# TwentyCore Legal and Security Review Checklist

Last reviewed: 2026-05-18

This checklist helps a buyer prepare procurement, legal, IT, finance, and operations diligence. It is not legal advice, a certification, or a signed contract. Final commitments must be confirmed in the customer agreement, data processing agreement, and implementation statement of work.

## Documents To Review Before Signature

- Master subscription agreement, order form, support terms, and service description.
- Data processing agreement, subprocessor list, data residency statement, and retention/export terms.
- Security architecture, AI data handling policy, incident response process, and backup/restore policy.
- Implementation scope, data migration scope, training scope, and go-live acceptance criteria.

## Commitments That Must Be Explicit

- Recovery point objective (RPO), recovery time objective (RTO), backup retention, who owns and performs restores, and how often restores are tested.
- Support hours, escalation path, incident notification expectations (timing, channel, and severity thresholds), and customer responsibilities.
- Data export window, cancellation process, deletion timeline, and ownership and rotation of integration credentials.
- Responsibility boundaries for each integration, including the statutory LHDN integration, email, payments, object storage, Redis, and AI services: which party owns credentials, configuration, and failure handling.

## Evidence To Attach To Diligence

- Backup restore drill evidence.
- Deployment health and migration health evidence.
- Tenant isolation and PostgreSQL parity test evidence for the exact build that will go to production, not an earlier release.
- Integration proof for Stripe, email, object storage, Redis, and the LHDN sandbox or live environment, where applicable.
- UAT evidence from a disposable tenant for the buyer's critical workflows.

## Buyer Review Questions

- Which statements in the public trust notes become contractual commitments, and which remain informational only?
- Who owns each security, backup, incident, and AI control?
- Which controls are standard and which are enterprise add-ons?
- What evidence must be refreshed before production go-live?
