois, email, storage, AI provider, optional BI exports
Backup and restore policy
- Production database should run on managed PostgreSQL with automated backups enabled.
- Restore drills must be performed into a test database before relying on backup promises.
- Post-restore checks should include migration state (Alembic head matches the deployed release), tenant isolation, login, invoice, inventory, and audit-log smoke tests.
- Customer-specific RPO/RTO commitments must be confirmed in the commercial agreement.
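Added example, written for this review note and not taken from TwentyCore's own schema or migrations: the shape of PostgreSQL row-level security evidence a buyer can ask for. It covers the "tenant_id scoping, RLS evidence" line in the data layer above and doubles as the tenant isolation check in a restore drill. The table, role and setting names (invoices, app_rw, app.tenant_id) and the two tenant ids are assumptions.

```sql
-- Assumed schema: one tenant-owned table (real tables carry more columns).
CREATE TABLE invoices (
    id        bigserial     PRIMARY KEY,
    tenant_id uuid          NOT NULL,
    total     numeric(12,2) NOT NULL
);

-- ENABLE turns RLS on; FORCE makes the policy apply to the table owner too,
-- so a migration or maintenance session connected as owner is not exempt.
-- Superusers always bypass RLS, so run the checks below as a non-superuser.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when app.tenant_id is unset, and
-- "tenant_id = NULL" is never true, so a request that forgot to set the
-- tenant sees and writes nothing (fail closed) rather than everything.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application connects as a role that neither owns the table nor has
-- BYPASSRLS; ownership stays with the migration/admin role.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_rw;

-- Per request: SET LOCAL scopes the tenant to this transaction only, so a
-- pooled connection cannot carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (tenant_id, total)
    VALUES ('11111111-1111-1111-1111-111111111111', 100.00);
SELECT count(*) FROM invoices;   -- counts only this tenant's rows
COMMIT;

-- Evidence check for a review or restore drill: switch tenant, confirm the
-- first tenant's row is invisible, and confirm a cross-tenant write is
-- rejected by the WITH CHECK clause instead of silently landing.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM invoices;   -- must not include tenant 1's row
INSERT INTO invoices (tenant_id, total)
    VALUES ('11111111-1111-1111-1111-111111111111', 1.00);  -- rejected by policy
ROLLBACK;

-- Catalog checks to capture as evidence: the app role has no BYPASSRLS or
-- superuser flag, and every tenant-scoped table has RLS enabled and forced.
SELECT rolname, rolbypassrls, rolsuper FROM pg_roles WHERE rolname = 'app_rw';
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'invoices';
```

In an application with tenant-scoped request dependencies, the SET LOCAL line is what the dependency issues at the start of each request's transaction, with the tenant id taken from the authenticated session rather than from any request parameter. After a restore into a test database, running the second transaction against a real pair of tenant ids is a concrete tenant isolation smoke test; a non-zero count or an accepted cross-tenant insert means the restored database is missing policies or the app role gained ownership or BYPASSRLS.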
AI data handling policy
- AI features are tenant-scoped and should receive minimum necessary operational context.
- AI output is advisory by default; high-impact operational actions require human confirmation.
- Prompt and response handling (what tenant data is sent, what the provider retains, and how untrusted tenant content is kept separate from instructions) must be validated against the selected AI provider before enterprise rollout.
- Customer data should not be used for provider training unless explicitly agreed in the deployment terms.
Incident response process
- Classify severity, affected tenants, user impact, data exposure risk, and integration impact.
- Contain the issue, preserve evidence, notify accountable owners, and communicate customer impact clearly.
- Track remediation, customer follow-up, and post-incident review actions.
- Run tabletop exercises for DB outage, suspected tenant leak, LHDN outage, Stripe webhook backlog, and AI provider outage.
Data retention and export
- Customer business data remains customer-owned.
- Operational exports should be available in standard formats such as CSV, Excel, PDF, or database export by agreement.
- Cancellation retention and deletion timing must be stated before subscription.
- Legal, tax, audit, and regulatory retention requirements may override generic deletion windows.
Subprocessors
Provider categories to confirm per deployment.
Exact providers and regions can vary by customer environment. The production agreement should list final subprocessors and data roles before go-live.
DigitalOcean or configured cloud host
Application hosting, managed database, network, backups, and object storage where configured.
Vercel
Public website and frontend hosting where selected for deployment.
Stripe
Subscription checkout, customer portal, payment metadata, and webhook events.
Email provider
Transactional email and demo/contact notifications.
LHDN MyInvois
Malaysia e-Invoice submission when customer credentials and authority setup are complete.
AI provider
Optional tenant-scoped AI assistance when enabled.
Monitoring/logging provider
Operational metrics, alerting, uptime checks, and redacted logs.
Downloadable docs
Public review notes for procurement and security teams.
These are buyer-review notes, not certification claims. Use them to structure diligence, then confirm final commitments in the contract.
Security architecture
Security architecture review note
A buyer-level map of access, application, data, integration, logging, and deployment controls to review before production.
Backup and restore
Backup and restore policy
Operational backup expectations, restore drill requirements, and evidence buyers should request before go-live.
AI data handling
AI data handling policy
How AI features should be scoped, reviewed, and governed when connected to tenant-specific ERP data.
Incident response
Incident response process
The severity model, containment workflow, customer communication expectations, and post-incident review path.
Subprocessors and residency
Subprocessors and data residency note
Provider categories, data roles, regional assumptions, and what must be confirmed in the final deployment agreement.
Legal and security review
Legal and security review checklist
A buyer-ready checklist that separates operational evidence from contractual commitments before production use.
Data processing review
Data processing review note
A structured review of customer data categories, processors, retention, export, deletion, and AI/integration boundaries.
Limits
No unsupported certification claims.
TwentyCore is not SOC 2 or ISO 27001 certified today. LHDN production approval depends on customer authority setup and live credentials. Backup, rollback, monitoring, email, storage, Stripe, and AI provider evidence should be captured for each production environment.