A plain-English security review checklist for ERP buyers covering identity, tenant isolation, backups, audit logs, integrations, AI, and incident response.
Security review should be specific
Enterprise trust does not come from saying "secure cloud platform." It comes from answering concrete questions about user access, tenant boundaries, secrets, backups, integrations, incident response, and data export.
Manufacturing buyers should ask for evidence that maps to daily operating risk: wrong user access, wrong tenant data, lost attachments, broken integrations, failed migrations, and slow incident response.
Minimum questions to ask
- How are roles, permissions, privileged users, and 2FA handled?
- How does the application prevent tenant A from reading tenant B data?
- What evidence exists for PostgreSQL parity, RLS, and tenant isolation tests?
- Where are database, storage, email, payment, AI, and LHDN secrets stored?
- How are audit logs, request IDs, and deployment IDs used during support?
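As an added illustration of what "evidence for RLS and tenant isolation tests" can look like (example written for this checklist, not the vendor's actual schema or test suite), the following PostgreSQL script enforces a per-tenant row-level security policy and then checks, as the application role, that tenant A cannot see tenant B rows. The table `work_orders`, the role `app_user`, the session setting `app.tenant_id` and the two tenant UUIDs are all assumptions.

```sql
-- Added example (assumed schema): tenant isolation with PostgreSQL row-level security.
-- Run the setup and seed as a superuser, which bypasses RLS; the test runs as app_user.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE work_orders (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    summary   text NOT NULL
);

-- RLS does nothing until it is enabled; FORCE applies it to the table owner as well.
ALTER TABLE work_orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE work_orders FORCE ROW LEVEL SECURITY;

-- Reads (USING) and writes (WITH CHECK) are limited to the tenant bound to this session.
-- If app.tenant_id is unset or empty, the comparison is NULL and no row is visible.
CREATE POLICY tenant_isolation ON work_orders
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON work_orders TO app_user;

-- Constructed seed data: one row per tenant.
INSERT INTO work_orders (tenant_id, summary) VALUES
    ('11111111-1111-1111-1111-111111111111', 'tenant A order'),
    ('22222222-2222-2222-2222-222222222222', 'tenant B order');

-- Isolation test as the application role, bound to tenant A.
SET ROLE app_user;
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';

DO $$
BEGIN
    IF (SELECT count(*) FROM work_orders) <> 1 THEN
        RAISE EXCEPTION 'tenant isolation broken: expected exactly 1 visible row';
    END IF;
    IF EXISTS (SELECT 1 FROM work_orders
               WHERE tenant_id = '22222222-2222-2222-2222-222222222222') THEN
        RAISE EXCEPTION 'tenant isolation broken: tenant A can read tenant B rows';
    END IF;
    RAISE NOTICE 'tenant isolation test passed';
END $$;

RESET ROLE;
```

A buyer can ask for the equivalent of this script from the vendor's CI output: the policy definitions, the test that exercises them as the non-privileged application role, and the date it last ran.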
Operational resilience questions
- When was the latest backup restore drill?
- What are the target RPO and RTO?
- How are migrations run and verified?
- What is the rollback plan for backend and frontend deployments?
- How are failed jobs, slow queries, webhook failures, and integration outages monitored?
Legal and procurement review
Security notes help the buyer prepare diligence, but they are not a substitute for the final contract, data processing agreement, and customer-specific legal review. Treat all public trust documents as review inputs until the agreement is signed.