Legal and security review

Legal and security review checklist

A buyer-ready checklist that separates operational evidence from contractual commitments before production use.

Last reviewed: 2026-05-18. Final contractual commitments must be reviewed before signature.

Review status: review checklist. It helps procurement prepare diligence, but it is neither legal advice nor a substitute for a signed data processing agreement.

Documents to review before signature

This checklist gives buyers and TwentyCore a shared agenda for procurement, legal, IT, finance, and operations review.

  • Master subscription agreement, order form, support terms, and service description.
  • Data processing agreement, subprocessor list, data residency statement, and retention/export terms.
  • Security architecture, AI data handling policy, incident response process, and backup/restore policy.

Commitments that must be explicit

Do not rely on marketing pages for contractual promises. Put high-impact commitments into the signed agreement or implementation statement of work.

  • RPO, RTO, backup retention, restore ownership, and restore test cadence.
  • Support hours, escalation path, incident notification expectations, and customer responsibilities.
  • Data export window, cancellation process, deletion timeline, and integration credential ownership.

Evidence to attach to diligence

A strong review pack connects public claims to operational proof and is refreshed as the product and infrastructure mature. Date each artifact and tie it to the build it was produced against, so the pack can be re-checked before go-live rather than accepted on trust.

  • Screenshots or logs for the backup restore drill, deployment health, and migration health.
  • Tenant isolation and PostgreSQL parity test evidence for the latest production build.
  • Integration proof for Stripe, email, object storage, Redis, and the LHDN sandbox/live environments where applicable.

Buyer checks

Questions this document should help answer:

  • Which public trust notes become contractual commitments?
  • Who owns each security, backup, incident, and AI control?
  • Which controls are standard and which are enterprise add-ons?
  • What evidence must be refreshed before production go-live?