# TwentyCore Security Architecture Review Note

Last reviewed: 2026-05-17

This note summarizes the buyer-review security architecture for TwentyCore. It is not a certification, audit report, or legal commitment. Final commitments must be confirmed in the customer agreement.

## Access and Identity

- Authenticated browser access with JWT sessions.
- Role-based permissions for operational users.
- Optional 2FA/TOTP for account hardening.
- Privileged user access should be reviewed before production rollout.

## Application and API Boundary

- Frontend calls API routes under `/api/v1`.
- Backend services should enforce tenant context and permissions.
- Production support should use request IDs and structured logs.
- Backend secrets must remain in backend hosting secrets, not frontend builds.
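The last point above is easy to state and easy to break: a build step that inlines environment variables can bake a backend secret into a static bundle. The script below is an added example, not TwentyCore's own tooling, of the release check a practitioner would want: it takes the backend's secret values from the environment and confirms none of them appear verbatim in any asset of the frontend build directory. The variable names (`DATABASE_URL`, `JWT_SIGNING_KEY`, `SMTP_PASSWORD`), the directory layout and the sample values are all constructed for the demonstration.

```python
"""Release gate: no backend secret value may appear in the frontend build.

Added example for illustration; not TwentyCore's own code. Assumes the backend
reads its secrets from environment variables and the frontend build is a
directory of static text assets. All names and values below are constructed.
"""
import tempfile
from pathlib import Path

# Constructed list of backend-only variables. A real deployment uses its own.
BACKEND_SECRET_VARS = ("DATABASE_URL", "JWT_SIGNING_KEY", "SMTP_PASSWORD")

# Asset types that make up a typical static build; each is searched in full.
SCANNED_SUFFIXES = {".js", ".mjs", ".css", ".html", ".json", ".map", ".txt"}

# Values shorter than this are skipped: they would match ordinary strings.
MIN_SECRET_LEN = 8


def collect_backend_secrets(env: dict[str, str]) -> dict[str, str]:
    """Return {var_name: value} for the secret variables that are set and non-empty."""
    return {name: env[name] for name in BACKEND_SECRET_VARS if env.get(name)}


def scan_build_for_secrets(build_dir: Path, secrets: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative asset path, var_name) for every asset containing a secret value."""
    findings: list[tuple[str, str]] = []
    for path in sorted(build_dir.rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for name, value in secrets.items():
            if len(value) >= MIN_SECRET_LEN and value in text:
                findings.append((path.relative_to(build_dir).as_posix(), name))
    return findings


def build_is_clean(build_dir: Path, env: dict[str, str]) -> bool:
    """True when no backend secret value leaked into the build; gate the release on this."""
    return not scan_build_for_secrets(build_dir, collect_backend_secrets(env))


def run_demo() -> dict:
    """Create a constructed build directory with one leaked value and scan it."""
    env = {
        "DATABASE_URL": "postgres://app:constructed-password@db.internal/twenty",
        "JWT_SIGNING_KEY": "constructed-signing-key-0123456789",
        "SMTP_PASSWORD": "short",        # below MIN_SECRET_LEN, deliberately skipped
        "PUBLIC_API_BASE": "/api/v1",    # not a secret; never searched for
    }
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp)
        (build / "assets").mkdir()
        (build / "index.html").write_text('<script src="/assets/app.js"></script>')
        (build / "assets" / "app.js").write_text('const base = "/api/v1";')
        # The leak: a bundler inlined the signing key into a vendor chunk.
        (build / "assets" / "vendor.js").write_text('const k = "constructed-signing-key-0123456789";')
        findings = scan_build_for_secrets(build, collect_backend_secrets(env))
        return {"findings": findings, "clean": build_is_clean(build, env)}


if __name__ == "__main__":
    result = run_demo()
    for asset, var_name in result["findings"]:
        print(f"LEAK {var_name} found in {asset}")
    print("build clean" if result["clean"] else "build NOT clean")
```

Matching values verbatim rather than pattern-matching on names keeps the check free of false positives from variable names that legitimately appear in client code (such as a public API base path); the trade-off is that a transformed or base64-encoded value is not caught, so the check complements, and does not replace, keeping secrets out of the frontend build environment altogether.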

## Data and Tenant Isolation

- Tenant-scoped data model with `tenant_id` on business records.
- Tenant-isolation regression tests should run before production release.
- PostgreSQL RLS is recommended for defense-in-depth where practical.
- Restore drills and tenant smoke tests are required before relying on backup promises.
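Two of the points above, that backend services enforce tenant context and permissions and that tenant-isolation regression tests run before release, fit together in one small piece of code. The block below is an added example, not TwentyCore's own code: a request context derived from session claims (a constructed dict standing in for decoded JWT claims), a repository whose every read and write is filtered by the caller's `tenant_id`, and a regression routine that proves cross-tenant reads and deletes fail and that a session without a tenant claim is rejected rather than defaulted. The `Invoice` record, the role names and the sample rows are assumptions made for the demonstration.

```python
"""Tenant-context enforcement plus the cross-tenant regression checks a release gate runs.

Added example; not TwentyCore's own code. Assumes the API resolves tenant_id
and role from the authenticated session and that every business record carries
tenant_id. Claims, records and roles below are constructed for illustration.
"""
from dataclasses import dataclass


class TenantAccessError(PermissionError):
    """Raised when a request lacks tenant context or touches another tenant's data."""


@dataclass(frozen=True)
class RequestContext:
    request_id: str   # correlates structured log lines for one request
    tenant_id: str
    role: str


def context_from_claims(claims: dict, request_id: str) -> RequestContext:
    """Build the per-request context. A missing tenant claim is rejected, never defaulted."""
    tenant_id = claims.get("tenant_id")
    if not tenant_id:
        raise TenantAccessError(f"[{request_id}] session has no tenant_id claim")
    return RequestContext(request_id=request_id, tenant_id=tenant_id, role=claims.get("role", "viewer"))


@dataclass
class Invoice:
    id: int
    tenant_id: str
    total_cents: int


class InvoiceRepository:
    """Every query takes the caller's context; there is no unscoped read or write path."""

    def __init__(self, rows: list[Invoice]):
        self._rows = {r.id: r for r in rows}

    def list_for(self, ctx: RequestContext) -> list[Invoice]:
        return [r for r in self._rows.values() if r.tenant_id == ctx.tenant_id]

    def get_for(self, ctx: RequestContext, invoice_id: int) -> Invoice:
        row = self._rows.get(invoice_id)
        # Missing and foreign rows look identical to the caller: no existence leak.
        if row is None or row.tenant_id != ctx.tenant_id:
            raise TenantAccessError(f"[{ctx.request_id}] invoice {invoice_id} not visible to {ctx.tenant_id}")
        return row

    def delete_for(self, ctx: RequestContext, invoice_id: int) -> None:
        if ctx.role != "admin":
            raise TenantAccessError(f"[{ctx.request_id}] role {ctx.role!r} may not delete")
        row = self.get_for(ctx, invoice_id)   # tenant check happens before any mutation
        del self._rows[row.id]


# Constructed sample data spanning two tenants.
SAMPLE_ROWS = [Invoice(1, "tenant-a", 1000), Invoice(2, "tenant-a", 2500), Invoice(3, "tenant-b", 999)]


def tenant_isolation_regression() -> dict[str, bool]:
    """Cross-tenant checks for a release gate; every value must be True to ship."""
    repo = InvoiceRepository(SAMPLE_ROWS)
    a = context_from_claims({"tenant_id": "tenant-a", "role": "admin"}, "req-001")
    b = context_from_claims({"tenant_id": "tenant-b", "role": "viewer"}, "req-002")
    results: dict[str, bool] = {}

    results["list_is_scoped"] = {r.id for r in repo.list_for(a)} == {1, 2}

    try:
        repo.get_for(b, 1)                     # tenant-b reading tenant-a's invoice
        results["foreign_read_denied"] = False
    except TenantAccessError:
        results["foreign_read_denied"] = True

    try:
        repo.delete_for(a, 3)                  # admin of tenant-a deleting tenant-b's invoice
        results["foreign_delete_denied"] = False
    except TenantAccessError:
        results["foreign_delete_denied"] = True

    try:
        context_from_claims({"role": "admin"}, "req-003")   # no tenant claim at all
        results["missing_tenant_rejected"] = False
    except TenantAccessError:
        results["missing_tenant_rejected"] = True

    results["record_count_unchanged"] = len(repo.list_for(a)) + len(repo.list_for(b)) == 3
    return results


if __name__ == "__main__":
    for check, passed in tenant_isolation_regression().items():
        print(f"{'PASS' if passed else 'FAIL'} {check}")
```

The regression routine is deliberately independent of the storage layer: the same checks can be pointed at a database-backed repository, with PostgreSQL RLS providing the second layer the note recommends, so that a regression in either the application filter or the database policy is caught before release.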

## Buyer Evidence To Request

- Tenant isolation test evidence.
- Backend health and migration health evidence.
- Restore drill evidence.
- Access review and 2FA policy.
- Incident response owner and escalation path.
