# TwentyCore Data Processing Review Note

Last reviewed: 2026-05-18

This note helps buyers classify data categories, processing boundaries, retention, export, deletion, AI, and integration obligations. It is a procurement draft, not a signed data processing agreement.

## Data Categories To Classify

- Customer, supplier, product, pricing, invoice, payment, purchase, shipment, quality, and production records.
- User account data, role assignments, audit events, request IDs, and support metadata.
- Attachments, imports, exports, AI prompts/responses where enabled, and integration payloads.

## Processing Boundaries

- Backend hosting, managed database, object storage, frontend hosting, email, monitoring, payment, AI, and statutory integration providers.
- Credential ownership and rotation process for Stripe, LHDN, SMTP, object storage, Redis, and AI providers.
- Data minimization expectations for AI prompts, support access, logs, and exported reports.

## Exit and Deletion Path

- Customer export format, export owner, export deadline, and verification method.
- Cancellation access window, deletion timeline, backup retention, and legal hold exceptions.
- Procedure for revoking integrations and deleting attachments or imported files.

## Buyer Review Questions

- What customer data is processed and where?
- Which subprocessors are optional?
- How does the customer export operational data?
- What happens to backups and attachments after cancellation?